Re: Using confirmation of key usage per-host?

On Mon, 23 Feb 2015, Johannes Kastl wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Dear all,
> 
> bear with me, I know the SUBJECT sounds pretty unclear. I'll clarify
> in a minute. And please excuse that due to the keywords being unclear
> no usable help was found on google & Co...
> 
> Assume there is a workstation, which connects to multiple machines,
> one of which is considered potentially unsafe. So, it would be nice to
> have agent forwarding to that machine combined with the confirmation
> option of ssh-add (-c). If the 'forwarded key' is used on this
> machine, the user is prompted on the workstation. An intruder cannot
> use the authentication information without the user knowing (at least
> that is how I understood the idea of agent confirmation).
> 
> Using ssh-add -c on the workstation together with setting
> 'ForwardAgent=yes' in the .ssh/config achieves the desired behaviour.
> 
> Unfortunately, this means the user is asked for confirmation each
> time the key is used, even if it is just to connect to a safe machine
> or without agent forwarding.
> 
> Question:
> Is it possible to just get asked for confirmation, when the key is
> used on a machine, to which agent forwarding is used? Can this be set
> on a per-host-basis, like enabling/disabling agent forwarding in
> .ssh/config?

No and no.

You might want to check the mailing list archive for the thread
"Filtering which identities are forwarded by ssh-agent to a given host"
a couple of weeks ago for a related discussion.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
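The setup the question describes, written out as an added example (this is not code from the thread or from OpenSSH itself): the key is loaded with `ssh-add -c`, and the agent is forwarded only to the one untrusted host, with forwarding off by default. The host names `untrusted.example` and `safe.example` and the key path are assumptions for illustration. Note the stanza order: ssh reads ssh_config top to bottom and keeps the first value it obtains for each option, so the host-specific `Host untrusted.example` block must come before the `Host *` default or the wildcard's `ForwardAgent no` wins. Also, confirmation prompts come from an askpass program, so `ssh-add -c` only works where the agent can reach one (SSH_ASKPASS or a system ssh-askpass).

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Assumed names: untrusted.example, safe.example, ~/.ssh/id_ed25519.

# Load the key with per-use confirmation. This is agent-wide: every signing
# request, local or forwarded, prompts on the workstation. There is no way
# to confine the prompt to requests arriving from a particular host.
add_key_with_confirmation() {
    key="${1:-$HOME/.ssh/id_ed25519}"
    ssh-add -c "$key"
}

# Emit an ssh_config that forwards the agent to exactly one host.
# The specific host stanza must precede 'Host *': ssh uses the first
# value obtained for each option, so a leading wildcard would override it.
write_config() {
    cat <<'EOF'
# Only this host receives the forwarded agent. Combined with ssh-add -c,
# each signature it requests is confirmed on the workstation.
Host untrusted.example
    ForwardAgent yes

# Nothing else gets the agent; safe.example falls through to this default.
Host *
    ForwardAgent no
EOF
}

# Resolve what ssh would actually use for a host, given a config file.
# Prints e.g. "forwardagent yes"; requires the ssh client to be installed.
show_effective() {
    cfg="$1"
    host="$2"
    ssh -G -F "$cfg" "$host" | grep -i '^forwardagent'
}

# Count how many Host stanzas the generated config contains (used as a
# simple self-check without needing ssh on the machine).
count_host_stanzas() {
    write_config | grep -c '^Host '
}
```

Usage: `write_config > ~/.ssh/config` (after backing up any existing file), then `add_key_with_confirmation`, and `show_effective ~/.ssh/config untrusted.example` versus `show_effective ~/.ssh/config safe.example` to confirm that only the untrusted host resolves to `forwardagent yes`.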
