bugzilla-daemon at bugzilla.mindrot.org
2011-Mar-07 18:32 UTC
[Bug 1876] New: Requests to use keys held by the ssh-agent have no way of indicating their context
https://bugzilla.mindrot.org/show_bug.cgi?id=1876
Summary: Requests to use keys held by the ssh-agent have no way
of indicating their context
Product: Portable OpenSSH
Version: 5.8p1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: ssh-agent
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: dkg at fifthhorseman.net
When the ssh-agent receives a request to use one of the keys it holds,
it gets no context information from the requesting system about what
the key operation is to be used for.
My own typical workflow (as a user who actively monitors and confirms
the use of my keys by the ssh-agent) is to just correlate things by
time. e.g. "i just did action X, so i expect key Y to be used right
around now, so i'll say OK".
If there was a way to communicate the context of the use to the agent,
so that the agent could relay that to the user in whatever notification
or confirmation it provides, it would seem like a Good Thing.
If there was a way to do that with some measures of cryptographic
reliability (e.g. so that a malicious client couldn't say "please make
this signature for X" when it was actually intending to be used for Y),
it would be even better. I'm not sure i understand how that could
happen, though i'd be happy to consider proposals/suggestions.
I suspect this would require at least an extension to the ssh-agent
protocol, but i'm not sure where or how that would be done.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
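
An added illustration, not part of the bug report or of OpenSSH's code: a parser for the agent's sign request (message type 13), which carries only a key blob, the data to sign, and flags. When that data is an RFC 4252 publickey authentication payload, the user and service names can be recovered from it, but the session identifier is an exchange hash and no destination host appears anywhere. Function names and all sample bytes are constructed for this example.

```python
import struct

SSH_AGENTC_SIGN_REQUEST = 13   # ssh-agent protocol message number
SSH_MSG_USERAUTH_REQUEST = 50  # RFC 4252

def put_string(b):
    return struct.pack(">I", len(b)) + b

class Reader:
    def __init__(self, buf):
        self.buf, self.pos = buf, 0
    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated")
        self.pos += n
        return self.buf[self.pos - n:self.pos]
    def u8(self): return self.take(1)[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def string(self): return self.take(self.u32())

def auth_context(data):
    """Recognise RFC 4252 publickey-auth data; None if it is anything else."""
    try:
        d = Reader(data)
        session_id, msg = d.string(), d.u8()
        user, service, method = d.string(), d.string(), d.string()
        if (msg != SSH_MSG_USERAUTH_REQUEST or method != b"publickey"
                or d.u8() != 1):
            return None
        algorithm = d.string()
        d.string()  # public key blob, already known to the agent
        return {"session_id": session_id.hex(), "user": user.decode(),
                "service": service.decode(), "algorithm": algorithm.decode()}
    except ValueError:  # truncated or non-UTF-8 data: treat as opaque
        return None

def parse_sign_request(frame):
    body = Reader(Reader(frame).string())  # uint32 length, then message body
    if body.u8() != SSH_AGENTC_SIGN_REQUEST:
        raise ValueError("not a sign request")
    key_blob, data, flags = body.string(), body.string(), body.u32()
    return {"key_blob": key_blob, "flags": flags, "context": auth_context(data)}

def build_sample(user=b"alice"):  # constructed request, placeholder key bytes
    key = put_string(b"ssh-rsa") + b"\x00" * 8
    signed = (put_string(b"\x11" * 32) + bytes([50]) + put_string(user)
              + put_string(b"ssh-connection") + put_string(b"publickey")
              + b"\x01" + put_string(b"ssh-rsa") + put_string(key))
    return put_string(bytes([13]) + put_string(key) + put_string(signed) + bytes(4))
```
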
bugzilla-daemon at bugzilla.mindrot.org
2011-Apr-12 05:42 UTC
[Bug 1876] Requests to use keys held by the ssh-agent have no way of indicating their context
https://bugzilla.mindrot.org/show_bug.cgi?id=1876
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
           Severity|normal                      |enhancement