[ale] Do *not* use SSH Agent Forwarding if you can help it [was: Re: 300,000 failed login attempts in 6 months!!!]
Pat Regan
thehead at patshead.com
Wed Aug 20 22:58:08 EDT 2008
Daniel Kahn Gillmor wrote:
> Agent forwarding is neat-o, and far better than storing private keys
> on a remote host.
>
Agreed, it means your credentials are only at any risk when you are
connected instead of all the time :).
> But you should *not* be using Agent Forwarding at all if you can avoid
> it: it exposes your agent to the uncertainties of a potentially
> compromised remote host. That is, if i compromise a host "foo", and
> you connect to "foo" with a forwarded agent (planning to use that to
> connect to host "bar"), i can automatically start making requests of
> your agent (thereby authenticating as you to whoever i want). You
> don't want that.
I haven't had a need to use agent forwarding in a few years. I probably
should have mentioned that if you are using agent forwarding, you
shouldn't use it for every connection. Put the -A on the command line
only if you are going to need it.
> A better approach is to use ProxyCommand hops, so that each connection
> is actually originating from your local machine.
>
> For example, if the machine "bar" is firewalled away behind "foo", you
> can get to foo from your local machine like this:
>
> ssh -oProxyCommand='ssh foo nc %h %p' bar
>
This is exciting! This is new to me. Do you know how new this is? My
non-exhaustive search of Google didn't seem to turn up pages more than a
year or two old for me.
Pat
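The two points in the exchange above (keep ForwardAgent off by default, and reach a firewalled host through a hop that still originates on your own machine) in worked form. This is an added example, not code from the thread or from either poster; the host names "foo" and "bar" are Daniel's, while "foo.example.net", the "needs-agent" host alias and both config fragments are constructed for illustration. The `%h` and `%p` tokens are OpenSSH's own ProxyCommand substitutions for the target host and port.

```shell
#!/bin/sh
# Added example (not from the ALE thread). Hosts "foo" (bastion) and "bar"
# (behind foo) come from the message above; everything else is constructed.

# Expand the two ProxyCommand tokens used in the thread (%h = target host,
# %p = target port) the way ssh does before handing the string to the shell.
expand_proxy() {
    # $1 = ProxyCommand template, $2 = target host, $3 = target port
    printf '%s\n' "$1" | sed -e "s/%h/$2/g" -e "s/%p/$3/g"
}

# Hardened ssh_config fragment: "bar" is reached by running "nc" on foo,
# so the SSH session to bar is still negotiated end to end from this
# machine and foo never sees the agent. Agent forwarding is enabled for
# the one (constructed) host that really needs it and off for all others.
# ssh_config is first-match, so the catch-all "Host *" block goes LAST;
# if it came first, its ForwardAgent setting would win for every host.
hardened_config() {
    cat <<'EOF'
Host bar
    ProxyCommand ssh foo nc %h %p

Host needs-agent
    HostName foo.example.net
    ForwardAgent yes

Host *
    ForwardAgent no
EOF
}

# Constructed "weak" config of the kind the thread warns against: every
# host you connect to gets to make requests of your agent.
weak_config() {
    cat <<'EOF'
Host *
    ForwardAgent yes
EOF
}

# Check: does a config (on stdin) turn agent forwarding on for every host?
# Exit status 0 (shell "true") if "ForwardAgent yes" appears under "Host *".
global_agent_forwarding() {
    awk '
        tolower($1) == "host" { global = ($2 == "*") }
        tolower($1) == "forwardagent" && tolower($2) == "yes" && global { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Demo: the command ssh really runs for "ssh bar" with the config above.
expand_proxy 'ssh foo nc %h %p' bar 22

# Demo: audit both fragments.
if weak_config | global_agent_forwarding; then
    echo "weak config: agent forwarded to every host"
fi
if ! hardened_config | global_agent_forwarding; then
    echo "hardened config: no global ForwardAgent"
fi
```

Run the check against your own config with `global_agent_forwarding < ~/.ssh/config`. Two later additions to OpenSSH make the hop easier: from 5.4 (2010) `ProxyCommand ssh -W %h:%p foo` needs no `nc` on the bastion, and from 7.3 (2016) `ProxyJump foo` (or `ssh -J foo bar`) does the same in one directive. In all three forms bar's host key is checked locally, so a compromised foo can refuse to relay but cannot impersonate bar or reach your agent.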