[ale] Do *not* use SSH Agent Forwarding if you can help it [was: Re: 300,000 failed login attempts in 6 months!!!]

Pat Regan thehead at patshead.com
Wed Aug 20 22:58:08 EDT 2008


Daniel Kahn Gillmor wrote:
> Agent forwarding is neat-o, and far better than storing private keys
> on a remote host.
> 

Agreed, it means your credentials are only at any risk when you are
connected instead of all the time :).

> But you should *not* be using Agent Forwarding at all if you can avoid
> it: it exposes your agent to the uncertainties of a potentially
> compromised remote host.  That is, if i compromise a host "foo", and
> you connect to "foo" with a forwarded agent (planning to use that to
> connect to host "bar"), i can automatically start making requests of
> your agent (thereby authenticating as you to whoever i want).  You
> don't want that.

I haven't had a need to use agent forwarding in a few years.  I probably
should have mentioned that if you are using agent forwarding, you
shouldn't use it for every connection.  Put the -A on the command line
only if you are going to need it.

> A better approach is to use ProxyCommand hops, so that each connection
> is actually originating from your local machine.
> 
> For example, if the machine "bar" is firewalled away behind "foo", you
> can get to foo from your local machine like this:
> 
>  ssh -oProxyCommand='ssh foo nc %h %p' bar
> 

This is exciting!  This is new to me.  Do you know how new this is?  My
non-exhaustive search of Google didn't seem to turn up pages more than a
year or two old for me.

Pat
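As an added illustration of the advice in this thread (not code from either poster), here is a constructed ~/.ssh/config that reaches "bar" through "foo" with the ProxyCommand hop quoted above, keeps ForwardAgent off by default, and a small shell check that flags any Host block where agent forwarding is still switched on. The hostnames foo, bar and legacy are placeholders, and the hop assumes nc is installed on foo.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# SAMPLE_CONFIG is a constructed ssh_config: "bar" is reached via a
# ProxyCommand hop through "foo" (so the connection originates locally
# and no agent is exposed to foo), forwarding is off by default, and a
# deliberately bad "legacy" block still has ForwardAgent yes.
SAMPLE_CONFIG='
Host bar
    ProxyCommand ssh foo nc %h %p
    ForwardAgent no

Host legacy
    ForwardAgent yes

Host *
    ForwardAgent no
'

# audit_forward_agent: read ssh_config text on stdin and print
# "host=<patterns>" for every Host block whose ForwardAgent is yes.
# ssh_config keywords are case-insensitive, so compare in lower case.
audit_forward_agent() {
    awk '
        tolower($1) == "host" {
            $1 = ""; sub(/^[ \t]+/, ""); host = $0; next
        }
        tolower($1) == "forwardagent" && tolower($2) == "yes" {
            print "host=" host
        }
    '
}

# list_proxy_hops: print "host=<patterns> via=<ProxyCommand>" for every
# Host block that is reached through a ProxyCommand hop.
list_proxy_hops() {
    awk '
        tolower($1) == "host" {
            $1 = ""; sub(/^[ \t]+/, ""); host = $0; next
        }
        tolower($1) == "proxycommand" {
            $1 = ""; sub(/^[ \t]+/, ""); print "host=" host " via=" $0
        }
    '
}

# Stand-alone run: report forwarding-enabled blocks and proxied hosts.
printf '%s\n' "$SAMPLE_CONFIG" | audit_forward_agent
printf '%s\n' "$SAMPLE_CONFIG" | list_proxy_hops
```

Pointing the functions at your real file (`audit_forward_agent < ~/.ssh/config`) gives a quick way to find hosts where -A-style forwarding has been left on permanently.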


