Rory Campbell-Lange
2018-Sep-17  19:34 UTC
add keys and certificate to forwarded agent on remote host
On 17/09/18, Peter Stuge (peter at stuge.se) wrote:
> Rory Campbell-Lange wrote:
> > Can ssh-add work on the remote socket file?
>
> I expect that it will just work<tm>. The local socket is just a
> socket, and the protocol[1] message SSH_AGENT_ADD_KEY is the same.

Local:

$ ssh-agent > /tmp/agent.env
$ source /tmp/agent.env
$ ssh-add ~/.ssh/id_user
$ ssh -A remote

Remote:

$ SSH_AUTH_SOCK=/tmp/ssh-1rVbCSbuDP/agent.3145
$ ssh-add newkey
Identity added: newkey (newkey)

Local:

$ source /tmp/agent.env
$ ssh-add -l
2048 SHA256:32C...qYBs /home/user/.ssh/id_user (RSA)
2048 SHA256:32C...qYBs /home/user/.ssh/id_user (RSA-CERT)
2048 SHA256:SZG...5hUQ newkey (RSA)

That worked perfectly, it seems.

> > Is such an operation advisable?
>
> That's up to you. ssh-add decrypts the private key locally where invoked
> and transfers the key in a form immediately usable to the agent.
>
> Once the agent has the key, it's not really possible to force the agent
> to remove it.

I guess one could set a short life on the remotely added key, such as:

Remote:

SSH_AUTH_SOCK=/tmp/ssh-X85qP7jRtG/agent.4079
$ ssh-add -t 300 shortlifekey
Identity added: shortlifekey (shortlifekey)
Lifetime set to 300 seconds

Local:

$ ssh-add -l
2048 SHA256:32C...qYBs /home/user/.ssh/id_user (RSA)
2048 SHA256:32C...qYBs /home/user/.ssh/id_user (RSA-CERT)
2048 SHA256:SZG...5hUQ newkey (RSA)
2048 SHA256:7IS...JRi8 shortlifekey (RSA)

wait 5 minutes...

2048 SHA256:32Cv...qYBs /home/user/.ssh/id_user (RSA)
2048 SHA256:32Cv...qYBs /home/user/.ssh/id_user (RSA-CERT)
2048 SHA256:SZGf...5hUQ newkey (RSA)

Thanks for the great pointers
Rory
Darren Tucker
2018-Sep-18  00:19 UTC
add keys and certificate to forwarded agent on remote host
On 18 September 2018 at 05:34, Rory Campbell-Lange <rory at campbell-lange.net> wrote:
[...]
> Local:
>
> $ ssh-add -l
> 2048 SHA256:32C...qYBs /home/user/.ssh/id_user (RSA)
> 2048 SHA256:32C...qYBs /home/user/.ssh/id_user (RSA-CERT)
> 2048 SHA256:SZG...5hUQ newkey (RSA)
> 2048 SHA256:7IS...JRi8 shortlifekey (RSA)
>
> wait 5 minutes...
>
> 2048 SHA256:32Cv...qYBs /home/user/.ssh/id_user (RSA)
> 2048 SHA256:32Cv...qYBs /home/user/.ssh/id_user (RSA-CERT)
> 2048 SHA256:SZGf...5hUQ newkey (RSA)

Note that as Peter pointed out, that timeout is implemented in the agent.
Be aware that there is nothing stopping someone modifying their agent to
keep a copy of the key, which may or may not matter in your use case.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Rory Campbell-Lange
2018-Sep-18  13:51 UTC
add keys and certificate to forwarded agent on remote host
On 18/09/18, Darren Tucker (dtucker at dtucker.net) wrote:
> On 18 September 2018 at 05:34, Rory Campbell-Lange
> <rory at campbell-lange.net> wrote:
> [...]
> > Local:
> >
> > $ ssh-add -l
> > 2048 SHA256:32C...qYBs /home/user/.ssh/id_user (RSA)
> > 2048 SHA256:32C...qYBs /home/user/.ssh/id_user (RSA-CERT)
> > 2048 SHA256:SZG...5hUQ newkey (RSA)
> > 2048 SHA256:7IS...JRi8 shortlifekey (RSA)
> >
> > wait 5 minutes...
> >
> > 2048 SHA256:32Cv...qYBs /home/user/.ssh/id_user (RSA)
> > 2048 SHA256:32Cv...qYBs /home/user/.ssh/id_user (RSA-CERT)
> > 2048 SHA256:SZGf...5hUQ newkey (RSA)
>
> Note that as Peter pointed out, that timeout is implemented in the
> agent. Be aware that there is nothing stopping someone modifying
> their agent to keep a copy of the key, which may or may not matter in
> your use case.

However, if we add a temporary key and associated time-limited certificate,
I assume modifying the agent is less of a risk?

Rory
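To make concrete why ssh-add works unchanged over a forwarded socket (Peter's point in the first message) and why the `-t 300` lifetime is only a request that the agent at the far end chooses to honour (Darren's point), here is a small agent-protocol client. It is an added example, not code from this thread or from OpenSSH: it builds the same add-identity message ssh-add sends, with the lifetime carried as a trailing constraint, and parses the identity list the way `ssh-add -l` prints it. Message numbers and constraint ids are the ones from the OpenSSH agent protocol; the sample key bytes and socket path handling are constructed for the example.

```python
"""Minimal ssh-agent protocol client (added example, not from the thread).

Whether SSH_AUTH_SOCK points at a local agent or at the socket that
`ssh -A` forwarded onto a remote host makes no difference here: the
bytes on the wire are identical.  The lifetime constraint is appended to
the add request and enforced solely by the agent that receives it.
"""
import base64
import hashlib
import os
import socket
import struct

# Message and constraint numbers from the OpenSSH agent protocol.
SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_ADD_IDENTITY = 17
SSH_AGENTC_ADD_ID_CONSTRAINED = 25
SSH_AGENT_CONSTRAIN_LIFETIME = 1


def _string(b):
    """Encode an SSH 'string': uint32 big-endian length followed by bytes."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf, off):
    """Decode an SSH 'string' at offset off; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def fingerprint(key_blob):
    """SHA256 fingerprint in the form `ssh-add -l` prints (unpadded base64)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def build_add_ed25519(pub, priv, comment, lifetime=None):
    """Build the add-identity request for an ssh-ed25519 key.

    pub is the 32-byte public key, priv the 64-byte private half
    (seed || pub).  With a lifetime the message becomes
    SSH_AGENTC_ADD_ID_CONSTRAINED and ends with the constraint
    byte 1 plus a uint32 of seconds; the agent alone enforces it.
    """
    body = (_string(b"ssh-ed25519") + _string(pub) + _string(priv)
            + _string(comment.encode()))
    if lifetime is None:
        return bytes([SSH_AGENTC_ADD_IDENTITY]) + body
    constraint = bytes([SSH_AGENT_CONSTRAIN_LIFETIME]) + struct.pack(">I", lifetime)
    return bytes([SSH_AGENTC_ADD_ID_CONSTRAINED]) + body + constraint


def parse_identities_answer(msg):
    """Parse SSH_AGENT_IDENTITIES_ANSWER into (key type, fingerprint, comment)."""
    if not msg or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent reply: %r" % msg[:1])
    (count,) = struct.unpack_from(">I", msg, 1)
    off = 5
    out = []
    for _ in range(count):
        blob, off = _read_string(msg, off)       # public key blob
        comment, off = _read_string(msg, off)    # key comment
        ktype, _ = _read_string(blob, 0)         # first field of the blob
        out.append((ktype.decode(), fingerprint(blob), comment.decode()))
    return out


def _recv_exact(s, n):
    """Read exactly n bytes from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the socket")
        buf += chunk
    return buf


def agent_call(sock_path, msg):
    """Send one length-framed message to the agent and return its reply body."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(_string(msg))
        (n,) = struct.unpack(">I", _recv_exact(s, 4))
        return _recv_exact(s, n)


def list_identities(sock_path):
    """Equivalent of `ssh-add -l` against the agent behind sock_path."""
    return parse_identities_answer(
        agent_call(sock_path, bytes([SSH_AGENTC_REQUEST_IDENTITIES])))


if __name__ == "__main__":
    # Lists whatever agent SSH_AUTH_SOCK points at, local or forwarded.
    path = os.environ.get("SSH_AUTH_SOCK")
    if path:
        for ktype, fp, comment in list_identities(path):
            print(ktype, fp, comment)
```

`list_identities` issued against the forwarded `SSH_AUTH_SOCK` on the remote host returns the same list the local `ssh-add -l` shows, and `build_add_ed25519(..., lifetime=300)` is what `ssh-add -t 300` puts on the wire; nothing in the request lets the client verify later that the agent actually discarded the key when the 300 seconds ran out, which is exactly the gap Darren describes.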