openssh unix dev - Aug 2011 - Auth forwarding socket for single auth

Hi all,

authentication forwarding depends much on the environment it is used
in, but generally on shared hosts it is considered insecure, as this
documentation and common sense tell us:
http://unixwiz.net/techtips/ssh-agent-forwarding.html

Anyway, I have an auth forwarding security enhancement proposal. I
hope I am not duplicating someone else's words/thoughts, please notify
me if this is the case.

How about if we make the auth socket configurable in such way, that it
can be used for just SINGLE authentication, and then it gets closed
automatically?


Let me illustrate host sequence:
MyHost ---> IntermediateHost ---> FinalHost


------------------------------------------------
a) Usual session initialization flow:
------------------------------------------------
a.1 On MyHost, I execute:
- $ ssh IntermediateHost -A
- (this connects me to intermediate host and creates /tmp/ssh-...
socket for authentication forwarding)

a.2 Once on Intermediate host, I execute:
- $ ssh FinalHost
- (this gets me to final host with authentication via auth socket
which leads back to MyHost)

a.3 I do things on the FinalHost, but socket is still open op intermediate host


------------------------------------------------
b) Proposed session initialization flow:
------------------------------------------------
b.1
- $ ssh IntermediateHost -A --auth-single
- (--auth-single is made up)

b.2
- $ ssh FinalHost
- (As soon as 1 auth try is consumed (does not matter whether it fails
or succeeds) socket gets closed.)

b.3 I do things on FinalHost, BUT auth socket does not exist anymore
on Intermediate Host


------------------------------------------------
c) Speedup of proposed flow:
------------------------------------------------
c.1
- $ ssh IntermediateHost -A --auth-single -t "ssh FinalHost"


Annotations to proposed (b and c) flows:
- I understand that in example b) for a limited timeframe there is
still insecure socket available at Intermediate host, which can be
exploited by powerful-enough user on intermediate host
- In example c) this timeframe gets really down to minimum, which
leaves this scheme vulnerable only to a really dedicated and
determined cracker, but it should be admin's decision whether he wants
to use this or not in systems which can't afford such risk.


Please comment on this "proposal".

Best regards,
b.

On Tue, Aug 30, 2011 at 1:50 AM, Bostjan Skufca <bostjan at a2o.si> wrote:
[...]
> How about if we make the auth socket configurable in such way, that it
> can be used for just SINGLE authentication, and then it gets closed
> automatically?
A while ago I implemented an escape code (~a I think) that toggled
whether or not the client would accept forwarded agent requests, but
only as a local change.

You could possibly implement this policy as an external SSH_ASKPASS
program, however...
> Let me illustrate host sequence:
> MyHost ---> IntermediateHost ---> FinalHost
If you don't trust IntermediateHost and it has tcp port forwarding
enabled, you can also do something like this:

Host FinalHost
  ProxyCommand ssh -W %h:%p IntermediateHost
  ForwardAgent no
  ForwardX11 no

This will create an end-to-end encrypted connection between MyHost and
FinalHost and won't require agent forwarding on IntermediateHost.  (I
call this "stacked" connections, as opposed to "chained"
connections
which is what you're currently doing).

It'll also prevent the possibility of the traffic being compromised on
IintermediateHost (since in your scheme it's decrypted and reencrypted
on IntermediateHost, and thus subject to monitoring and/or change).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4? 37C9 C982 80C7 8FF4 FA69
? ? Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.