
I have a MacBook with MacOSX Leopard (10.6.2) and I use it to connect to some servers (their O.S. is Debian Lenny) using SSH. I use RSA keys to login to server A, and from there I "bounce" to other servers B, C and D. I have activated agent forwarding in my laptop's .ssh/config for server A in order to be able to connect to A and then "bounce" from A to B, C or D without having to type my password every time. It works fine.

But I read that agent forwarding has one security flaw: if a hacker gets root access on server A, he will be able to hijack the agent forwarding mechanism and connect to servers B, C and D without any password.

Apparently, one solution is to use ssh-add's -c option: it is supposed to ask me for confirmation every time server A wants to use my RSA key. But for some reason, it fails:

miniquark@mylaptop:~$ ssh-add -c
Enter passphrase for /Users/miniquark/.ssh/id_rsa: 
Identity added: /Users/miniquark/.ssh/id_rsa (/Users/miniquark/.ssh/id_rsa)
The user has to confirm each use of the key
miniquark@mylaptop:~$ ssh serverA
Agent admitted failure to sign using the key.
miniquark@serverA's password: 

Normally, I don't need to launch ssh-add manually, since MacOSX does it for me automatically when I launch an ssh connection that requires an RSA key. So perhaps the solution would be to configure MacOSX to launch ssh-add with the -c option. Unfortunately, I just cannot find that option.

If you have any other idea that would protect me from agent forwarding hijacking, I would be very grateful.

Thank you.

MiniQuark
  • Why not just open a session to each target machine? That way you can have each connection in its own Terminal tab and avoid the security issue altogether. – John Gardeniers Feb 15 '10 at 12:19
  • 1
    I understand your point, but the problem is that I need to run some commands on server A which connect to servers B, C and D (backups, log comparisons...). Also, servers B, C and D are not on the Internet: I have to go through server A to reach them (for security reasons). – MiniQuark Feb 15 '10 at 14:10
  • If machine A is rooted, I wouldn't say the 'visitor' abusing your ssh-agent is the biggest problem. (Also, s/highjack/hijack/g) – user1686 Feb 15 '10 at 20:49
  • Yes, if A is rooted, things are pretty bad. Perhaps you're right, and it's a bit overkill to try and configure agent forwarding confirmation on my MacBook. But if it's as simple as adding a line or two in some hidden configuration file, it probably won't hurt. I was just hoping someone knew how to make it work on MacOSX (knowing that it works fine in Debian Lenny). Anyway, thanks for the insight, and for the spelling hint. ;-) – MiniQuark Feb 15 '10 at 22:12

2 Answers


The agent tries to run a helper program to prompt. On OS X this is not in place by default, so you'll need to provide one (at /usr/libexec/ssh-askpass). I'm currently using one similar to this:

#! /bin/sh

#
# An SSH_ASKPASS command for MacOS X
#
# Based on script by Joseph Mocker, Sun Microsystems
#
# ssh-agent runs this helper (only when DISPLAY is set in the agent's
# environment) with the confirmation prompt as its argument and reads
# the exit status: 0 allows the signature, anything else denies it.

TITLE=${MACOS_ASKPASS_TITLE:-"SSH Agent"}

# $* joins every argument into one word; "$@" inside a larger string is
# split into several words when the prompt contains more than one.
DIALOG="display dialog \"$*\" buttons {\"Deny\", \"Allow\"} default button 2"
DIALOG="$DIALOG with title \"$TITLE\" with icon caution"

result=`osascript -e 'tell application "Terminal"' -e "$DIALOG" -e 'end tell'`

if [ "$result" = "button returned:Allow" ]; then
    exit 0
else
    exit 1
fi
Jeremy M
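As an added example (mine, not Jeremy M's helper or anything from OpenSSH), the same ssh-askpass contract written so that the prompt is escaped before it is spliced into the AppleScript source and so that Return denies rather than allows; the function names askpass_escape, askpass_script and askpass_dialog are my own, and the agent's contract assumed here is: prompt passed as the argument, exit status 0 means allow.

```shell
#!/bin/sh
# Added example: a testable askpass helper for ssh-add -c confirmation.
# Assumptions (not from the original answer): ssh-agent invokes the
# helper named by SSH_ASKPASS (or /usr/libexec/ssh-askpass) with the
# confirmation prompt as its argument and treats exit 0 as "allow".

# Escape backslashes and double quotes so a prompt such as
# 'Allow use of key "/Users/me/.ssh/id_rsa"?' cannot break out of the
# AppleScript string literal it is placed in.
askpass_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Build the AppleScript for one prompt and print it, so the text can be
# checked without opening a dialog. Default button 1 is "Deny": hitting
# Return by reflex must not authorise a signature.
askpass_script() {
    _title=${MACOS_ASKPASS_TITLE:-"SSH Agent"}
    printf 'display dialog "%s" buttons {"Deny", "Allow"} default button 1 with title "%s" with icon caution' \
        "$(askpass_escape "$1")" "$(askpass_escape "$_title")"
}

# Show the dialog; the function's exit status is the decision the agent
# reads (0 = allow, 1 = deny or dialog dismissed).
askpass_dialog() {
    _result=$(osascript -e 'tell application "Terminal"' \
                        -e "$(askpass_script "$1")" -e 'end tell')
    [ "$_result" = "button returned:Allow" ]
}

# When installed as /usr/libexec/ssh-askpass, the agent supplies the
# prompt as arguments; with no arguments the file only defines functions.
if [ "$#" -gt 0 ]; then
    askpass_dialog "$*"
fi
```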

Read this page http://jcs.org/notaweblog/2011/04/19/making_openssh_on_mac_os_x_more_secure/ for Joshua Stein's solution

huyz