Date: Fri Feb 24 18:43:15 2006
From: raju at linux-delhi.org (Raj Mathur)
Subject: Tech Tip: An Illustrated Guide to SSH Agent Forwarding

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>>>>> "Andrew" == Andrew McGill <andrew2005@...ge.co.za> writes:

    Andrew> Here's something you missed in the "Cons" section of agent
    Andrew> forwarding:

    Andrew>   lala@...al: ssh-add
    Andrew>   lala@...al: (enter key)
    Andrew>   lala@...al: ssh -A customer

    Andrew>     lala@...tomer: ssh remote

    Andrew>       lala@...ote: sleep 86400

    Andrew> And while you are sleeping: root@...tomer does this:
    Andrew>   export SSH_AUTH_SOCK=`find /tmp -user lala -name 'agent.*' | head -1`
    Andrew>   ssh-copy-id lala@...ote
    Andrew>   ssh-copy-id lala@...al
    Andrew>   ssh-copy-id lala@...ercustomer
    Andrew>   ssh-copy-id lala@...aland

    Andrew> (Oops) (that's a lot easier than subverting ssh to insert
    Andrew> something evil into the stream that will hack into the
    Andrew> remote)

    Andrew> If there are untrusted machines involved you may prefer
    Andrew> this:

    Andrew>   ssh-add -c

    Andrew> Note that ssh-agent does not identify the origin of
    Andrew> requests for authentication (a bug?), so its confirmation
    Andrew> is not fail-safe.

You can also add in the Pros of using key-based authentication:

If you have multiple administrators for a server farm, grant them only
key-based authentication.  Then when an administrator leaves the
company (or is redeployed within the organisation), you only need to
delete her key from authorized_keys and she's immediately locked out
of the servers.  The older method was to change the password on each
server (painful) and communicate the batch of new passwords to the
remaining administrators (insecure).

Regards,

- -- Raju
- -- 
Raj Mathur                raju@...dalaya.org      http://kandalaya.org/
       GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
                      It is the mind that moves
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.8 <http://mailcrypt.sourceforge.net/>

iD8DBQFD/1O1yWjQ78xo0X8RAmSNAJ0SeYBaLi4MTdUalq7bzrgTNR3uDgCdHksG
h9M/d2puAYt6QFqjcvAEaew=
=kBYi
-----END PGP SIGNATURE-----
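Raju's point about key-based authentication is that revoking one administrator means deleting her entry from authorized_keys rather than rotating passwords everywhere. The script below is an added example (not code from this thread or from OpenSSH) of doing that deletion safely: it parses the standard `[options] keytype base64-key [comment]` line format, handles option fields whose quoted values contain commas and spaces, rejects entries whose key blob does not match the declared key type, and matches the entry to remove by its comment or by its SHA256 fingerprint computed the way `ssh-keygen -lf` prints it. The sample file and keys are constructed deterministic bytes, not real keys; the helper names are this example's own.

```python
import base64
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com")


@dataclass(frozen=True)
class AuthorizedKey:
    options: str      # e.g. 'command="...",no-pty'; empty if none
    keytype: str
    fingerprint: str  # "SHA256:..." as ssh-keygen -lf prints it
    comment: str
    raw: str          # the original line, unchanged


def fingerprint_blob(blob: bytes) -> str:
    """SHA256 fingerprint of a decoded public-key blob: base64 of the digest, padding stripped."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def _split_options(line: str) -> tuple[str, str]:
    """Split the leading options field from the rest of the line.

    Quoted option values (command="foo, bar") may contain spaces and commas,
    and \" inside quotes is an escaped quote, so str.split() alone is unsafe.
    """
    in_quote, i = False, 0
    while i < len(line):
        c = line[i]
        if in_quote and c == "\\" and i + 1 < len(line):
            i += 2                       # skip the escaped character
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            return line[:i], line[i:].lstrip()
        i += 1
    return line, ""


def parse_line(line: str) -> Optional[AuthorizedKey]:
    """Parse one authorized_keys line; None for blank lines and '#' comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    if stripped.split(None, 1)[0] in KEY_TYPES:
        options, rest = "", stripped
    else:
        options, rest = _split_options(stripped)
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"unparseable authorized_keys line: {line!r}")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with its own type string; a mismatch means the line was
    # mangled or tampered with, so refuse it rather than guess.
    if len(blob) < 4:
        raise ValueError(f"truncated key blob: {line!r}")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError(f"key blob type does not match {keytype}: {line!r}")
    return AuthorizedKey(options, keytype, fingerprint_blob(blob), comment, line)


def list_keys(text: str) -> list[AuthorizedKey]:
    """Every key entry in file order, for an access audit of who can log in."""
    return [k for k in map(parse_line, text.splitlines()) if k is not None]


def revoke(text: str, *, comment: Optional[str] = None,
           fingerprint: Optional[str] = None) -> tuple[str, list[AuthorizedKey]]:
    """Return (new file text, removed entries); everything else is kept byte-for-byte."""
    if comment is None and fingerprint is None:
        raise ValueError("give a comment or a fingerprint to revoke")
    kept, removed = [], []
    for line in text.splitlines():
        key = parse_line(line)
        if key is not None and ((comment is not None and key.comment == comment)
                                or (fingerprint is not None and key.fingerprint == fingerprint)):
            removed.append(key)
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


# --- constructed sample data: deterministic bytes standing in for keys -------
def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _fake_ed25519(seed: int) -> str:
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes((seed + i) % 256 for i in range(32)))
    return base64.b64encode(blob).decode()


ALICE_KEY, BOB_KEY, CAROL_KEY = _fake_ed25519(1), _fake_ed25519(3), _fake_ed25519(7)
SAMPLE_AUTHORIZED_KEYS = (
    "# constructed sample: ops team access to this server\n"
    f"ssh-ed25519 {ALICE_KEY} alice@ops\n"
    f'command="/usr/local/bin/backup --tag \\"nightly, full\\"",no-pty ssh-ed25519 {BOB_KEY} bob@ops\n'
    "\n"
    f"ssh-ed25519 {CAROL_KEY} carol@ops\n"
)

if __name__ == "__main__":
    new_text, gone = revoke(SAMPLE_AUTHORIZED_KEYS, comment="bob@ops")
    for k in gone:
        print("revoked", k.comment, k.fingerprint)
    print("remaining:", [k.comment for k in list_keys(new_text)])
```

Matching on the whole comment is deliberate: a substring match on "bob" would also remove "bobby@ops", which is exactly the kind of slip that locks out the wrong administrator. When comments are unreliable, revoke by fingerprint instead, which is what `ssh-keygen -lf` gives you from the departing administrator's public key file.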
