Re: add keys and certificate to forwarded agent on remote host

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On 17/09/18, Peter Stuge (peter@xxxxxxxx) wrote:
> Rory Campbell-Lange wrote:
> > Can ssh-add work on the remote socket file?
> 
> I expect that it will just work<tm>. The local socket is just a
> socket, and the protocol[1] message SSH_AGENT_ADD_KEY is the same.

Local:

	$ ssh-agent > /tmp/agent.env
    $ source /tmp/agent.env
    $ ssh-add ~/.ssh/id_user
    $ ssh -A remote

Remote:

	$ SSH_AUTH_SOCK=/tmp/ssh-1rVbCSbuDP/agent.3145 
	$ ssh-add newkey
	Identity added: newkey (newkey)

Local:

    $ source /tmp/agent.env
	$ ssh-add -l
	2048 SHA256:32C...qYBs /home/user/.ssh/id_user (RSA)
	2048 SHA256:32C...qYBs /home/user/.ssh/id_user (RSA-CERT)
	2048 SHA256:SZG...5hUQ newkey (RSA)

That worked perfectly, it seems.

> > Is such an operation advisable?
> 
> That's up to you. ssh-add decrypts the private key locally where invoked
> and transfers the key in a form immediately usable to the agent.
> 
> Once the agent has the key, it's not really possible to force the agent
> to remove it.

I guess one could set a short life on the remotely added key, such as:

Remote:

	SSH_AUTH_SOCK=/tmp/ssh-X85qP7jRtG/agent.4079 
	$ ssh-add -t 300 shortlifekey
	Identity added: shortlifekey (shortlifekey)
	Lifetime set to 300 seconds

Local:

	$ ssh-add -l
	2048 SHA256:32C...qYBs /home/user/.ssh/id_user (RSA)
	2048 SHA256:32C...qYBs /home/user/.ssh/id_user (RSA-CERT)
	2048 SHA256:SZG...5hUQ newkey (RSA)
	2048 SHA256:7IS...JRi8 shortlifekey (RSA)

	wait 5 minutes...

	2048 SHA256:32Cv...qYBs /home/user/.ssh/id_user (RSA)
	2048 SHA256:32Cv...qYBs /home/user/.ssh/id_user (RSA-CERT)
	2048 SHA256:SZGf...5hUQ newkey (RSA)


Thanks for the great pointers
Rory
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux