SSHenanigAgents

When using ForwardAgent with SSH, the local ssh-agent can be used to authenticate connections from a remote system (jumphost) to a third. Problems with this are

- that the forwarded connection to the local agent might be abused by root on the remote machine to log in as the legitimate user on still other systems.
- that the agent can hold more keys than the third system will accept, and tries them in a fixed order.

Problem 1 can be mitigated by adding the relevant keys with ssh-add's -c option, so that each use of the keys activates a dialog asking for permission.

Trying to log into a third machine from jumphost and getting the error

    Too many authentication failures

is the result of Problem 2. It happens when there are more than six keys added to the agent, and the relevant key for the third system is not among the first six.

If the agent was used from the local machine, it would be sufficient to add a specific IdentityFile and the IdentitiesOnly yes option. But on the remote system there are no secret keys, because that was the whole point of the agent forwarding. ssh-add -l lists all the keys in the agent, but there seems to be no way to specify which of those to use in ssh third_system.

A workaround that I discovered recently is running a second ssh-agent on its own SSH_AUTH_SOCK, adding the relevant keys for the remote system to just that agent, and forwarding only that agent's socket. It works like this:

    % mkdir /tmp/.another_ssh_sock
    % chmod 700 /tmp/.another_ssh_sock
    % ssh-agent -a /tmp/.another_ssh_sock/sock
    % env SSH_AUTH_SOCK=/tmp/.another_ssh_sock/sock ssh-add -c .ssh/the_key
    % cat << EOF >> .ssh/config
    Host jumphost
        ForwardAgent /tmp/.another_ssh_sock/sock
    EOF

The -a option of ssh-agent lets it listen on the given UNIX socket. ForwardAgent accepts an explicit socket path, which is then the socket forwarded to the remote machine.

If I want to connect directly to the third system from local, I can use the IdentityAgent option in my local .ssh/config to use the non-standard agent:

    Host a_third_system
        IdentityAgent /tmp/.another_ssh_sock/sock

The lack of options to select forwarded keys on the jumphost is a bit disappointing, but the tooling for running alternative agents is good enough for my scenario.
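To tell Problem 2 apart from a plain wrong key before setting up a second agent, it helps to look at where the wanted key sits in the agent's list. The following is an added example, not part of the original post: a small POSIX shell snippet that parses output in the shape ssh-add -l prints (length, fingerprint, comment, type) and reports whether a key, identified by its comment, is within the first N entries the server will accept. The listing is constructed sample data with made-up fingerprints; the threshold of 6 is assumed from sshd's default MaxAuthTries, and the helper assumes key comments without spaces.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a key in the
# forwarded agent will actually be offered before the server gives up.
# ssh offers agent keys in the order `ssh-add -l` lists them, so a key at
# position 7 or later is never reached when the server allows 6 tries.

# Constructed sample of `ssh-add -l` output (fake fingerprints, for illustration).
SAMPLE_AGENT_LIST='256 SHA256:aaaa1111 user@laptop (ED25519)
256 SHA256:bbbb2222 user@jumphost (ED25519)
3072 SHA256:cccc3333 user@git_hosting (RSA)
256 SHA256:dddd4444 user@backup_box (ED25519)
256 SHA256:eeee5555 user@ci_runner (ED25519)
256 SHA256:ffff6666 user@old_vps (ED25519)
256 SHA256:77770000 user@third_system (ED25519)
256 SHA256:88889999 user@nas (ED25519)'

# Assumed default for sshd's MaxAuthTries (this is not read from any server).
DEFAULT_MAX_TRIES=6

# key_count LIST -> number of keys in the agent listing.
key_count() {
    printf '%s\n' "$1" | grep -c .
}

# key_position LIST COMMENT -> 1-based position of the first key whose comment
# (third field) equals COMMENT, or 0 if the agent does not hold such a key.
key_position() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $3 == want { print NR; found = 1; exit }
        END { if (!found) print 0 }'
}

# key_reachable LIST COMMENT [MAXTRIES] -> exit 0 if the key is listed and sits
# within the first MAXTRIES entries, exit 1 otherwise.
key_reachable() {
    pos=$(key_position "$1" "$2")
    max=${3:-$DEFAULT_MAX_TRIES}
    [ "$pos" -ge 1 ] && [ "$pos" -le "$max" ]
}

# diagnose LIST COMMENT -> one-line explanation for a human.
diagnose() {
    pos=$(key_position "$1" "$2")
    if [ "$pos" -eq 0 ]; then
        printf 'key %s is not loaded in this agent\n' "$2"
    elif key_reachable "$1" "$2"; then
        printf 'key %s is at position %s and will be offered\n' "$2" "$pos"
    else
        printf 'key %s is at position %s, beyond %s tries: expect "Too many authentication failures"\n' \
            "$2" "$pos" "$DEFAULT_MAX_TRIES"
    fi
}

# Usage against the constructed listing; with a live agent, pass "$(ssh-add -l)" instead.
diagnose "$SAMPLE_AGENT_LIST" "user@jumphost"
diagnose "$SAMPLE_AGENT_LIST" "user@third_system"
```

Running it on the sample reports user@jumphost at position 2 and user@third_system at position 7, which is exactly the situation where a dedicated agent holding only the third system's key (as set up above) avoids the failure.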
Thu, 13 Jun 2024
[/projects]