Re: add keys and certificate to forwarded agent on remote host

On 18/09/18, Peter Moody (mindrot@xxxxxxxx) wrote:
> On Mon, Sep 17, 2018 at 6:13 AM, Rory Campbell-Lange
> <rory@xxxxxxxxxxxxxxxxxx> wrote:
...

> > The problem is then to automate certificate issuance since it would be
> > pretty arduous for someone to keep issuing short-lived user
> > certificates.
> >
> > I was intrigued to read Uber's ussh announcement page and wondered if
> > this suggests a route for doing so:
> > (https://medium.com/uber-security-privacy/introducing-the-uber-ssh-certificate-authority-4f840839c5cc)
...

> > Assuming we write a program to generate a new key pair and associated
> > user certificate, how would one go about adding this to a forwarded
> > agent on the remote server hosting the program? Can ssh-add work on the
> > remote socket file? Is such an operation advisable?

...

> It's unclear if I'm ever going to be able to opensource usshca at this
> point, but I can assure that you it's definitely possible to add a
> private key (and certificate) to a forwarded ssh-agent. It might not
> be clear from the blog post, but usshca is itself an ssh server,
> albeit one that doesn't drop an authenticated user into a shell.
> openssh's sshd makes a remotely forwarded agent available locally via
> unix domain socket, but usshca just takes the remote agent and,
> assuming everything's a-ok, adds the key and cert.

Hi Peter

Thanks for the response, and the Go code snippets (unfortunately I'm not
a Go programmer). It would be great if usshca could be open-sourced in
future.

I've verified what you've written about adding keys and certificate to a
forwarded agent following Peter Stuge's helpful comments. Darren Tucker
pointed out that there is nothing to stop someone hacking their agent to
copy a key (even with a timeout), so the use of time-limited
certificates seems important.

The missing piece in the puzzle for our use case is extracting the user
from the connection by pairing their connection key to one in a user
database without having to create a local user for each remote ssh user
on the authenticating server. I assume the usshca ssh server deals with
this by allowing "username@usshca" connections for all known users?

Regards
Rory
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
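The workflow the thread describes (a program issues a short-lived user certificate, then loads key and certificate into an ssh-agent via ssh-add), as an added example that is not code from the thread or from usshca. It assumes ssh-keygen and ssh-agent are installed; the CA, user key, "deploy" principal and temp paths are all constructed here.

```shell
# Issue a one-hour user certificate and load key plus certificate into an
# agent with a matching lifetime. Constructed example: the CA, the key, the
# "deploy" principal and the temp paths are all created here; on the remote
# host SSH_AUTH_SOCK would already point at the socket that sshd created for
# the forwarded agent, and the same ssh-add call works against it unchanged.
set -eu

issue_and_load() {
    work=$(mktemp -d)
    # CA key (would live only on the issuing host) and a fresh user key pair,
    # as the issuing program in the thread would generate per session.
    ssh-keygen -q -t ed25519 -N '' -f "$work/ca" -C 'example-ca'
    ssh-keygen -q -t ed25519 -N '' -f "$work/user" -C 'deploy@example'
    # Sign the user key: identity "deploy-session", principal "deploy",
    # valid for one hour from now. Produces $work/user-cert.pub.
    ssh-keygen -q -s "$work/ca" -I deploy-session -n deploy -V +1h "$work/user.pub"
    # Start a throwaway agent so the example is self-contained.
    eval "$(ssh-agent -s)" >/dev/null
    # ssh-add loads user-cert.pub alongside the key automatically. -t drops
    # the key from the agent after 3600 s; a key copied out of a hacked agent
    # (Darren Tucker's point) is still bounded by the certificate's validity.
    ssh-add -t 3600 "$work/user" 2>/dev/null
    # Count certificate identities now held by the agent (expected: 1).
    n=$(ssh-add -L | grep -c 'ssh-ed25519-cert-v01@openssh.com' || true)
    kill "$SSH_AGENT_PID"
    rm -rf "$work"
    echo "$n"
}
```

On the remote host, skip the ssh-agent start: sshd has already set SSH_AUTH_SOCK to the forwarded socket, and `ssh-add -L` there shows the certificate entry once loaded.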
