openssh-unix-dev October 2011 archive

Re: ssh-agent use in different security domains

From: Saku Ytti <saku_at_nospam>
Date: Wed Oct 26 2011 - 20:14:18 GMT
To: Ángel González <keisial@gmail.com>

2011/10/26 Ángel González <keisial@gmail.com>:

> Only your ssh program instance can talk with your ssh-agent, because it
> is running locally. Without agent forwarding, programs on the other host
> can't connect to your agent, much less use your keys.

Quite, but the question here is, when you need to have ssh-agent in two different
security domains, how to do it.

Right now my solution seems to be that the higher security domain (domain1)
I'll add with ssh-add -c and the less secure one I can add normally (I don't care
if a domain1 evil admin hijacks and jumps to domain2 as me).

To decrease annoyance of constant prompt, I'll use ControlMaster for domain1.

It's not an optimal solution, but it's something that can be done today.

The optimal solution will inform ssh-agent who exactly is requesting the signing,
so the user can decide if it's expected/allowed or not.

--
++ytti
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
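An added example of the setup described in the mail above (not code from Saku's post or from OpenSSH): the ssh_config fragment for the domain1 hosts plus the two ssh-add calls. The host pattern and the key file names are assumptions; IdentitiesOnly is added so that ssh offers only the listed key to those hosts instead of every key in the agent.

```shell
#!/bin/sh
# Per-security-domain ssh-agent setup (added example, not from the thread).
# Assumes ~/.ssh/id_domain1 and ~/.ssh/id_domain2 exist (hypothetical names)
# and that an ssh-agent is already running in this session.

# Print an ssh_config block for the higher-security domain. ControlMaster
# multiplexes later sessions over one connection, so the ssh-add -c
# confirmation prompt fires once per master connection, not once per ssh.
# ForwardAgent no keeps the agent socket off the remote host entirely.
domain1_config() {
    pattern="$1"   # e.g. '*.domain1.example' (constructed sample)
    keyfile="$2"   # e.g. '~/.ssh/id_domain1'
    cat <<EOF
Host $pattern
    IdentityFile $keyfile
    IdentitiesOnly yes
    ForwardAgent no
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlPersist 10m
EOF
}

# Load the keys with different confirmation policies:
# domain1 requires an explicit confirmation for every signature (-c),
# domain2 is the lower-trust domain and is usable without a prompt.
load_keys() {
    ssh-add -c "$HOME/.ssh/id_domain1"
    ssh-add "$HOME/.ssh/id_domain2"
}

# Usage (not run here):
#   domain1_config '*.domain1.example' '~/.ssh/id_domain1' >> ~/.ssh/config
#   load_keys
```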