openssh-unix-dev October 2011 archive

Re: ssh-agent use in different security domains

From: Daniel Kahn Gillmor <dkg_at_nospam>
Date: Wed Oct 26 2011 - 18:42:24 GMT
To: Saku Ytti <saku@ytti.fi>

On 10/25/2011 06:48 AM, Saku Ytti wrote:
> On 25 October 2011 13:28, Damien Miller <djm@mindrot.org> wrote:
>
>> to another host. The risk comes in when your _forward_ your agent to a
>> potentially-untrustworthy server. If you aren't forwarding your agent
>> then you don't need to worry.
>
> Quite. I desire to connect from domain1-server1 to domain1-server2
> and from domain2-server1 to domain2-server2, so forwarding is needed.

To be clear: agent forwarding is *not* needed in this scenario, and in
fact it is discouraged.

The better approach to this is what many people call "jumphosts", which
allow the ssh connection to terminate on your local machine, instead of
having the endpoint on the gateway machine.

So this pattern is bad:

 ssh -A -t monkey.example ssh banana.example

because if monkey is compromised, the attacker can compromise your
connection to banana, and can make use of keys in your agent.

But this connection is good:

 ssh -oProxyCommand='ssh -W %h:%p monkey.example' banana.example

because your local machine is the endpoint for both ssh sessions, and
the only thing monkey.example can see is encrypted traffic.
Furthermore, your agent is not exposed to monkey at all.

(note that -W was added to ssh recently -- I think in OpenSSH 5.5, so
you'll need a recent version on your local machine -- but you can
achieve the same effect with an older version of ssh if you have netcat
or socat installed on the intermediate machine).

Regards,

        --dkg
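The jumphost pattern from the mail above, turned into an ssh_config stanza generator, as an added example that is not part of the original thread. It keeps the gateway/target names monkey.example and banana.example from the mail; the helper functions ssh_supports_W and jumphost_stanza are hypothetical names written for this example, and the netcat fallback is the older-ssh workaround the mail refers to.

```shell
#!/bin/sh
# Added example, not code from the original mailing-list post.
# Emits a Host block that reaches an inner host through a gateway with
# the local machine as the endpoint of both ssh sessions, so the agent
# is never exposed to the gateway.

# ssh_supports_W VERSION_STRING -> 0 if "ssh -W" is available.
# The mail says -W appeared around OpenSSH 5.5; older versions need a
# helper (nc/socat) on the intermediate host instead.
ssh_supports_W() {
    # e.g. "OpenSSH_5.3p1 Debian-3ubuntu7" -> "5 3"
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    set -- $ver
    [ "$1" -gt 5 ] || { [ "$1" -eq 5 ] && [ "$2" -ge 5 ]; }
}

# jumphost_stanza GATEWAY TARGET VERSION_STRING
# Prints the ssh_config block for TARGET. With a new enough local ssh it
# uses "ssh -W"; otherwise it runs netcat on the gateway, which gives the
# same end-to-end tunnel without "ssh -A".
jumphost_stanza() {
    gw=$1; target=$2; version=$3
    if ssh_supports_W "$version"; then
        proxy="ssh -W %h:%p $gw"
    else
        proxy="ssh $gw nc %h %p"
    fi
    printf 'Host %s\n' "$target"
    printf '    ProxyCommand %s\n' "$proxy"
    # Explicitly refuse agent forwarding to the target as well: the
    # tunnel makes it unnecessary, and a compromised endpoint cannot
    # use keys it never sees.
    printf '    ForwardAgent no\n'
}

# Usage: generate the stanza for the locally installed ssh, e.g.
#   jumphost_stanza monkey.example banana.example "$(ssh -V 2>&1)" >> ~/.ssh/config
```

After appending the stanza, a plain `ssh banana.example` goes through monkey.example, which only ever sees ciphertext.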

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev