> I mostly found this option mentioned in connection with agent forwarding, and that's the use case I have.
>
> The benefit being that no one can use the 'forwarded' key/identity, unless I confirm it. So me forwarding my identity to a server getting hacked does not compromise security.

I'm using the below script to prompt for confirmation when agent forwarding. Please keep in mind the following disclaimer: I don't really know what I'm doing. It works for me, but I don't fully understand all the moving parts, and that it works *for now* could just be a happy accident.

#!/bin/bash
set -o errexit
set -o nounset

# This script is useful when forwarding your agent to an untrusted server. It works without X.
#
# To use this script, export DISPLAY=FAKE SSH_ASKPASS=/path/to/this/script SSH_ASKPASS_TTY=$(tty)
# before you do eval `ssh-agent` (these variables should end up in the environment ssh-agent runs in).
# Then add keys to the agent with ssh-add -c /path/to/key
# ssh-agent will then call this script to ask you for confirmation when asked for that key.
#
# DISPLAY and SSH_ASKPASS must be set so this script will be called at all. Once we're in this script,
# it is not clear what terminal we should ask for confirmation on, since ssh-agent detaches from the tty.
# That's why we pass the tty in as an environment variable as well.

# Connect stdin, stdout, and stderr to the tty
exec 0<"$SSH_ASKPASS_TTY"
exec 1>"$SSH_ASKPASS_TTY"
exec 2>"$SSH_ASKPASS_TTY"

# We're most likely being called when the tty is already in use by ssh, which changes tty settings.
# First set the tty to something sane, so we can ask for confirmation.
original_tty_settings=$(stty -g)

# Restore the tty settings that ssh was using, however this script exits
# (approval, denial, timeout, or an error under errexit).
trap 'stty "$original_tty_settings"' EXIT

stty sane

# $@ is passed in from ssh-agent, and includes which key is being requested.
echo "$@"
echo -n "Approve this request? [y/N] "

# 5 second timeout. read returns non-zero on timeout; without the fallback,
# errexit would abort the script before the trap ran the answer check.
read -r -t 5 answer || answer=""

# Zero exit status means we approve this authentication request.
if [[ "$answer" == "y" ]]; then
    exit 0
fi
exit 1

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev