| 1 |
On 7/18/22 3:28 AM, J. Roeleveld wrote: |
| 2 |
> Either on the client where the agent is running, but also on the |
| 3 |
> system I connected to. |
| 4 |
|
| 5 |
I have always considered that there is enough sensitive data on the |
| 6 |
client and that there are already enough things running there that I end |
| 7 |
up considering the client a sensitive / secure system as a unit. This |
| 8 |
seems to be especially true with servers hosting automation. But to |
| 9 |
each their own. |
| 10 |
|
| 11 |
As for the security of the forwarded agent, I've generally been okay |
| 12 |
with root on the target system having access to the agent. Especial |
| 13 |
when I have used different key pairs for different destination hosts and |
| 14 |
/ or specify the from stanza in the authorized_keys file. |
| 15 |
|
| 16 |
If you want to, you can specify how long, in seconds, that a key can be |
| 17 |
used in an agent. So if you have a running agent, you can load a key |
| 18 |
and specify that it can be used for up to two seconds. So even if |
| 19 |
someone does compromise the target host and does talk to the agent, the |
| 20 |
agent won't allow the key to be used and will behave as if the key |
| 21 |
wasn't loaded. |
| 22 |
|
| 23 |
You can also lock / unlock the agent on the source side as you see fit. |
| 24 |
Unlock it for authentication, and then immediately re-lock it after |
| 25 |
authenticating. Local commands and / or a local process using ssh |
| 26 |
remote commands makes this more reasonable. |
| 27 |
|
| 28 |
Aside: Backgrounded / multiplexed connections make running multiple |
| 29 |
remote commands on a host a lot more expedient. |
| 30 |
|
| 31 |
1) Log in to the remote host with a background connection. |
| 32 |
2) Run multiple remote commands via "ssh <username>@<hostname> |
| 33 |
<command>" |
| 34 |
3) Log out of the remote host closing the background connection. |
| 35 |
|
| 36 |
The business logic of the script lives on the client and all the |
| 37 |
intermediate commands (#2) avoid the overhead of establishing a |
| 38 |
connection and authenticating again. |
| 39 |
|
| 40 |
> But, I just noticed the following, which is hopeful, but need to read |
| 41 |
> up on this: |
| 42 |
> |
| 43 |
> https://www.openssh.com/agent-restrict.html |
| 44 |
|
| 45 |
Interesting. More reading. |
| 46 |
|
| 47 |
> Agreed, which is why I always stop and think when I see that. |
| 48 |
|
| 49 |
;-) |
| 50 |
|
| 51 |
> Usually the answer is: "Oh, yes, I didn't access this host from my |
| 52 |
> laptop yet". But that is usually after the 2nd or 3rd connection |
| 53 |
> attempt with retyping the hostname and verifying the IP-address that |
| 54 |
> is resolved for it first. |
| 55 |
|
| 56 |
I think I mis-took a previous statement to mean that you did something |
| 57 |
to distribute the contents of the known_hosts file so that re-loads |
| 58 |
would already be known. I guess I misunderstood. |
| 59 |
|
| 60 |
|
| 61 |
|
| 62 |
-- |
| 63 |
Grant. . . . |
| 64 |
unix || die |
Archives