Re: Filtering which identities are forwarded by ssh-agent to a given host

On 02/02/15 00:18, Damien Miller wrote:
> On Sun, 1 Feb 2015, Bill Nugent wrote:
> > Host network-a-gateway.example.com
> >          ForwardIdentity      .ssh/network-a-2014-10-12
> > and allow additional ForwardIdentity to allow additional keys.
> It's not possible to do this unfortunately, but is a feature that I've
> wanted for a long time. Implementing it required teaching ssh enough
> of the agent protocol to filter requests sent through it, and doing
> it exactly right so that users' agents aren't exposed when they connect
> to a malicious server - so it's not without risk.
IMHO the way to go is not to teach ssh the agent protocol, but to modify the agent
protocol so that each request gets the hostname requesting it prepended
(forwarded connections would contain the full chain).

Then the agent itself would decide which keys to expose to such host.
"foo is available for any host", "Provide network-a-key only to
ssh.network-a.com and anything that passed through ssh.network-a.com."
"Key bar is shown to all hosts but a confirmation dialog will be shown to the user
pointing at the host requesting it.", and so on.

Regards

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
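The host-aware agent policy sketched in the reply above, as an added example that is not part of the thread or of OpenSSH: the rule format and the hostname-chain representation are assumptions, with chain[0] being the host the user's ssh connected to and chain[-1] the host whose agent request is being answered.

```python
"""Hypothetical host-aware key-exposure policy for an ssh-agent.

Models the proposal in the mail: every (forwarded) agent request carries the
chain of hosts it passed through, and the agent, not ssh, decides per key.
Constructed example; the rule format is invented here, not OpenSSH's.
"""
from __future__ import annotations
from dataclasses import dataclass, field

ALLOW, DENY, CONFIRM = "allow", "deny", "confirm"


@dataclass
class KeyRule:
    """Policy for one key. Empty 'hosts' and 'via' mean 'any host may use it'."""
    hosts: set = field(default_factory=set)  # hosts allowed to use the key directly
    via: set = field(default_factory=set)    # ...or any chain that passed through one of these
    confirm: bool = False                    # ask the user before answering


def decide(rule: KeyRule, chain: list[str]) -> str:
    """chain[0] is the host ssh connected to; chain[-1] is the host asking now."""
    if not chain:
        return DENY  # a request with no recorded origin is refused outright
    requester = chain[-1]
    restricted = bool(rule.hosts or rule.via)
    permitted = (not restricted
                 or requester in rule.hosts
                 or any(h in rule.via for h in chain))
    if not permitted:
        return DENY
    return CONFIRM if rule.confirm else ALLOW


def visible_keys(policy: dict[str, KeyRule], chain: list[str]) -> list[str]:
    """Keys to list for an identities request from this chain; denied keys stay hidden."""
    return [name for name, rule in policy.items() if decide(rule, chain) != DENY]


# Constructed policy mirroring the three examples in the mail.
POLICY = {
    "foo": KeyRule(),                                  # available to any host
    "network-a-key": KeyRule(via={"ssh.network-a.com"}),  # only via ssh.network-a.com
    "bar": KeyRule(confirm=True),                      # any host, but ask the user first
}
```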
