bugzilla-daemon at bugzilla.mindrot.org
2019-Dec-20 22:25 UTC
[Bug 3106] New: Please allow ssh to use one agent to authenticate, but forward agent connections to another one
https://bugzilla.mindrot.org/show_bug.cgi?id=3106
Bug ID: 3106
Summary: Please allow ssh to use one agent to authenticate, but
forward agent connections to another one
Product: Portable OpenSSH
Version: 8.1p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: korn-mindrot.org at elan.rulez.org
Background: forwarding connections to ssh-agent is risky; if a server
you ssh into is compromised (or if its administrator is malicious),
someone could abuse your forwarded agent to authenticate as you.
One mitigation is to use `ssh-add -c` when adding keys to the agent,
which causes the agent to prompt the user each time a key would need to
be used.
Problem: for people who use ssh a lot, `ssh-add -c` is very
inconvenient; it would be nice if we could be prompted only when a
*remote* client tries to use our key, not for local clients.
Unfortunately, ssh-agent can't differentiate between local and remote
clients.
Proposal: have the user run two agents; one for local clients, one for
remote ones. Keys would be added to the 2nd agent with `ssh-add -c`,
but without `-c` to the 1st one. ssh clients started locally would use
the local agent to authenticate; however, they would forward agent
connections from remote servers to the 2nd agent.
The ForwardAgent ssh_config directive could be extended to support
specifying a path to a socket in addition to the "yes" and
"no"
keywords, in the same way IdentityAgent does. IdentityAgent would point
to the local agent socket (which doesn't prompt for key usage), and
ForwardAgent would point to the other agent socket (which would require
user confirmation when a remote client wishes to use a private key).
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Dec-20 22:31 UTC
[Bug 3106] Please allow ssh to use one agent to authenticate, but forward agent connections to another one
https://bugzilla.mindrot.org/show_bug.cgi?id=3106 --- Comment #1 from Andr?s Korn <korn-mindrot.org at elan.rulez.org> --- Ah, I just found https://bugzilla.mindrot.org/attachment.cgi?id=3087&action=diff in https://bugzilla.mindrot.org/show_bug.cgi?id=1937, which seems to implement something similar. -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Dec-20 22:36 UTC
[Bug 3106] Please allow ssh to use one agent to authenticate, but forward agent connections to another one
https://bugzilla.mindrot.org/show_bug.cgi?id=3106
Andr?s Korn <korn-mindrot.org at elan.rulez.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |DUPLICATE
Status|NEW |RESOLVED
--- Comment #2 from Andr?s Korn <korn-mindrot.org at elan.rulez.org> ---
Ah, also found #2216, which is the same request. Sorry about the noise.
*** This bug has been marked as a duplicate of bug 2216 ***
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2021-Apr-23 05:10 UTC
[Bug 3106] Please allow ssh to use one agent to authenticate, but forward agent connections to another one
https://bugzilla.mindrot.org/show_bug.cgi?id=3106
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release
--
You are receiving this mail because:
You are watching the assignee of the bug.