Re: Using confirmation of key usage per-host?

On 2/23/15 11:45 AM, Johannes Kastl wrote:
> Assume there is a workstation, which connects to multiple machines,
> one of which is considered potentially unsafe. So, it would be nice to
> have agent forwarding to that machine combined with the confirmation
> option of ssh-add (-c). If the 'forwarded key' is used on this
> machine, the user is prompted on the workstation. An intruder cannot
> use the authentication information without the user knowing (at least
> that is how I understood the idea of agent confirmation).
>
> Using ssh-add -c on the workstation together with setting
> 'ForwardAgent=yes' in the .ssh/config achieves the desired behaviour.
>
> Unfortunately, this means the user is asked for confirmation each
> time the key is used. Even if it is just to connect to a safe machine
> or without agent forwarding.
>
> Question:
> Is it possible to just get asked for confirmation when the key is
> used on a machine to which agent forwarding is used? Can this be set
> on a per-host basis, like enabling/disabling agent forwarding in
> .ssh/config?

You'll need to run 2 agents if you want different agent behaviour. Sadly I don't know of any way to select which agent gets used in ssh_config - you'd also have to wrap ssh to flip the SSH_AUTH_SOCK env var.

--
Carson


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
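
The two-agent setup suggested in the reply above, sketched as a shell wrapper (an added example, not code from the thread or from OpenSSH). The socket paths, the host patterns and the names agent_sock_for, start_agents, load_key and sshw are assumptions; ForwardAgent stays a per-host setting in .ssh/config.

```shell
#!/bin/sh
# Added example. Socket paths, host patterns and function names are assumptions.
PLAIN_SOCK="$HOME/.ssh/agent-plain.sock"      # agent whose keys need no confirmation
CONFIRM_SOCK="$HOME/.ssh/agent-confirm.sock"  # agent whose keys were added with -c

# Print the agent socket for a destination given as host or user@host.
agent_sock_for() {
    host=${1##*@}    # drop an optional "user@" prefix
    case "$host" in
        # Constructed sample names for the potentially unsafe machines.
        shared.example.org|*.lab.example.org) printf '%s\n' "$CONFIRM_SOCK" ;;
        *) printf '%s\n' "$PLAIN_SOCK" ;;
    esac
}

# Start both agents unless a live one already answers on the socket.
start_agents() {
    for sock in "$PLAIN_SOCK" "$CONFIRM_SOCK"; do
        rc=0
        SSH_AUTH_SOCK=$sock ssh-add -l >/dev/null 2>&1 || rc=$?
        # ssh-add exits 2 when it cannot contact an agent on that socket.
        if [ "$rc" -eq 2 ]; then
            rm -f "$sock"
            ssh-agent -a "$sock" >/dev/null
        fi
    done
}

# Load one key into both agents; only the second copy requires confirmation.
load_key() {
    SSH_AUTH_SOCK=$PLAIN_SOCK ssh-add "$1" &&
    SSH_AUTH_SOCK=$CONFIRM_SOCK ssh-add -c "$1"
}

# ssh wrapper: destination first, everything passed to ssh unchanged.
sshw() {
    if [ $# -lt 1 ]; then
        echo "usage: sshw [user@]host [command ...]" >&2
        return 64
    fi
    SSH_AUTH_SOCK=$(agent_sock_for "$1") ssh "$@"
}
```

Exporting SSH_AUTH_SOCK="$CONFIRM_SOCK" in the login shell means any ssh call that bypasses sshw still reaches only the confirming agent.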



