IBM developerWorks: OpenSSH key management, Part 3 (Agent forwarding and keychain improvements)

“In my last article, I spent some time discussing
the security benefits and tradeoffs of running ssh-agent. A few
days after the second article appeared on developerWorks, I
received an e-mail from Charles Karney of Sarnoff Corporation, who
politely informed me of OpenSSH’s new authentication agent
forwarding abilities, which we’ll take a look at in a bit. In
addition, Charles emphasized that running ssh-agent on untrusted
machines is quite dangerous: if someone manages to get root access
on the system, then your decrypted keys can be extracted from
ssh-agent. Even though extracting the keys would be somewhat
difficult, it is within the skill of professional crackers. And the
mere fact that private key theft is possible means that we should
take steps to guard against it happening in the first place.

To formulate a strategy to protect our private keys, we must
first put the machines we access into one of two categories. If a
particular host is well-secured or isolated — making a successful
root exploit against it quite unlikely — then that machine should
be considered a trusted host. If, however, a machine is used by
many other people or you have some doubts about the security of the
system, then the machine should be considered an untrusted host. To
guard your private keys against extraction, ssh-agent (and thus
keychain) should never be run on an untrusted host. That way, even
if the system’s security is compromised, there will be no ssh-agent
around for the intruder to extract keys from in the first
place.

However, this creates a problem. If you can’t run ssh-agent on
untrusted hosts, then how do you establish secure, passwordless ssh
connections from these systems? The answer is to only use ssh-agent
and keychain on trusted hosts, and to use OpenSSH’s new
authentication forwarding abilities to extend passwordless
authentication to any untrusted hosts. In a nutshell,
authentication forwarding works by allowing remote ssh sessions to
contact an ssh-agent running on a trusted system.”
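One way to apply the trusted/untrusted split described above on the client side is to let the agent be forwarded only to hosts you have classified as trusted, and to refuse it everywhere else. The following ~/.ssh/config fragment is an added example, not taken from the developerWorks article or from OpenSSH's own documentation; the host name trusted.example.com is a placeholder for a machine you consider trusted.

```sshconfig
# ~/.ssh/config on the trusted workstation where ssh-agent (or keychain) runs.
# Added example; the host name below is a placeholder.

# Default for every destination: do not hand the agent socket to the remote side.
# An untrusted host never gets a path back to the agent, so a compromise there
# finds nothing to forward.
Host *
    ForwardAgent no

# Hosts you classify as trusted may reach the local agent for the duration of
# the session. The agent socket is forwarded; the private keys themselves
# stay on the workstation.
Host trusted.example.com
    ForwardAgent yes
```

Load the keys with `ssh-add -c` rather than plain `ssh-add`: each identity added that way must be confirmed on the workstation before it is used for a signature, so an authentication request arriving over a forwarded connection produces a visible prompt instead of succeeding silently. The ssh(1) manual's own caveat is the reason the default above is `no`: anyone able to bypass file permissions on the remote host can use the forwarded agent for as long as the connection is open, even though they cannot read the keys out of it.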
