hubert depesz lubaczewski
2015-Oct-20 07:08 UTC
Is there any solution, or even work on, limiting which keys gets forwarded where?
On Tue, Oct 20, 2015 at 01:31:46AM +0200, Ángel González wrote:
> On 16/10/15 12:46, hubert depesz lubaczewski wrote:
> >On Thu, Oct 15, 2015 at 04:15:03PM -0400, Daniel Kahn Gillmor wrote:
> >>> if the intermediary machine (the "jumphost") is jumphost.example, and
> >>> you are trying to reach bar.example.com (which is behind the firewall),
> >>> you would do:
> >>> ssh -oProxyCommand='ssh jumphost.example -W %h:%p' bar.example.com
> >We use jump host, but there are literally hundreds of hosts behind it.
> >And since I often need to run things on multiple hosts, I ssh to jump
> >host, start tmux session, and ssh from there wherever I need.
> You can run tmux locally. Don't worry about having to add the
> -oProxyCommand='ssh jumphost.example -W %h:%p' each time. That can be abstracted
> in the ssh_config. You can simply provide the name as you used on the jumphost, but
> have ssh automatically connect to it "the right way".

If I run tmux locally, and my network connection dies, then I lose what
I was doing on the remote host.
Tmux is there to protect me from losing work (let's say, in the middle
of a database upgrade) due to network issues.

> If you are concerned about having to perform two ssh logins (automatically, as
> performed by the key authentication) per connection, you can make it use a master
> ssh connection so there's a single connection to the jumphost through which all the
> others are tunneled.

I'm concerned about safety (someone having access to my agent socket,
shouldn't really have access to all my keys), and convenience (not
having to retype the password every time).

Best regards,

depesz

-- 
The best thing about modern society is how easy it is to avoid contact with it.
http://depesz.com/
Philip Hands
2015-Oct-20 08:56 UTC
Is there any solution, or even work on, limiting which keys gets forwarded where?
hubert depesz lubaczewski <depesz at depesz.com> writes:
> On Tue, Oct 20, 2015 at 01:31:46AM +0200, Ángel González wrote:
>> On 16/10/15 12:46, hubert depesz lubaczewski wrote:
>> >On Thu, Oct 15, 2015 at 04:15:03PM -0400, Daniel Kahn Gillmor wrote:
>> >>> if the intermediary machine (the "jumphost") is jumphost.example, and
>> >>> you are trying to reach bar.example.com (which is behind the firewall),
>> >>> you would do:
>> >>> ssh -oProxyCommand='ssh jumphost.example -W %h:%p' bar.example.com
>> >We use jump host, but there are literally hundreds of hosts behind it.
>> >And since I often need to run things on multiple hosts, I ssh to jump
>> >host, start tmux session, and ssh from there wherever I need.
>> You can run tmux locally. Don't worry about having to add the
>> -oProxyCommand='ssh jumphost.example -W %h:%p' each time. That can be abstracted
>> in the ssh_config. You can simply provide the name as you used on the jumphost, but
>> have ssh automatically connect to it "the right way".
>
> If I run tmux locally, and my network connection dies, then I lose what
> I was doing on the remote host.
> Tmux is there to protect me from losing work (let's say, in the middle
> of a database upgrade) due to network issues.
>
>> If you are concerned about having to perform two ssh logins (automatically, as
>> performed by the key authentication) per connection, you can make it use a master
>> ssh connection so there's a single connection to the jumphost through which all the
>> others are tunneled.
>
> I'm concerned about safety (someone having access to my agent socket,
> shouldn't really have access to all my keys), and convenience (not
> having to retype the password every time).

The way to address that concern is to never forward the agent off of the
local machine (which can be achieved via the ProxyCommand approach), then
you don't even have to consider which remote hosts you trust with which
keys.

Cheers, Phil.
-- 
|)|  Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
|-|  http://www.hands.com/    http://ftp.uk.debian.org/
|(|  Hugo-Klemm-Strasse 34,   21075 Hamburg,    GERMANY
Daniel Kahn Gillmor
2015-Oct-20 13:33 UTC
Is there any solution, or even work on, limiting which keys gets forwarded where?
On Tue 2015-10-20 03:08:11 -0400, hubert depesz lubaczewski wrote:
> If I run tmux locally, and my network connection dies, then I lose what
> I was doing on the remote host.
> Tmux is there to protect me from losing work (let's say, in the middle
> of a database upgrade) due to network issues.

if you want that kind of protection, run tmux (or GNU screen) on the
remote host itself. that will protect you from outages on the jumphost
as well.

> I'm concerned about safety (someone having access to my agent socket,
> shouldn't really have access to all my keys), and convenience (not
> having to retype the password every time).

a local ssh agent, not forwarded, with a ControlMaster socket for the
jumphost, and your keys loaded with confirmation prompt seems like the
solution that would solve the most problems:

~/.ssh/config:
--------------
Host jumphost.example
    ControlMaster autoask
    ControlPath ~/.ssh/masters/%r@%h:%p
    ProxyCommand none

Host *.example
    ProxyCommand ssh -W %h:%p jumphost.example
--------------

Before connecting, ensure that ssh-agent is running and do:

    ssh-add -c /path/to/my/key

You'll have to type your password exactly once. When you get a prompt
for the use of your key, or a prompt to use the control master, you can
just hit "OK" or type "yes".

if your workflow is just to connect to one remote machine from your
local computer, do:

    ssh -t foo.example tmux

If your workflow is to connect to multiple machines, start with:

    ssh jumphost.example

and leave that session open while you do the rest of your work from your
local computer:

    ssh -t foo.example tmux
    ssh -t bar.example tmux

hth,

    --dkg
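An added example, not dkg's code nor anything from OpenSSH: a small POSIX sh resolver that emulates the ssh_config rule that the first obtained value for an option wins, used to check the config above offline. It assumes the two constructed configs embedded below and shows why the `Host jumphost.example` stanza has to come before `Host *.example` (otherwise the jumphost is proxied through itself), and that hosts behind the jumphost keep ForwardAgent off.

```shell
# Added example (not dkg's or OpenSSH's code): emulates ssh_config's "first obtained
# value wins" rule for plain glob Host patterns (no "!" negation, no Match blocks).
GOOD_CONFIG='Host jumphost.example
    ControlMaster autoask
    ControlPath ~/.ssh/masters/%r@%h:%p
    ProxyCommand none
Host *.example
    ProxyCommand ssh -W %h:%p jumphost.example
    ForwardAgent no'
# Constructed counter-example: stanzas in the wrong order, so the wildcard captures the jumphost too.
BAD_CONFIG='Host *.example
    ProxyCommand ssh -W %h:%p jumphost.example
Host jumphost.example
    ProxyCommand none'

# resolve CONFIG HOST OPTION: print the effective value, or nothing (status 1).
resolve() {
    cfg=$1 host=$2 opt=$3
    val=$(
        set -f                  # keep "*.example" literal: no pathname expansion
        matched=0
        printf '%s\n' "$cfg" | while IFS= read -r line; do
            set -- $line        # keyword, then value words
            [ $# -eq 0 ] && continue
            key=$1; shift
            if [ "$key" = Host ]; then
                matched=0       # a Host line starts a new stanza
                for pat in "$@"; do
                    case $host in $pat) matched=1 ;; esac
                done
            elif [ "$matched" -eq 1 ] && [ "$key" = "$opt" ]; then
                printf '%s\n' "$*"   # first match wins; later stanzas are ignored
                break
            fi
        done
    )
    [ -n "$val" ] && printf '%s\n' "$val"
}
# The jumphost itself must be reached directly (ProxyCommand none).
jumphost_is_direct() {
    [ "$(resolve "$1" jumphost.example ProxyCommand)" = none ]
}
# Hosts behind it go through -W on the jumphost, and the agent stays local.
inner_host_is_proxied() {
    [ "$(resolve "$1" "$2" ProxyCommand)" = "ssh -W %h:%p jumphost.example" ] &&
    [ "$(resolve "$1" "$2" ForwardAgent)" = no ]
}
jumphost_is_direct "$GOOD_CONFIG" && inner_host_is_proxied "$GOOD_CONFIG" bar.example && echo "GOOD_CONFIG: ok"
jumphost_is_direct "$BAD_CONFIG" || echo "BAD_CONFIG: jumphost would be proxied through itself"
```

Note that in GOOD_CONFIG the jumphost also matches `*.example`, so it picks up `ForwardAgent no` from the second stanza while keeping `ProxyCommand none` from the first, which is exactly the per-option first-match behaviour the real client applies.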
hubert depesz lubaczewski
2015-Oct-20 14:00 UTC
Is there any solution, or even work on, limiting which keys gets forwarded where?
On Tue, Oct 20, 2015 at 09:33:46AM -0400, Daniel Kahn Gillmor wrote:
> On Tue 2015-10-20 03:08:11 -0400, hubert depesz lubaczewski wrote:
> > If I run tmux locally, and my network connection dies, then I lose what
> > I was doing on the remote host.
> > Tmux is there to protect me from losing work (let's say, in the middle
> > of a database upgrade) due to network issues.
>
> if you want that kind of protection, run tmux (or GNU screen) on the
> remote host itself. that will protect you from outages on the jumphost
> as well.

That's not an option, since I usually work on multiple hosts behind a
single jump host at once.

Anyway - I need agent forwarding, and from what I gather - there is no
solution, or work on a solution, that would allow me to limit which keys
get forwarded.

That's fine, really (kind of, but it's better to know that there is no
such thing than to spend hours hunting for something that just doesn't
exist).

depesz