https://bugzilla.mindrot.org/show_bug.cgi?id=3106
Bug ID: 3106
Summary: Please allow ssh to use one agent to authenticate, but
forward agent connections to another one
Product: Portable OpenSSH
Version: 8.1p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: [email protected]
Reporter: [email protected]
Background: forwarding connections to ssh-agent is risky; if a server
you ssh into is compromised (or if its administrator is malicious),
someone could abuse your forwarded agent to authenticate as you.
One mitigation is to use `ssh-add -c` when adding keys to the agent,
which causes the agent to prompt the user each time a key would need to
be used.
Problem: for people who use ssh a lot, `ssh-add -c` is very
inconvenient; it would be nice if we could be prompted only when a
*remote* client tries to use our key, not for local clients.
Unfortunately, ssh-agent can't differentiate between local and remote
clients.
Proposal: have the user run two agents; one for local clients, one for
remote ones. Keys would be added to the 2nd agent with `ssh-add -c`,
but without `-c` to the 1st one. ssh clients started locally would use
the local agent to authenticate; however, they would forward agent
connections from remote servers to the 2nd agent.
The ForwardAgent ssh_config directive could be extended to support
specifying a path to a socket in addition to the "yes" and "no"
keywords, in the same way IdentityAgent does. IdentityAgent would point
to the local agent socket (which doesn't prompt for key usage), and
ForwardAgent would point to the other agent socket (which would require
user confirmation when a remote client wishes to use a private key).
--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
[email protected]
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
