Linux – Forwarding access to a subset of ssh-agent identitites

linuxSecurityssh

I work for two companies (let's call them RedCorp and BlueCorp). They both trust me but they don't trust each other, and I don't want to expose either's secrets to the other.

My laptop's ssh-agent has two private keys, one for access to each company. I can run:

ssh -A redcorp-server1

and access all of redcorp's other servers from there, by virtue of my forwarded agent connection.

Likewise, I can run:

ssh -A bluecorp-server1

and access all of bluecorp's other servers from there.

The problem is that whenever I'm logged into redcorp-server1, the root user there can set his $SSH_AUTH_SOCK to point at my forwarded agent connection, and abuse my other identity to break into BlueCorp.

How can I prevent that?

ssh's IdentitiesOnly option doesn't do what I want. That only controls which key I offer when authenticating to redcorp-server1; it doesn't change the fact that my forwarded agent connection allows an ssh process on redcorp-server1 to authenticate using any of my identities.

The only solution I've found is to run two separate ssh-agents, and only load one key into each of them. That's a huge pain though: There's no way for an ssh_config stanza to specify which of my agents I should use when connecting to a given host. Instead I've had to make shell aliases on my laptop for each of the two corps which point $SSH_AUTH_SOCK to the right agent before running ssh. Also, I use rsync and a dozen other tools which use ssh as a transport, and each of them has to be configured using a different syntax to make it invoke ssh in this special way.

Is there a better way to do this?

Best Answer

I implemented an ssh-agent-filter for myself, use it with:

$ afssh -c id_bluecorp -- server1.bluecorp.com
$ afssh -c id_bluecorp -- server2.bluecorp.com
$ afssh -c id_redcorp -- server42.redcorp.com

It's already in Debian (and Ubuntu).

Related Topic