On Fri, 2021-03-12 at 07:00 +0000, Mitchell Blank Jr wrote:
> Hello.
>
> This week I've been experimenting with some hardening of the
> agent-forwarding process. I know there have been other proposals in the
> past, but I thought I'd share what I have in case they are of any
> upstream interest.
>
> For easier review (and to spare your inboxes) I just opened it as a
> PR on the openssh-portable github mirror here:
> https://github.com/openssh/openssh-portable/pull/233
>
> In short it's similar functionality to Timo Weingärtner's
> ssh-agent-filter tool that many are probably already familiar with, but
> integrated directly into the openssh client.
>
> I just did this for my own use-case, but if some of it is interesting
> as an upstream addition feel free to re-use whatever parts you want.

Filtering the keys by connection would block my usual use case: bastion
hosts that only do rsa. My TPM is pretty slow at RSA so I usually use
ecdsa for the onward connection to make the total time to connect to the
interior host vaguely bearable.

If -c enough, what about logging all connections so you can verify after
the fact you weren't hacked ... a sort of transparency log approach
which is very popular today?

James

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
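The "transparency log" idea from James's reply, as an added example that is not part of the thread, the PR, or OpenSSH itself: a Python module that parses SSH_AGENTC_SIGN_REQUEST messages (agent protocol type 13: key blob, data to sign, flags), records the key type, fingerprint and a digest of the signed data in a hash-chained log, and lets a later pass verify that no entry was edited or dropped. The message layout follows the SSH agent protocol; the sample request and key blob are constructed for the example.

```python
"""Hash-chained audit log of ssh-agent sign requests (added example, not OpenSSH code)."""
import base64
import hashlib
import struct
SSH_AGENTC_SIGN_REQUEST = 13  # agent protocol: byte type, string key, string data, uint32 flags

def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b  # SSH wire string: uint32 big-endian length prefix

def _read_string(buf: bytes, off: int) -> tuple:
    (n,) = struct.unpack_from(">I", buf, off)  # decode wire string at off -> (value, next off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def fingerprint(key_blob: bytes) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints (unpadded base64)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(key_blob).digest()).decode().rstrip("=")

def parse_sign_request(msg: bytes) -> dict:
    """Parse one agent message body (outer uint32 framing already stripped)."""
    if not msg or msg[0] != SSH_AGENTC_SIGN_REQUEST:
        raise ValueError("not a SSH_AGENTC_SIGN_REQUEST")
    key_blob, off = _read_string(msg, 1)
    key_type, _ = _read_string(key_blob, 0)  # a key blob starts with its own type name
    data, off = _read_string(msg, off)
    (flags,) = struct.unpack_from(">I", msg, off)
    return {"key_type": key_type.decode(), "fingerprint": fingerprint(key_blob),
            "data_sha256": hashlib.sha256(data).hexdigest(), "flags": flags}

def _link_hash(e: dict, prev: str) -> str:
    fields = (e["ts"], e["key_type"], e["fingerprint"], e["data_sha256"], e["flags"], prev)
    return hashlib.sha256("|".join(map(str, fields)).encode()).hexdigest()

def append_entry(log: list, req: dict, ts: int) -> dict:
    """Append a parsed request; each entry commits to the hash of its predecessor."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = dict(req, ts=ts, prev_hash=prev)
    entry["entry_hash"] = _link_hash(entry, prev)
    log.append(entry)
    return entry

def verify_chain(log: list) -> bool:
    """Recompute every link; an edited, reordered or deleted entry breaks the chain."""
    prev = "0" * 64
    for e in log:
        if e["prev_hash"] != prev or _link_hash(e, prev) != e["entry_hash"]:
            return False
        prev = e["entry_hash"]
    return True

# Constructed sample: an ssh-ed25519 key blob holding a dummy 32-byte public key.
SAMPLE_KEY_BLOB = _string(b"ssh-ed25519") + _string(b"\x01" * 32)
SAMPLE_REQUEST = (bytes([SSH_AGENTC_SIGN_REQUEST]) + _string(SAMPLE_KEY_BLOB)
                  + _string(b"constructed session data") + struct.pack(">I", 0))
```

A real deployment would sit between the forwarded agent socket and the agent, feed every request through parse_sign_request, and ship the chain off-host so the bastion cannot quietly rewrite it.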