sean finney on 24 Apr 2004 17:54:02 -0000
hi jeff,

On Sat, Apr 24, 2004 at 09:35:44AM -0400, Jeff Abrahamson wrote:
> I wonder what smith does / has set up on machine-2? So I su to smith
> and then type
>
> $ ps ewx|grep agent|tr ' ' '\n'|grep SSH_|sort -u | awk '{ print "export " $0; }'
>
> The output is some bash lines that I copy and paste into my shell. (I
> could have done an eval, at the expense of already diminishing
> clarity.) This gives me access to smith's existing ssh-agent process.

not completely. you also need the ssh-agent socket, but if you have root
you can usually find that pretty easily too.

> - This argues against using ssh-agent on anything but your own
>   machine where only you have root, or else on networks of
>   machines where root is the same everywhere.

it only argues against *forwarding* ssh-agent past the first hop. if you
have ssh-agent installed, running, and loaded on machine a, you can tell
it to only authenticate from a->b, but not from b->anywhere. from
ssh_agent(5):

     ForwardAgent
             Specifies whether the connection to the authentication agent
             (if any) will be forwarded to the remote machine. The argument
             must be ``yes'' or ``no''. The default is ``no''.

             Agent forwarding should be enabled with caution. Users with
             the ability to bypass file permissions on the remote host (for
             the agent's Unix-domain socket) can access the local agent
             through the forwarded connection. An attacker cannot obtain
             key material from the agent, however they can perform
             operations on the keys that enable them to authenticate using
             the identities loaded into the agent.

> - I'm describing this because I don't think this mechanism is
>   well-known among non-sysadmins and non-security people, which
>   means most people.

i'd agree there.

> - This could be made more slick and harder to notice, no doubt.
>   For example, my first act on machine-2 might be to spawn a
>   subshell so that when I exit I have minimal impact on
>   ~/.history. Etc.
well, hopefully you're not using that key anywhere you don't trust root :)

	sean
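The following is an added example, not part of Jeff's or Sean's message. It turns Jeff's one-liner into a function that parses `ps ewx` output (environment tokens appended after the command) and emits `export` lines for the SSH_* variables of any ssh-agent process, and adds the socket check Sean's reply points out: without read/write access to the agent's Unix-domain socket (or root, which bypasses the mode bits), the exported variables alone get you nothing. The sample `ps` output and the paths in it are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Input format: lines of `ps ewx`, where each process's environment is
# appended to its command line as VAR=value tokens.

# Emit one `export VAR=value` line per SSH_* variable found on lines whose
# command mentions ssh-agent. Reads `ps ewx` output on stdin.
agent_env_from_ps() {
    awk '
        /ssh-agent/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SSH_[A-Z_]+=/) seen[$i] = 1
        }
        END { for (v in seen) print "export " v }
    ' | sort -u
}

# Return 0 if the agent socket at $1 exists, is a socket and is writable by
# the caller, otherwise 1. Root passes this check regardless of the mode
# bits, which is the point of the thread; a forwarded agent on a host where
# you are not root is reachable only while the socket is there.
check_agent_socket() {
    sock=$1
    [ -S "$sock" ] && [ -w "$sock" ]
}

# Constructed sample of `ps ewx` output (not real process data).
SAMPLE_PS='  PID TTY      STAT   TIME COMMAND
 1234 ?        Ss     0:00 ssh-agent -s SSH_AUTH_SOCK=/tmp/ssh-XXXXab12/agent.1233 SSH_AGENT_PID=1234 HOME=/home/smith USER=smith
 1240 pts/1    S+     0:00 bash HOME=/home/smith USER=smith'

# Demo on the constructed sample: prints the two export lines.
printf '%s\n' "$SAMPLE_PS" | agent_env_from_ps
```

To use it against a live host you would pipe `ps ewx` into `agent_env_from_ps`, `eval` the output, and then run `check_agent_socket "$SSH_AUTH_SOCK"` before trying `ssh-add -l`. On a hop where the user's client has `ForwardAgent no` there is no socket on the remote host to find, so the check fails even for root.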