Keith Winstein <kei...@cs.stanford.edu> 2017-11-08:
> We developed a (prototype) tool that does secure agent forwarding and works
> with Mosh. Would be grateful for testing and feedback:
> https://github.com/StanfordSNR/guardian-agent
>
> Compared with traditional ssh-agent forwarding, this tool provides
> more-constrained agent forwarding that we think could safely be enabled on
> any connection. It works alongside any version of Mosh or SSH. Users run
> sga-guard (the agent) on their local machine, in a separate window
> alongside the interactive session. sga-guard prompts the user to approve
> forwarded ssh requests from the intermediary host, either with an X11 popup
> or in that second terminal window. Unlike with ssh-agent forwarding, the
> agent can enforce limits on which intermediary host can run which command
> on which servers.
>
> Based on feedback to this beta/prototype, maybe we can agree on a good way
> to incorporate these techniques more deeply into Mosh. (Even if it's just a
> mosh -A flag that sets this up automatically instead of needing a second
> terminal window.)

This is an interesting project. However, note that all I'm looking for is for mosh to support a -A workalike of ssh -A. If it's not a drop-in replacement for ssh -A for typical use cases, or can be configured that way easily, then it's not the solution to my problem.

Specifically, I am not interested in manually approving agent requests. The ratio of hassle to mitigated risk is unreasonable in my opinion. It addresses a narrow category of attacks while not helping against other attacks with similar prerequisites and risk (e.g. injecting commands into TTYs of SSH sessions from the compromised system, or replacing a legit auth challenge on the compromised server as it is being handed to the client machine's agent where it will be approved by the user). So unless the confirmations can be easily removed by configuration or patching, I won't be overly excited about this.

Contrary to your README document, I don't believe the risks of agent forwarding through a compromised system are underappreciated. Rather, they are being consciously accepted, especially as they are not going away even with manual approvals.

As a minor nitpick, I would prefer a solution that actually uses the same protocol and hence does not need additional network and firewall considerations on top of mosh.

-Daniel

--
Daniel Roethlisberger
http://daniel.roe.ch/