Mailing List Archive

ability to select which identity to forward when using "ForwardAgent" ?
Hi,

I usually have around 10 identities loaded in my local ssh-agent and when I
use the "ForwardAgent" option all them are forwarded to the remote server,
which is not ideal. I usually only need to forward one (or two) of the
identities and I would like to be able to choose which one(s) to forward.

Looking for solutions it seems that the only option is to create a new
ssh-agent, add the required identities and then do the forwarding as
described in https://serverfault.com/a/1012678 but this is not very
convenient for daily usage mainly when I need to connect to many different
servers and all my private keys are password protected.

I have also found an external tool to do it (
https://github.com/tiwe-de/ssh-agent-filter ) but this tool doesn't seem to
be actively maintained and a native openssh functionality would be
preferred.

Ideally it would be great to be able to add something like this to my
~/.ssh/config ( option "IdentitiesToForward" in this example doesn't exist
and it's what I am missing)

Host myserver
Hostname myserver.com
IdentityFile ~/.ssh/id_ed25519
ForwardAgent yes
IdentitiesToForward ~/.ssh/id_ed25519,~/.ssh/id_rsa

Do you think this feature or any alternative providing similar
functionality could be added to openssh?

Or is there any existing alternative to do it which I missed checking the
docs?

thanks in advance for any help or advice.
best regards,
Pablo.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: ability to select which identity to forward when using "ForwardAgent" ?
On 10/4/20 1:20 PM, Pablo Escobar wrote:
[snip]
> I usually have around 10 identities loaded in my local ssh-agent and when I
> use the "ForwardAgent" option all them are forwarded to the remote server,
> which is not ideal. I usually only need to forward one (or two) of the
> identities and I would like to be able to choose which one(s) to forward.
[snip]

One work-around [1] is to use an alias.

alias assh="ssh-agent ssh -o AddKeysToAgent=confirm \
-o ForwardAgent=yes"

That approach will still respect what's in ssh_config(5) except for the
two options it overrides.

/Lars

[1] https://vincent.bernat.ch/en/blog/2020-safer-ssh-agent-forwarding
Re: ability to select which identity to forward when using "ForwardAgent" ?
On Sun, 4 Oct 2020, Pablo Escobar wrote:

> Hi,
>
> I usually have around 10 identities loaded in my local ssh-agent and when I
> use the "ForwardAgent" option all them are forwarded to the remote server,
> which is not ideal. I usually only need to forward one (or two) of the
> identities and I would like to be able to choose which one(s) to forward.
>
> Looking for solutions it seems that the only option is to create a new
> ssh-agent, add the required identities and then do the forwarding as
> described in https://serverfault.com/a/1012678 but this is not very
> convenient for daily usage mainly when I need to connect to many different
> servers and all my private keys are password protected.
>
> I have also found an external tool to do it (
> https://github.com/tiwe-de/ssh-agent-filter ) but this tool doesn't seem to
> be actively maintained and a native openssh functionality would be
> preferred.
>
> Ideally it would be great to be able to add something like this to my
> ~/.ssh/config ( option "IdentitiesToForward" in this example doesn't exist
> and it's what I am missing)
>
> Host myserver
> Hostname myserver.com
> IdentityFile ~/.ssh/id_ed25519
> ForwardAgent yes
> IdentitiesToForward ~/.ssh/id_ed25519,~/.ssh/id_rsa
>
> Do you think this feature or any alternative providing similar
> functionality could be added to openssh?

Yes, I have been working on better control over what gets forwarded but
not quite what you have here. Generally, I don't want to implement in
ssh fine-grained control over which keys are offered for agent forwarding
because that would force ssh into a much more trusted role in agent key
handling than it currently occupies.

Instead, I have some work-in-progress patches that let ssh-add mark a key
as "local only". These keys may be used for authentication by ssh but are
never forwarded. This lets users separate the two commingled roles of the
agent: 1) a handy way to use private keys without having to type the
passphrase over and over and 2) a repository of keys that you want to
forward to remote hosts.

Patches are attached but be warned that they are likely incomplete :)

-d
Re: ability to select which identity to forward when using "ForwardAgent" ?
On Sun, Oct 4, 2020 at 1:37 PM Lars Noodén <lars.nooden@gmx.com> wrote:

> One work-around [1] is to use an alias.
>
> alias assh="ssh-agent ssh -o AddKeysToAgent=confirm \
> -o ForwardAgent=yes"
>
> That approach will still respect what's in ssh_config(5) except for the
> two options it overrides.
>

Thanks for the suggestion. In a quick test the two drawbacks I found with
this approach are:

1) As I start a new agent I have to type the passwords for my private keys
again even if I already added them to my previously existing agent. When
using a bastion host with a different private key and the ssh option
"ProxyJump" or "ProxyCommand" this means typing two passwords.
2) bash autocomplete is not working when using an alias. I use autocomplete
a lot because I have a few dozen host entries in my ~/.ssh/config

In any case this seems the best alternative and I will use this approach for
now. I only wanted to mention the drawbacks I noticed in case this
information is useful for someone else.

Thanks for your advice.

regards,
Pablo.

Re: ability to select which identity to forward when using "ForwardAgent" ?
On Sun, Oct 4, 2020 at 2:35 PM Damien Miller <djm@mindrot.org> wrote:

> On Sun, 4 Oct 2020, Pablo Escobar wrote:
>
> Instead, I have some work-in-progress patches that let ssh-add mark a key
> as "local only". These keys may be used for authentication by ssh but are
> never forwarded. This lets users separate the two commingled roles of the
> agent: 1) a handy way to use private keys without having to type the
> passphrase over and over and 2) a repository of keys that you want to
> forward to remote hosts.
>
> Patches are attached but be warned that they are likely incomplete :)
>

Thanks for your work on this topic. Indeed this seems a nice alternative
approach.

I don't feel confident enough to test incomplete openssh patches so I will
wait in case this is released at some point. I know it's not polite to ask
for release dates so I won't do it ;) but I will ask...do you expect to get
this patch merged upstream at some moment? I guess the right place to check
if this feature has been released would be
https://www.openssh.com/releasenotes.html , right? Or is there any pull
request somewhere which I can follow?

regards,
Pablo.

Re: ability to select which identity to forward when using "ForwardAgent" ?
On 10/4/20 5:04 PM, Pablo Escobar wrote:
> On Sun, Oct 4, 2020 at 1:37 PM Lars Noodén <lars.nooden@gmx.com> wrote:
>
>> One work-around [1] is to use an alias.
>>
>> alias assh="ssh-agent ssh -o AddKeysToAgent=confirm \
>> -o ForwardAgent=yes"
>>
>> That approach will still respect what's in ssh_config(5) except for the
>> two options it overrides.
>>
>
> Thanks for the suggestion. In a quick test the two drawbacks I found with
> this approach are:
>
> 1) As I start a new agent I have to type the passwords for my private keys
> again even if I already added them to my previously existing agent. When
> using a bastion host with a different private key and the ssh option
> "ProxyJump" or "ProxyCommand" this means typing two passwords.
> 2) bash autocomplete is not working when using an alias. I use autocomplete
> a lot because I have few dozens of hosts entries in my ~/.ssh/config
[snip]
A different work-around would be to script the launching of several
instances of ssh-agent(1), a new one for each destination which uses agent
forwarding, each socket with a unique, pre-decided name designated using
the -a option. That way the sockets would have predictable paths and
the ssh_config(5) entries could thus use the IdentityAgent directive to
point to the relevant socket for each destination.

It's a more complex work-around requiring a little scripting. However,
that way the agents would be more persistent and tab-completion should
continue to work.

/Lars
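One way to script the per-destination agent approach described above, as an added example that is not code from the thread. The socket directory ~/.ssh/agents, the <name>.sock naming and the function names are my assumptions; the IdentityAgent and -a pieces are the ones the post refers to.

```shell
#!/bin/sh
# Added example, not from the thread: one ssh-agent per forwarding destination,
# each bound to a predictable socket (ssh-agent -a) and holding only the keys
# that destination may see, so its ssh_config entry can pick it via IdentityAgent.
# Assumptions: sockets live under ~/.ssh/agents/<name>.sock; function names are mine.

AGENT_DIR="${HOME}/.ssh/agents"

# agent_socket NAME: print the fixed socket path for destination NAME.
agent_socket() {
    printf '%s/%s.sock\n' "$AGENT_DIR" "$1"
}

# agent_alive SOCK: succeed if an agent answers on SOCK.
# ssh-add -l exits 0 (keys listed) or 1 (agent empty); 2 means no agent reachable.
agent_alive() {
    SSH_AUTH_SOCK="$1" ssh-add -l >/dev/null 2>&1
    rc=$?
    [ "$rc" -eq 0 ] || [ "$rc" -eq 1 ]
}

# ensure_agent NAME KEY...: start the agent for NAME if it is not running and
# load exactly the listed keys into it. The passphrase is asked once per agent
# start, not per ssh invocation, and the caller's own SSH_AUTH_SOCK is untouched.
ensure_agent() {
    name=$1; shift
    sock=$(agent_socket "$name")
    mkdir -p "$AGENT_DIR" && chmod 700 "$AGENT_DIR"
    if ! agent_alive "$sock"; then
        rm -f "$sock"                       # a stale socket file would make bind fail
        ssh-agent -a "$sock" >/dev/null     # forks into the background by itself
        # -c: every use of the key (forwarded use included) must be confirmed via
        # ssh-askpass, mirroring AddKeysToAgent=confirm in the alias above.
        SSH_AUTH_SOCK="$sock" ssh-add -c "$@"
    fi
}

# config_stanza NAME HOSTNAME: print the ssh_config entry that ties NAME to its agent.
config_stanza() {
    printf 'Host %s\n    HostName %s\n    IdentityAgent %s\n    ForwardAgent yes\n' \
        "$1" "$2" "$(agent_socket "$1")"
}

# Typical use (once per login; the stanza is appended to ~/.ssh/config once):
#   ensure_agent myserver ~/.ssh/id_ed25519 ~/.ssh/id_rsa
#   config_stanza myserver myserver.com >> ~/.ssh/config
```

Because the socket paths are fixed, tab completion keeps working and the agents outlive any single ssh session; a key never given to a destination's agent cannot be reached through that destination's forwarded socket.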
Re: ability to select which identity to forward when using "ForwardAgent" ?
Pablo Escobar wrote:
> I usually have around 10 identities loaded in my local ssh-agent and when I
> use the "ForwardAgent" option all them are forwarded to the remote server,
> which is not ideal. I usually only need to forward one (or two) of the
> identities and I would like to be able to choose which one(s) to forward.

It may not always be sufficient, but remember that when you use
proxyjump (or equivalent proxycommand) then no agent forwarding is
used; all SSH processes that authenticate execute only locally and
connect directly to your agent.

So agent forwarding is only /required/ when you run interactive shells
on intermediate remote hosts.


//Peter
Re: ability to select which identity to forward when using "ForwardAgent" ?
Do you know the ssh-option "IdentityAgent"?

Look in the man-pages.

In the last few days I wrote some little scripts to automate all this,
inspired by ssh-ident (which you can find on GitHub).
I have to clean up the code from some personalized stuff, then I can send
a GitHub link to this thread, where you can easily define and select which
identities are used for which connections.

I'm working with IdentityAgent and a Match section in ~/.ssh/config


bye

jakob
