
Re: A question about ssh-agent



Andrei Popescu wrote:
> Paul E Condon wrote:
> > It seems that it is not run when I log into a host using ssh or more
> > exactly its pid is not exported to an ssh login process. Could I add
> > something to the .profile script? 
> 
> Maybe 'ForwardAgent' is what you are looking for. See ssh(1) and 
> ssh_config(5).

Agreed.  Or use 'ssh -A' to try it first.  But note carefully the
warning in the documentation.

     -A      Enables forwarding of the authentication agent connection.  This
             can also be specified on a per-host basis in a configuration
             file.

             Agent forwarding should be enabled with caution.  Users with the
             ability to bypass file permissions on the remote host (for the
             agent's UNIX-domain socket) can access the local agent through
             the forwarded connection.  An attacker cannot obtain key material
             from the agent, however they can perform operations on the keys
             that enable them to authenticate using the identities loaded into
             the agent.

Let me interpret.  You sit on your desktop.  You log into a remote
host.  By adding 'ssh -A' (or ForwardAgent) your ssh-agent from your
desktop will be forwarded over the ssh tunnel to this host.  Any
further ssh connections will daisy chain back to your desktop's
agent.  If you keep adding -A you can push this agent forwarding as
far as you want through as many hops as you want.

But here is the danger.  Root on those machines will also have access
to your agent.  Root on those machines may use your agent to log into
any site that you have access to using your agent.  This is because
the unix filesystem permissions are used to protect the unix domain
socket (which is simply a file, a special file).  See this:

  $ ls -ld $SSH_AUTH_SOCK
  srw------- 1 rwp rwp 0 Jan 29 13:35 /tmp/ssh-oxkwSE1955/agent.1955

The unix filesystem permissions keep users other than yourself from
accessing that connection.  But the root superuser has no such
restriction.

If I were to log into your machine and forward my agent, that would
mean that you, as root on your system, could attach to my agent and then
use my agent to log back into any of my server machines.  Or use it to
connect to another, different set of third party machines.  Anything my
agent has access to, the root user on the remote machine also has
access to.

That is why forwarding should be done with caution.  It isn't a "don't
ever do it."  It is an "understand what it is doing before doing it."

There are some cool techniques that can be used to mitigate the risk
in certain situations.  Using 'keychain' for example and creating a
local lan use key on the remote machine.

Bob
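The two points Bob makes above (the only thing between another user and
your forwarded agent is the mode of a socket file, and the exposure
daisy-chains through every hop you add -A to) can be checked from a
script.  The following is an added example written for this page, not
code from the original post or from OpenSSH.  It creates a throwaway
UNIX-domain socket in a private directory to stand in for the agent
socket (the real path comes from $SSH_AUTH_SOCK when run directly),
audits its permissions the way ssh-agent sets them up, models which hops
of a chain end up with access to the desktop's agent, and writes the
per-host ForwardAgent config that ssh_config(5) describes.  The host
names bastion, app1 and db are made up for the illustration.

```python
import os
import socket
import stat
import tempfile


def audit_agent_socket(path, uid=None):
    """Check the filesystem protection on an ssh-agent socket.

    Returns a list of findings; an empty list means the socket looks like
    what ssh-agent creates: a socket, owned by you, mode 0600, inside a
    directory that is private to you.  None of these bits stop root; they
    are what keeps *other unprivileged users* off the agent.
    """
    uid = os.getuid() if uid is None else uid
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["%s does not exist (is ssh-agent running and SSH_AUTH_SOCK set?)" % path]

    if not stat.S_ISSOCK(st.st_mode):
        findings.append("not a UNIX-domain socket")
    if st.st_uid != uid:
        findings.append("owned by uid %d, not uid %d" % (st.st_uid, uid))
    if st.st_mode & 0o077:
        findings.append("group/other bits set on socket (mode %o)" % (st.st_mode & 0o777))

    # ssh-agent keeps the socket inside a private 0700 directory, because
    # unix(7) notes that not every kernel enforces the permission bits on
    # the socket file itself; check the directory the same way.
    pst = os.stat(os.path.dirname(os.path.abspath(path)))
    if pst.st_uid != uid or pst.st_mode & 0o077:
        findings.append("containing directory is not private to uid %d" % uid)
    return findings


def agent_reachable_on(hops):
    """Model the daisy chain.

    hops is a list of (host, forwarded) pairs in the order you ssh through
    them; forwarded is True when the connection *into* that host used -A
    (or ForwardAgent yes).  Returns the hosts whose root user can reach the
    desktop's agent.  The chain breaks at the first hop without -A: a later
    hop cannot forward an agent that never arrived.
    """
    exposed = []
    have_agent = True  # the desktop itself runs the agent
    for host, forwarded in hops:
        have_agent = have_agent and forwarded
        if have_agent:
            exposed.append(host)
    return exposed


def ssh_config_snippet(trusted_hosts):
    """Emit the per-host form of ForwardAgent from ssh_config(5).

    ssh_config uses the first matching value, so the specific Host blocks
    must come before the catch-all.  ForwardAgent no is already OpenSSH's
    default; spelling it out documents the decision.
    """
    lines = ["# hosts whose root user you are willing to trust with your agent"]
    for host in trusted_hosts:
        lines += ["Host %s" % host, "    ForwardAgent yes", ""]
    lines += ["# everything else: no forwarding", "Host *", "    ForwardAgent no"]
    return "\n".join(lines) + "\n"


def run_demo():
    """Bind a stand-in socket like ssh-agent does and audit it twice:
    once with the tight 0600 mode ssh-agent uses, once loosened to 0666
    as a hypothetical misconfiguration.  Returns both finding lists."""
    directory = tempfile.mkdtemp(prefix="ssh-demo-")  # mkdtemp uses mode 0700
    path = os.path.join(directory, "agent.%d" % os.getpid())
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)          # creates the socket file, as ssh-agent would
        os.chmod(path, 0o600)
        tight = audit_agent_socket(path)
        os.chmod(path, 0o666)   # constructed bad case: any local user may connect
        loose = audit_agent_socket(path)
    finally:
        srv.close()
        os.unlink(path)
        os.rmdir(directory)
    return tight, loose


if __name__ == "__main__":
    real = os.environ.get("SSH_AUTH_SOCK")
    if real:
        print("SSH_AUTH_SOCK:", real, audit_agent_socket(real) or "ok")
    print("demo:", run_demo())
    print("exposed:", agent_reachable_on([("bastion", True), ("app1", True), ("db", False)]))
    print(ssh_config_snippet(["bastion"]))
```

Running it on a desktop with an agent started by ssh-agent(1) should
report "ok" for $SSH_AUTH_SOCK; the demo's second audit shows the single
finding that matters to other unprivileged users, and the chain model
shows db (reached without -A) never getting the agent.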
