openssh-unix-dev October 2011 archive

Re: ssh-agent use in different security domains

From: Saku Ytti <saku_at_nospam>
Date: Wed Oct 26 2011 - 19:43:10 GMT
To: openssh-unix-dev@mindrot.org

On 26 October 2011 22:29, Peter Stuge <peter@stuge.se> wrote:

>> Maybe 'ssh-add -c' is something I want (otoh it should prompt always?
>> Which would be annoying.)
>
> I don't find it so annoying. It takes a few logins to get used to the
> extra prompt, but that's it. I use x11-ssh-askpass which is fast and
> shows an unobtrusive prompt.

Well, I must agree with you, considering the alternative is being insecure
by definition or not using ssh-agent. It doesn't seem like that big a problem.

(I figured out why it didn't work for me: I'm using some GNOME agent, which
likely does not support this or is just buggy.)

Anyhow, my coworker is quite seriously thinking of writing a patch which
would display a prompt for sign requests including the full path between
the requested host and localhost (or, for legacy hosts, it would just prompt
that 'legacy host wants to sign with identity foo', with no path and no host
displayed).

He said it's not an exactly difficult patch to make. But how likely would it
be to get something like this integrated upstream?

Today I feel that most people simply accept the security risk: if you have
multiple ssh keys in your 'ssh-add' and you're not using -c, you are highly
likely accessing two or more security domains and bridging the domains
together.

--
  ++ytti
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
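An added illustration, not part of this thread and not OpenSSH code, of why a path-aware prompt like the one proposed above is harder than it looks. The script builds the SSH_AGENTC_SIGN_REQUEST that ssh(1) sends an agent during publickey userauth (message layout from the SSH agent protocol, signed-data layout from RFC 4252 section 7) and then parses it the way a confirming agent would. Everything a prompt can show is what comes out of the parser: the key fingerprint, the agent flags, and, inside the signed data, the session identifier, remote user name and service. No remote host name is carried in the request, which is why `ssh-add -c` can only identify the key being used. The `sign_allowed` policy (fingerprint to permitted remote user names), the key blob and the session id are constructed for the example and are hypothetical.

```python
"""Added example (not from the thread): parse an SSH agent
SSH_AGENTC_SIGN_REQUEST the way a confirming agent would, to show what a
prompt like ssh-add -c's can and cannot tell the user."""
import base64
import hashlib
import struct

SSH_AGENTC_SIGN_REQUEST = 13    # agent protocol message type
SSH_MSG_USERAUTH_REQUEST = 50   # RFC 4252 userauth request


def ssh_string(b: bytes) -> bytes:
    """Encode an SSH 'string': 4-byte big-endian length followed by bytes."""
    return struct.pack(">I", len(b)) + b


def read_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset off; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def key_fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a public key blob."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def build_sign_request(key_blob: bytes, session_id: bytes,
                       user: str, service: str) -> bytes:
    """Build the framed sign request ssh(1) sends the agent during
    publickey userauth; the signed data layout is from RFC 4252 section 7."""
    data = (ssh_string(session_id)
            + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode())
            + ssh_string(service.encode())
            + ssh_string(b"publickey")
            + b"\x01"                           # boolean TRUE: signature present
            + ssh_string(b"ssh-ed25519")
            + ssh_string(key_blob))
    body = (bytes([SSH_AGENTC_SIGN_REQUEST])
            + ssh_string(key_blob)
            + ssh_string(data)
            + struct.pack(">I", 0))             # flags
    return ssh_string(body)                     # whole message is length-framed


def describe_sign_request(msg: bytes) -> dict:
    """Extract everything a confirmation prompt could show for this request.
    Note what is absent: the agent protocol carries no remote host name."""
    body, _ = read_string(msg, 0)
    if body[0] != SSH_AGENTC_SIGN_REQUEST:
        raise ValueError("not a sign request")
    key_blob, off = read_string(body, 1)
    data, off = read_string(body, off)
    (flags,) = struct.unpack_from(">I", body, off)
    info = {"fingerprint": key_fingerprint(key_blob), "flags": flags}
    # If the data looks like a userauth request, pull out user and service.
    session_id, off = read_string(data, 0)
    if off < len(data) and data[off] == SSH_MSG_USERAUTH_REQUEST:
        user, off = read_string(data, off + 1)
        service, off = read_string(data, off)
        method, off = read_string(data, off)
        info.update(session_id=session_id.hex(), user=user.decode(),
                    service=service.decode(), method=method.decode())
    return info


def sign_allowed(info: dict, policy: dict) -> bool:
    """Hypothetical per-key policy: policy maps a key fingerprint to the set
    of remote user names it may authenticate as. Anything else is refused
    (or, in an interactive agent, handed to the confirmation prompt)."""
    return info.get("user") in policy.get(info["fingerprint"], set())


# Constructed sample input (not a real key or session).
EXAMPLE_KEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
EXAMPLE_SESSION_ID = bytes(range(32, 64))

if __name__ == "__main__":
    req = build_sign_request(EXAMPLE_KEY_BLOB, EXAMPLE_SESSION_ID,
                             "root", "ssh-connection")
    info = describe_sign_request(req)
    for k, v in info.items():
        print(f"{k}: {v}")
    print("remote host known to agent:", "host" in info)
```

The point for the domain-bridging risk discussed in the thread: a forwarded agent sees exactly this request and nothing more, so a confirmation prompt can say which key and which remote user name are involved, but cannot tell you which host is asking unless the client passes that information along separately.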