openssh-unix-dev October 2011 archive

Re: ssh-agent use in different security domains

From: Peter Stuge <peter_at_nospam>
Date: Wed Oct 26 2011 - 20:49:00 GMT
To: openssh-unix-dev@mindrot.org

Saku Ytti wrote:
> > Only your ssh program instance can talk with your ssh-agent, because it
> > is running locally. Without agent forwarding, programs on the other host
> > can't connect to your agent, much less use your keys.
>
> Quite, but the question here is, when you need to have ssh-agent in two
> different security domains, how to do it.

You're basically not supposed to.

Instead, you let each hop in every domain talk with your agent
directly, without using forwarding.

> Right now my solution seems to be that the higher security domain
> (domain1) I'll add with ssh-add -c and the less secure I can add
> normally (I don't care if domain1 evil admin hijacks and jumps to
> domain2 as me).

The logic seems inverted. Add the less secure domain with -c.

> To decrease annoyance of constant prompt, I'll use ControlMaster
> for domain1.

It's not so annoying, really. But ControlMaster is a good idea in any
case! It makes everything faster too!

> Optimal solution will inform ssh-agent who exactly is requesting
> the signing, so user can decide if it's expected/allowed or not.

Regardless of C skill, you've studied the SSH and agent protocols by
now, so you know that this is not so simple.

//Peter
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
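The client-side setup the thread converges on (no agent forwarding anywhere, every hop authenticating against the local agent, ControlMaster for domain1, and the less secure domain's key loaded with ssh-add -c as Peter suggests), written out as an added example. This is not configuration from the original message or from the OpenSSH project; the host patterns *.domain1.example and *.domain2.example and the key file names id_domain1 and id_domain2 are assumed placeholders.

```sshconfig
# ~/.ssh/config (added example; host patterns and key names are assumed)
#
# Load the keys first. The less secure domain's key is added with -c so
# the agent asks for confirmation (via ssh-askpass) before every signature;
# the higher security domain's key is added normally:
#
#   ssh-add -c ~/.ssh/id_domain2
#   ssh-add    ~/.ssh/id_domain1

# Applies to every host: never forward the agent, and offer only the key
# configured for the host instead of every key the agent holds.
Host *
    ForwardAgent no
    IdentitiesOnly yes

# domain1 (higher security): one authenticated connection is reused for
# later sessions, so the key is used once per master, not per command.
Host *.domain1.example
    IdentityFile ~/.ssh/id_domain1
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlPersist 10m

# domain2 (less secure): no ControlMaster, so each new session goes back
# to the agent and triggers the -c confirmation prompt.
Host *.domain2.example
    IdentityFile ~/.ssh/id_domain2
```

Two things to check after putting this in place: `ssh-add -l` should list both keys, and `ssh-add -c` only prompts if an askpass program is available to the agent (SSH_ASKPASS, or the system ssh-askpass), otherwise the signing request is simply refused. Because ControlPersist keeps the domain1 master alive after the first session exits, anyone who can reach that control socket in that window gets a session as you; keep ControlPath under a directory only you can read.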