Somewhat Safer SSH Agent Forwarding
canopic jug writes:
SSH key forwarding is to be avoided when possible. When it is not possible to avoid, it is a good idea to limit what gets forwarded. Software developer Vincent Bernat describes one way by putting a simple shell script wrapper around the SSH client to provide a session with a unique, ephemeral key agent.
ssh-agent is a program to hold in memory the private keys used by SSH for public-key authentication. When the agent is running, ssh forwards to it the signature requests from the server. The agent performs the private key operations and returns the results to ssh. It is useful if you keep your private keys encrypted on disk and you don't want to type the password at each connection. Keeping the agent secure is critical: someone able to communicate with the agent can authenticate on your behalf on remote servers.
ssh also provides the ability to forward the agent to a remote server. From this remote server, you can authenticate to another server using your local agent, without copying your private key on the intermediate server. As stated in the manual page, this is dangerous!
Perhaps another approach would be to embed the wrapper in the ProxyCommand configuration directive, thus obviating the need for either a shell alias or shell function.
How and why have soylentils had to deal with SSH agent forwarding?
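As an added example, not code from Vincent Bernat's post or from the submission above: a POSIX sh wrapper in the spirit of the one described, giving each ssh session its own ephemeral agent that holds one key, bound to a private socket and killed when the session ends. The names ssh_fwd, EPHEMERAL_KEY and SSH_FWD_TTL are assumptions made here.

```shell
#!/bin/sh
# Assumed names (not from the original): ssh_fwd, EPHEMERAL_KEY, SSH_FWD_TTL.
# Give one ssh session its own short-lived agent that holds only the key chosen
# for that hop, so a compromised intermediate host can at most use that key,
# and only until the session ends or the key lifetime expires.

# Private directory (mode 0700) for the ephemeral agent socket.
make_agent_dir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/ssh-eagent.XXXXXX") || return 1
    chmod 700 "$d" || return 1
    printf '%s\n' "$d"
}

# Key lifetime in seconds; SSH_FWD_TTL overrides, anything non-numeric falls back.
key_ttl() {
    case "${SSH_FWD_TTL:-}" in
        ''|*[!0-9]*) printf '3600\n' ;;
        *)           printf '%s\n' "$SSH_FWD_TTL" ;;
    esac
}

# Extract the agent pid from "ssh-agent -s" output instead of eval'ing it into
# the caller's shell, so the default SSH_AUTH_SOCK is never clobbered.
agent_pid_from_output() {
    sed -n 's/^SSH_AGENT_PID=\([0-9][0-9]*\);.*/\1/p'
}

ssh_fwd() {
    key=${EPHEMERAL_KEY:-$HOME/.ssh/id_ed25519}
    ttl=$(key_ttl)
    dir=$(make_agent_dir) || return 1
    sock=$dir/agent
    # -a binds the agent to our private socket; -t caps every key's lifetime in
    # the agent, which bounds the exposure even if the cleanup below never runs.
    pid=$(ssh-agent -s -a "$sock" -t "$ttl" | agent_pid_from_output)
    [ -n "$pid" ] || { rm -rf "$dir"; return 1; }
    # Load only the one key meant for this hop.
    if SSH_AUTH_SOCK=$sock ssh-add -t "$ttl" "$key"; then
        # Forward the ephemeral agent (-A); the long-lived default agent is untouched.
        SSH_AUTH_SOCK=$sock ssh -A "$@"
        rc=$?
    else
        rc=1
    fi
    kill "$pid" 2>/dev/null
    rm -rf "$dir"
    return "$rc"
}
```

Once the file is sourced, invoke it as `ssh_fwd user@host`; ssh-add prompts for the key's passphrase on every call, since nothing outlives the session.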
Previously:
(2019) How SSH Key Shielding Works
(2019) SSH Gets Protection Against Side Channel Attacks
(2018) Default OpenSSH-Portable RSA Private Key Encryption is Poor
(2017) SSH vs OpenVPN for Tunneling
(2016) Upgrade Your SSH Keys
(2015) Why Aren't We Using SSH for Everything?
Read more of this story at SoylentNews.