- ssh-agent security questions
November 18, 2004, 6:12 pm
and off. I have made an effort over time to configure all of the
machines that I regularly log in to with RsaAuthentication using my dsa
key. The SecureCRT client has, and I use, a key-agent. Recently I
have been reading that there are situations where running ssh-key
agent on non-trusted machines is a security risk and those discussions
have prompted me to ask the following question:
What security implications are there to running ssh-agent on my
trusted machine where I am connecting to trusted and non-trusted
machines on the network?
By connecting to a non-trusted machine, using my normal public key for
authentication and running ssh-agent, do I put my private key at risk
to a blackhat system operator? Is there a way that he could, by
reading the memory of his machine, gain access to my private key?
SecureCRT does not provide a mechanism to use ssh-agent for one
connection and not use it for another. I have tested connecting to
the non-trusted machines with both rsa-authentication and password
authentication and found that the key forwarding works in both cases.
Does this mean that my private key is "cached" on the remote
non-trusted machine or is the 2nd leg authentication handled through a
secure communication process back to my trusted client machine?
Thanks for any input.
- Richard E. Silverman
November 19, 2004, 7:01 am
Re: ssh-agent security questions
ekb> By connecting to a non-trusted machine, using my normal public
ekb> key for authentication and running ssh-agent, do I put my private
ekb> key at risk to a blackhat system operator? Is there a way that
ekb> he could, by reading the memory of his machine, gain access to my
ekb> private key?
Not directly, no. The agent never gives out private keys; the agent
protocol does not include such a request. It accepts requests like, "sign
this data with key foo," or "encrypt this data with key bar."
However, there are risks. Agent forwarding to a compromised host puts the
use of your private key at the disposal of an attacker for the duration of
the connection. He could connect to another host to which you have access
via public-key authentication. It should not give him the means to make
later connections, though, since the SSH userauth protocol is designed to
guarantee liveness; it requires the client to sign unpredictable data
which are bound to the current connection. Also, access to the agent
would allow chosen-plaintext attacks on your key.
Some agents have the feature of prompting the user each time a key is used
by some agent forwarding client (e.g. the OpenSSH agent with "ssh-add
-c"). This is a good feature to use if you're worried about agent
ekb> I have tested connecting to the non-trusted machines with both
ekb> rsa-authentication and password authentication and found that the
ekb> key forwarding works in both cases.
Agent forwarding is entirely separate from user authentication.
ekb> Does this mean that my private key is "cached" on the remote
ekb> non-trusted machine or is the 2nd leg authentication handled
ekb> through a secure communication process back to my trusted client
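
Added example, not part of either post above: a Python sketch of what a forwarded agent is actually asked to do during public-key authentication. It assumes the publickey signature layout of RFC 4252 section 7 and the OpenSSH agent sign-request framing; the function names, key blob, user name and session identifiers are constructed for illustration. Decoding the request shows that the data to be signed begins with the session identifier of one specific connection, and that the request carries data to sign, never a request for the private key.

```python
import struct

SSH_AGENTC_SIGN_REQUEST = 13    # agent request: "sign this data with key X"
SSH_MSG_USERAUTH_REQUEST = 50   # RFC 4252 message number

def ssh_string(b):
    return struct.pack(">I", len(b)) + b

def read_string(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    end = off + 4 + struct.unpack_from(">I", buf, off)[0]
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:end], end

def userauth_blob(session_id, user, key_alg, key_blob):
    # Data the client signs for publickey auth (RFC 4252, section 7).
    return (ssh_string(session_id) + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user) + ssh_string(b"ssh-connection")
            + ssh_string(b"publickey") + b"\x01"
            + ssh_string(key_alg) + ssh_string(key_blob))

def sign_request(key_blob, data, flags=0):
    body = (bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(key_blob)
            + ssh_string(data) + struct.pack(">I", flags))
    return ssh_string(body)

def describe_sign_request(msg):
    # Decode one framed sign request; report what the signature would authorize.
    body, end = read_string(msg, 0)
    if end != len(msg) or body[:1] != bytes([SSH_AGENTC_SIGN_REQUEST]):
        raise ValueError("not a single sign request")
    key_blob, off = read_string(body, 1)
    data, _ = read_string(body, off)
    session_id, p = read_string(data, 0)
    if data[p:p + 1] != bytes([SSH_MSG_USERAUTH_REQUEST]):
        raise ValueError("signed data is not a userauth request")
    user, p = read_string(data, p + 1)
    service, p = read_string(data, p)
    method, _ = read_string(data, p)
    return {"session_id": session_id.hex(), "user": user.decode(),
            "service": service.decode(), "method": method.decode()}

# Constructed sample values: two connections, same key and user.
KEY = b"constructed-public-key-blob"
REQ_A = sign_request(KEY, userauth_blob(b"\xaa" * 20, b"alice", b"ssh-dss", KEY))
REQ_B = sign_request(KEY, userauth_blob(b"\xbb" * 20, b"alice", b"ssh-dss", KEY))

if __name__ == "__main__":
    print(describe_sign_request(REQ_A))
    print(describe_sign_request(REQ_B))
```

The two requests differ only in the session identifier, so a signature produced for one connection does not match the data the server checks on another.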