1 |
On 7/18/22 3:28 AM, J. Roeleveld wrote: |
2 |
> Either on the client where the agent is running, but also on the |
3 |
> system I connected to. |
4 |
|
5 |
I have always considered that there is enough sensitive data on the |
6 |
client and that there are already enough things running there that I end |
7 |
up considering the client a sensitive / secure system as a unit. This |
8 |
seems to be especially true with servers hosting automation. But to |
9 |
each their own. |
10 |
|
11 |
As for the security of the forwarded agent, I've generally been okay |
12 |
with root on the target system having access to the agent. Especial |
13 |
when I have used different key pairs for different destination hosts and |
14 |
/ or specify the from stanza in the authorized_keys file. |
15 |
|
16 |
If you want to, you can specify how long, in seconds, that a key can be |
17 |
used in an agent. So if you have a running agent, you can load a key |
18 |
and specify that it can be used for up to two seconds. So even if |
19 |
someone does compromise the target host and does talk to the agent, the |
20 |
agent won't allow the key to be used and will behave as if the key |
21 |
wasn't loaded. |
22 |
|
23 |
You can also lock / unlock the agent on the source side as you see fit. |
24 |
Unlock it for authentication, and then immediately re-lock it after |
25 |
authenticating. Local commands and / or a local process using ssh |
26 |
remote commands makes this more reasonable. |
27 |
|
28 |
Aside: Backgrounded / multiplexed connections make running multiple |
29 |
remote commands on a host a lot more expedient. |
30 |
|
31 |
1) Log in to the remote host with a background connection. |
32 |
2) Run multiple remote commands via "ssh <username>@<hostname> |
33 |
<command>" |
34 |
3) Log out of the remote host closing the background connection. |
35 |
|
36 |
The business logic of the script lives on the client and all the |
37 |
intermediate commands (#2) avoid the overhead of establishing a |
38 |
connection and authenticating again. |
39 |
|
40 |
> But, I just noticed the following, which is hopeful, but need to read |
41 |
> up on this: |
42 |
> |
43 |
> https://www.openssh.com/agent-restrict.html |
44 |
|
45 |
Interesting. More reading. |
46 |
|
47 |
> Agreed, which is why I always stop and think when I see that. |
48 |
|
49 |
;-) |
50 |
|
51 |
> Usually the answer is: "Oh, yes, I didn't access this host from my |
52 |
> laptop yet". But that is usually after the 2nd or 3rd connection |
53 |
> attempt with retyping the hostname and verifying the IP-address that |
54 |
> is resolved for it first. |
55 |
|
56 |
I think I mis-took a previous statement to mean that you did something |
57 |
to distribute the contents of the known_hosts file so that re-loads |
58 |
would already be known. I guess I misunderstood. |
59 |
|
60 |
|
61 |
|
62 |
-- |
63 |
Grant. . . . |
64 |
unix || die |