Re: [Sshmgmt] Agent forwarding
Tatu Ylonen <tyl@ssh.com> Sat, 20 April 2013 18:21 UTC
Return-Path: <tyl@ssh.com>
X-Original-To: sshmgmt@ietfa.amsl.com
Delivered-To: sshmgmt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03D4D21F8E96 for <sshmgmt@ietfa.amsl.com>; Sat, 20 Apr 2013 11:21:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.862
X-Spam-Level: *
X-Spam-Status: No, score=1.862 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AwBZWqSnXXgr for <sshmgmt@ietfa.amsl.com>; Sat, 20 Apr 2013 11:21:49 -0700 (PDT)
Received: from ip-194-137-52-209.ssh.com (ip-194-137-52-209.ssh.com [194.137.52.209]) by ietfa.amsl.com (Postfix) with ESMTP id E57CC21F8D61 for <sshmgmt@ietf.org>; Sat, 20 Apr 2013 11:21:47 -0700 (PDT)
Received: from [192.168.0.101] (mee2436d0.tmodns.net [208.54.36.238]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by ip-194-137-52-209.ssh.com (Postfix) with ESMTPSA id 9840F780145; Sat, 20 Apr 2013 21:31:57 +0300 (EEST)
Mime-Version: 1.0 (Apple Message framework v1283)
Content-Type: text/plain; charset="us-ascii"
From: Tatu Ylonen <tyl@ssh.com>
In-Reply-To: <20130420122350.D670D80048@notatla.org.uk>
Date: Sat, 20 Apr 2013 21:21:49 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <A7512632-5544-47EE-88C1-C2D559E02700@ssh.com>
References: <20130420122350.D670D80048@notatla.org.uk>
To: peter@notatla.org.uk
X-Mailer: Apple Mail (2.1283)
Cc: sshmgmt@ietf.org
Subject: Re: [Sshmgmt] Agent forwarding
X-BeenThere: sshmgmt@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This list will discuss SSH key management practices. The starting point will be to consider what to do with draft-ylonen-sshkeybcp" <sshmgmt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sshmgmt>, <mailto:sshmgmt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sshmgmt>
List-Post: <mailto:sshmgmt@ietf.org>
List-Help: <mailto:sshmgmt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sshmgmt>, <mailto:sshmgmt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Apr 2013 18:21:52 -0000
Almost all non-interactive use of SSH is without using an agent (though I am aware of some cases where people load a key with a passphrase into an agent in a script and use it through the agent). Thus I see agent forwarding primarily as an issue for interactive use. I agree with Peter that limiting agent forwarding is kind of difficult to deal with making the non-SSO usage more difficult. I believe at least OpenSSH disables agent forwarding by default, and my understanding is that Tectia SSH has provided the ability to gain visibility to what is done with the agent and restrict it for years (at least on Windows platforms). Overall, I see this as a user interface issue for clients, rather than a protocol issue or even an issue to be addressed in the key management draft (the main substance of the draft is around provisioning and managing access to systems using SSH keys throughout the lifetime of such access). I could of course add some language about agent and the use case I mentioned in the first paragraph in Section 2, but my preference would be to keep Section 2 as short as possible, because the lead-in to the real substance in Sections 3-7 is already a bit lengthy (but needed in my opinion as many people are not so familiar with how authentication in SSH actually works - I also considered moving some or all of Section 2 to an appendix but in the end decided to leave the material where it is but try to keep it reasonably short). Tatu On Apr 20, 2013, at 3:23 PM, <peter@notatla.org.uk> <peter@notatla.org.uk> wrote: > Simon Josefsson writes: >> Briefly, if a remote system has been compromised, and you connect to it >> using 'ssh -A', the remote system can use your credentials to login to >> other systems. Normally there is no user feedback of what is going on >> either. I've seen uses of 'ForwardAgent yes' in people's .ssh/config >> which is risky and IMHO a problem worthy of attention. > > This is a risk but it's difficult to deal with without removing the > non-interactive SSO that the agent provides and is the reason people > use it. > > Also from the man page: "Several identities can be stored in the agent; > the agent can automatically use any of these identities." > > What I think could be done are: > > a) logging by the agent when it computes a challenge > > The log to include the host public key which the > challenge proves correct and fresh. I'm guessing that's > possible (even if it meant reworking the challenge) > but haven't studied it. The aim is that when you are > blamed for a login you show in the agent log how it was > assisted by the agent during contact with some other > list of hosts - one of which is now suspected of using > the agent without user consent. > > b) real-time display by the agent when it computes a challenge > > c) limit the agent instance by number/rate of challenges > > d) limit the agent instance by which hosts/identities it will > compute challenges for (again assuming it knows which that is). > _______________________________________________ > sshmgmt mailing list > sshmgmt@ietf.org > https://www.ietf.org/mailman/listinfo/sshmgmt
- [Sshmgmt] Agent forwarding Simon Josefsson
- Re: [Sshmgmt] Agent forwarding peter
- Re: [Sshmgmt] Agent forwarding Tatu Ylonen