I agree with everything except using ssh-agent to forward the key. The reason is that if that one server is compromised, the root user can forward your credentials to any other server that you have access to and, if it is set up the same way, also get root there. If you use a password for sudo authentication on that machine, they have your password but still don't have your credentials to get into the other server. Reference: http://unixwiz.net/techtips/ssh-agent-forwarding.html
Unfortunately it doesn't list the machine that requested it. It's only possible to tell what local process connected to the agent and which username will be authenticated (the packet that the agent signs contains essentially the username and a hash of session secrets; notably absent are the target hostname and the target's public key fingerprint).
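To make concrete what the agent does and does not see when it signs a forwarded request, here is an added example (not written by any commenter here): it builds the publickey userauth blob from RFC 4252 section 7 and parses it back, showing that no hostname or host key is present. The session id, username and key blob are constructed placeholders.

```python
import struct

# SSH wire-format "string": uint32 big-endian length, then the bytes.
def _put_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

SSH_MSG_USERAUTH_REQUEST = 50

def build_userauth_signed_data(session_id, username, key_alg, pubkey_blob):
    """The exact byte string the ssh client hands the agent to sign for
    publickey userauth (RFC 4252 section 7). No hostname, no host key."""
    return (_put_string(session_id)
            + bytes([SSH_MSG_USERAUTH_REQUEST])
            + _put_string(username.encode())
            + _put_string(b"ssh-connection")
            + _put_string(b"publickey")
            + b"\x01"                        # boolean TRUE: signature follows
            + _put_string(key_alg.encode())
            + _put_string(pubkey_blob))

def parse_userauth_signed_data(data: bytes) -> dict:
    """Decode the blob the way an agent (or an auditing wrapper) sees it."""
    pos = 0
    def take_string():
        nonlocal pos
        (n,) = struct.unpack_from(">I", data, pos)
        pos += 4
        s = data[pos:pos + n]
        if len(s) != n:
            raise ValueError("truncated SSH string")
        pos += n
        return s
    fields = {"session_id": take_string()}   # hash of the key exchange, not a hostname
    if data[pos] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not an SSH_MSG_USERAUTH_REQUEST blob")
    pos += 1
    fields["username"] = take_string().decode()
    fields["service"] = take_string().decode()
    fields["method"] = take_string().decode()
    fields["has_signature"] = data[pos] == 1
    pos += 1
    fields["key_alg"] = take_string().decode()
    fields["pubkey_blob"] = take_string()
    if pos != len(data):
        raise ValueError("trailing bytes after public key blob")
    return fields

# Constructed sample: a fake 32-byte session id and a placeholder key blob.
SAMPLE = build_userauth_signed_data(b"\x11" * 32, "deploy", "ssh-ed25519", b"\x00" * 51)

if __name__ == "__main__":
    for k, v in parse_userauth_signed_data(SAMPLE).items():
        print(f"{k:14} {v!r}")
```

An agent that logs or confirms requests can therefore show the username and key, but not which remote host is being logged into.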
You can specify '-c' to require interactive confirmation from the agent before signing the key, but not all ssh agents (GNOME's keyring, for a prominent example) support this, and will silently ignore it.
Finally set this up on my Mac. Found the scripts at https://github.com/TimZehta/mac-ssh-confirm and modified them to my needs. Works pretty well so far, and I believe this should make things a bit more secure.