2004-Jun-20 00:00 UTC
key management with ssh-agent, IdentityFile and info leakage
editors note: just now found something about IdentitiesOnly that might do the trick. there's some other stuff in here too.

about preventing info leakage [keys for other sites] from appearing in the client<-->server key negotiation with ssh-agent and IdentityFile.

ssh/config:IdentityFile - seems to indicate that only the specified key will be tried, and if that key fails, no other keys will be tried. however, the tests further below prove otherwise. it would be great if IdentityFile would indeed try only the specified key by doing a lookup for it in the list of the running agent and/or on disk. preserve the existing [broken?] personality by adding something like:

  IdentityFileExclusive key - try to locate and use this single key only.

  IdentityFilePrefer (agent|disk|agentdisk|diskagent) - use this single location or try this multiple location search order. for when the loaded key differs from the disk key of the same name because some management app is swapping keys around and a configurable source would be handy.

  IdentityFileDefault (yes|no) - try the defkeys if available.

  IdentityFileDefaultOrder (first|last) - in this order.

ordering - if multiple IdentityFiles exist in a section, try in the order listed.

the ability to [un]lock specific keys in the agent in addition to the entire agent might also be useful. ssh-add -l would then show which keys are locked. ssh-add -[X|x] [key].

note - -i, -o should take precedence always. then deal with agent/files as above.

  1. cmdline
  2. usercfg
  3. syscfg

OpenSSH_3.5p1 FreeBSD-20030924, SSH protocols 1.5/2.0, OpenSSL 0x0090703f

yeah, yeah... test key generation...
    # NOTE: removes every existing id* key in ~/.ssh before generating the test set
    cd ~/.ssh ; rm id*
    # default key: comment "defkey", passphrase "defpass"
    ssh-keygen -t dsa -b 512 -N defpass -C defkey -f id_dsa
    # three more keys: id_dsa_a, id_dsa_b, id_dsa_c with passphrases apass, bpass, cpass
    for key in a b c ; do
        ssh-keygen -t dsa -b 512 -N ${key}pass -C ${key}key -f id_dsa_$key
    done
    # only key c is authorized on the server (overwrites the existing authorized_keys)
    ssh host 'cat > .ssh/authorized_keys' < id_dsa_c.pub

colon fields - the test state
  srvkey - key contained in authorized_keys on the server
  cfgkey - key specified in client config file for that host
  agekey - key set loaded in agent, in load order
  defkey - default key name

non colon fields - test result from this test number...

    # verbose client run; the find is only there to exercise ForwardAgent
    ssh -vvv host find /tmp 2>&1 | egrep '/tmp/ssh-|id_dsa'

ignore the tmp stuff, used for checking ForwardAgent.

  agekey - this agent key was tried
  cfgkey - this config key was tried
  defkey - this key was tried

summary... exposed might not be the right word
  first, all available agekeys are exposed
  second, the cfgkeys are exposed
  third, the defkey is exposed
  fourth, other configured non-key methods are tried [not shown]

setup...
  srvkey: c
  cfgkey: a
  defkey: id_dsa

test 1...
  agekey: none
  cfgkey a

test 2...
  agekey: c
  agekey c

test 3...
  agekey: b
  agekey b
  cfgkey a

test 4...
  agekey: a
  agekey a
  cfgkey a

test 5...
  agekey: b a
  agekey b
  agekey a
  cfgkey a

test 6...
  agekey: defkey a c
  agekey defkey
  agekey a
  agekey c

srvkey: b

test 7...
  agekey: c defkey a b
  agekey c
  agekey defkey
  agekey a
  agekey b

    512 d3:3f:d4:1c:b2:1e:53:1e:16:92:77:80:24:db:cb:78 id_dsa_c (DSA)
    512 2b:f5:bc:22:fd:2e:97:c5:6b:24:9a:5e:32:a6:51:2e id_dsa (DSA)
    512 82:18:ff:64:53:49:e5:b1:d4:4f:1b:4b:88:b4:cf:1e id_dsa_a (DSA)
    512 30:12:77:c5:59:09:21:62:06:e7:d7:7e:bc:8a:aa:91 id_dsa_b (DSA)
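The tests above show the client offering every agent key to the server before the configured one, which is what the IdentitiesOnly option mentioned in the editors note is meant to stop. The following is an added example, not part of the original post or of OpenSSH itself: it contrasts a weak ssh_config stanza with one that adds IdentitiesOnly, and gives a small awk filter that lists, from `ssh -vvv` output, which identities a session actually offered, so the leak can be checked from the client side. The host name "example-host", the paths and the sample debug lines are constructed; the debug line wording ("Offering public key:", "Trying private key:", trailing "agent") is modelled on current OpenSSH client messages, which differ from the 3.5p1 output in the post.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenSSH).
# Host, paths and sample debug output below are constructed for illustration.

# Weak stanza: IdentityFile is set, but with an agent running every agent key
# is still offered first, which is the exposure the post's tests show.
weak_config() {
    cat <<'EOF'
Host example-host
    HostName example-host.invalid
    IdentityFile ~/.ssh/id_dsa_a
EOF
}

# Hardened stanza: IdentitiesOnly restricts the client to the listed
# IdentityFile(s) for this host even when the agent holds more keys.
hardened_config() {
    cat <<'EOF'
Host example-host
    HostName example-host.invalid
    IdentityFile ~/.ssh/id_dsa_a
    IdentitiesOnly yes
EOF
}

# Reads `ssh -vvv` output on stdin and prints each identity offered to the
# server, one per line, in order. Agent-held keys are tagged "(agent)".
# Field layout assumed: "debug1: Offering public key: <path> <type> <fp> [explicit] [agent]"
# and "debug1: Trying private key: <path>".
offered_keys() {
    awk '
        /debug1: Offering public key:/ {
            tag = ($NF == "agent") ? " (agent)" : ""
            print $5 tag
            next
        }
        /debug1: Trying private key:/ { print $5 }
    '
}

# Number of identities a session offered; $1 is the captured debug output.
count_offered() {
    printf '%s\n' "$1" | offered_keys | wc -l | tr -d ' '
}

# Constructed sample of a session with the weak stanza: three agent keys
# (two belonging to other hosts) are offered before the configured key.
SAMPLE_WEAK='debug1: Offering public key: /home/u/.ssh/id_dsa_c DSA SHA256:AAAA agent
debug1: Offering public key: /home/u/.ssh/id_dsa DSA SHA256:BBBB agent
debug1: Offering public key: /home/u/.ssh/id_dsa_b DSA SHA256:CCCC agent
debug1: Trying private key: /home/u/.ssh/id_dsa_a
debug1: Authentication succeeded (publickey).'

# Constructed sample of the same session with IdentitiesOnly: only the
# configured key is offered (from the agent, since it is loaded there).
SAMPLE_HARDENED='debug1: Offering public key: /home/u/.ssh/id_dsa_a DSA SHA256:DDDD explicit agent
debug1: Authentication succeeded (publickey).'

printf 'weak stanza offered %s identities:\n' "$(count_offered "$SAMPLE_WEAK")"
printf '%s\n' "$SAMPLE_WEAK" | offered_keys
printf 'hardened stanza offered %s identity:\n' "$(count_offered "$SAMPLE_HARDENED")"
printf '%s\n' "$SAMPLE_HARDENED" | offered_keys
```

To check a real host, pipe the client's own output through the filter, e.g. `ssh -vvv example-host true 2>&1 | offered_keys`; anything listed beyond the IdentityFile configured for that host is a key the remote server learned about without needing to.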