Re: Proposal for hardening agent forwarding

On Fri, 2021-03-12 at 07:00 +0000, Mitchell Blank Jr wrote:
> Hello.
> 
> This week I've been experimenting with some hardening of the agent-
> forwarding process.  I know there have been other proposals in the
> past, but I thought I'd share what I have in case they are of any
> upstream interest.
> 
> For easier review (and to spare your inboxes) I just opened it as a
> PR on the openssh-portable github mirror here: 
> https://github.com/openssh/openssh-portable/pull/233
> 
> In short it's similar functionality to Timo Weingärtner's ssh-agent-
> filter tool that many are probably already familiar with, but
> integrated directly into the openssh client.
> 
> I just did this for my own use-case, but if some of it is interesting
> as an upstream addition feel free to re-use whatever parts you want.

Filtering the keys by connection would block my usual use case: bastion
hosts that only do rsa.  My TPM is pretty slow at RSA so I usually use
ecdsa for the onward connection to make the total time to connect to
the interior host vaguely bearable.

If -c enough, what about logging all connections so you can verify
after the fact you weren't hacked ... a sort of transparency log
approach which is very popular today?

James


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
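The two mechanisms under discussion in this thread, a per-connection key filter in front of the forwarded agent and an after-the-fact log of every agent request, can both be demonstrated with a small proxy that speaks the SSH agent protocol. The block below is an added example, not code from the pull request, from ssh-agent-filter or from OpenSSH; the message numbers and framing are the agent protocol's, but the key blobs, the HMAC-based stub agent, the session name and the JSON log format are all constructed for illustration:

```python
import base64
import hashlib
import hmac
import json
import struct

# Message numbers from the SSH agent protocol (draft-miller-ssh-agent).
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14


def put_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def get_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def frame(payload: bytes) -> bytes:
    """On the wire every agent message is uint32 length followed by the payload."""
    return struct.pack(">I", len(payload)) + payload


def unframe(msg: bytes) -> bytes:
    (n,) = struct.unpack_from(">I", msg, 0)
    assert len(msg) == 4 + n, "truncated or oversized agent message"
    return msg[4:]


def key_type(blob: bytes) -> str:
    # The first field of every public key blob is its algorithm name.
    return get_string(blob, 0)[0].decode()


def fingerprint(blob: bytes) -> str:
    # Same presentation ssh-keygen -l uses: SHA256 of the blob, base64 without padding.
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


class StubAgent:
    """Stand-in for ssh-agent (constructed): 'signs' with HMAC so no real keys are needed."""

    def __init__(self, keys):
        self.keys = keys  # {blob: (comment, secret)}

    def handle(self, payload: bytes) -> bytes:
        if payload[0] == SSH_AGENTC_REQUEST_IDENTITIES:
            out = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(self.keys))
            for blob, (comment, _) in self.keys.items():
                out += put_string(blob) + put_string(comment)
            return out
        if payload[0] == SSH_AGENTC_SIGN_REQUEST:
            blob, off = get_string(payload, 1)
            data, _ = get_string(payload, off)
            if blob not in self.keys:
                return bytes([SSH_AGENT_FAILURE])
            sig = hmac.new(self.keys[blob][1], data, hashlib.sha256).digest()
            return bytes([SSH_AGENT_SIGN_RESPONSE]) + put_string(put_string(b"stub-sig") + put_string(sig))
        return bytes([SSH_AGENT_FAILURE])


class AuditingProxy:
    """Sits between the forwarded socket and the real agent: hides keys whose type is not
    allowed for this connection and appends every request to a hash-chained log."""

    def __init__(self, agent, allowed_types=None, session="unknown"):
        self.agent, self.allowed, self.session = agent, allowed_types, session
        self.log, self.prev = [], "0" * 64

    def _allowed(self, blob: bytes) -> bool:
        return self.allowed is None or key_type(blob) in self.allowed

    def _record(self, event: dict) -> None:
        # Each entry commits to the previous entry's hash, so the log is append-only in the
        # sense that editing or dropping an entry breaks verification of everything after it.
        entry = dict(event, session=self.session, prev=self.prev)
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.prev = entry["hash"]
        self.log.append(entry)

    def handle(self, msg: bytes) -> bytes:
        payload = unframe(msg)
        if payload[0] == SSH_AGENTC_REQUEST_IDENTITIES:
            resp = self.agent.handle(payload)
            (n,) = struct.unpack_from(">I", resp, 1)
            off, kept = 5, []
            for _ in range(n):
                blob, off = get_string(resp, off)
                comment, off = get_string(resp, off)
                if self._allowed(blob):
                    kept.append(put_string(blob) + put_string(comment))
            self._record({"op": "list", "offered": len(kept), "hidden": n - len(kept)})
            return frame(bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(kept)) + b"".join(kept))
        if payload[0] == SSH_AGENTC_SIGN_REQUEST:
            blob, off = get_string(payload, 1)
            data, _ = get_string(payload, off)
            ok = self._allowed(blob)
            self._record({"op": "sign", "key": fingerprint(blob), "type": key_type(blob),
                          "data_sha256": hashlib.sha256(data).hexdigest(), "allowed": ok})
            return frame(self.agent.handle(payload) if ok else bytes([SSH_AGENT_FAILURE]))
        self._record({"op": "other", "msg": payload[0]})
        return frame(bytes([SSH_AGENT_FAILURE]))


def verify_chain(log) -> bool:
    """Recompute the chain over a saved log; False means an entry was altered or removed."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body["prev"] != prev or digest != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


# Constructed key blobs: only the leading type string matters to the filter.
RSA_BLOB = put_string(b"ssh-rsa") + put_string(b"e") + put_string(b"n")
ECDSA_BLOB = put_string(b"ecdsa-sha2-nistp256") + put_string(b"nistp256") + put_string(b"Q")
AGENT = StubAgent({RSA_BLOB: (b"bastion", b"secret-rsa"), ECDSA_BLOB: (b"interior", b"secret-ecdsa")})


def demo():
    """A forwarded session on a hypothetical RSA-only bastion: list, one allowed sign, one refused."""
    proxy = AuditingProxy(AGENT, allowed_types={"ssh-rsa"}, session="bastion.example")
    listing = proxy.handle(frame(bytes([SSH_AGENTC_REQUEST_IDENTITIES])))
    sign = lambda blob: frame(bytes([SSH_AGENTC_SIGN_REQUEST]) + put_string(blob) + put_string(b"session-id") + struct.pack(">I", 0))
    return listing, proxy.handle(sign(RSA_BLOB)), proxy.handle(sign(ECDSA_BLOB)), proxy.log
```

Run as a real proxy, this would listen on a unix socket of its own, point `SSH_AUTH_SOCK` at it for the forwarded connection, and relay to the original agent socket. The log records which key signed what (by blob fingerprint and the SHA-256 of the signed data) rather than whether the request was legitimate; as the reply above suggests, that is enough to check after the fact whether a forwarded agent was used for anything unexpected, while the chain makes silent edits to the record detectable. The filter shown here is exactly the per-connection type restriction that the reply says would block a bastion-RSA, interior-ECDSA workflow: the second identity is hidden from the listing and its signing request is refused.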