Ssh – How to activate ssh-agent confirmation in MacOSX Leopard

agentforwardingmac-osxssh

I have a MacBook with MacOSX Leopard (10.6.2) and I use it to connect to some servers (their O.S. is Debian Lenny) using SSH. I use RSA keys to login to server A, and from there I "bounce" to other servers B, C and D. I have activated agent forwarding in my laptop's .ssh/config for server A in order to be able to connect to A and then "bounce" from A to B, C or D without having to type my password every time. It works fine.

But I read that agent forwarding has one security flaw: if a hacker gets root access on server A, he will be able to hijack the agent forwarding mechanism and connect to servers B, C and D without any password.

Apparently, one solution is to use ssh-add's -c option: it is supposed to ask me for confirmation every time server A wants to use my RSA key. But for some reason, it fails:

miniquark@mylaptop:~$ ssh-add -c
Enter passphrase for /Users/miniquark/.ssh/id_rsa: 
Identity added: /Users/miniquark/.ssh/id_rsa (/Users/miniquark/.ssh/id_rsa)
The user has to confirm each use of the key
miniquark@mylaptop:~$ ssh serverA
Agent admitted failure to sign using the key.
miniquark@serverA's password:

Normally, I don't need to launch ssh-add manually, since MacOSX does it for me automatically when I launch an ssh connection that requires an RSA key. So perhaps the solution would be to configure MacOSX to launch ssh-add with the -c option. Unfortunately, I just cannot find that option.

If you have any other idea that would protect me from agent forwarding hijacking, I would be very grateful.

Thank you.

Best Answer

The agent tries to run a helper program to prompt. On OS X this is not in place by default, so you'll need to provide one (at /usr/libexec/ssh-askpass). I'm currently using one similar to this:

#! /bin/sh  

#  
# An SSH_ASKPASS command for MacOS X  
#  
# Based on script by Joseph Mocker, Sun Microsystems


TITLE=${MACOS_ASKPASS_TITLE:-"SSH Agent"}  

DIALOG="display dialog \"$@\" buttons {\"Deny\", \"Allow\"} default button 2"
DIALOG="$DIALOG with title \"$TITLE\" with icon caution"  

result=`osascript -e 'tell application "Terminal"' -e "$DIALOG" -e 'end tell'`  

if [ "$result" = "button returned:Allow" ]; then
    exit 0 
else  
    exit 1  
fi

Related Solutions

Ssh-agent forwarding and sudo to another user

As you mentioned, the environment variables are removed by sudo, for security reasons.

But fortunately sudo is quite configurable: you can tell it precisely which environment variables you want to keep thanks to the env_keep configuration option in /etc/sudoers.

For agent forwarding, you need to keep the SSH_AUTH_SOCK environment variable. To do so, simply edit your /etc/sudoers configuration file (always using visudo) and set the env_keep option to the appropriate users. If you want this option to be set for all users, use the Defaults line like this:

Defaults    env_keep+=SSH_AUTH_SOCK

man sudoers for more details.

You should now be able to do something like this (provided user1's public key is present in ~/.ssh/authorized_keys in user1@serverA and user2@serverB, and serverA's /etc/sudoers file is setup as indicated above):

user1@mymachine> eval `ssh-agent`  # starts ssh-agent
user1@mymachine> ssh-add           # add user1's key to agent (requires pwd)
user1@mymachine> ssh -A serverA    # no pwd required + agent forwarding activated
user1@serverA> sudo su - user2     # sudo keeps agent forwarding active :-)
user2@serverA> ssh serverB         # goto user2@serverB w/o typing pwd again...
user2@serverB>                     # ...because forwarding still works

Ssh – How to automate SSH login with password

Don't use a password. Generate a passphrase-less SSH key and push it to your VM.

If you already have an SSH key, you can skip this step… Just hit Enter for the key and both passphrases:

$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.

Copy your keys to the target server:

$ ssh-copy-id id@server
id@server's password:

Now try logging into the machine, with ssh 'id@server', and check-in:

.ssh/authorized_keys

Note: If you don't have .ssh dir and authorized_keys file, you need to create it first

to make sure we haven’t added extra keys that you weren’t expecting.

Finally, check to log in…

$ ssh id@server

id@server:~$

You may also want to look into using ssh-agent if you want to try keeping your keys protected with a passphrase.

Best Answer

Related Solutions

Ssh-agent forwarding and sudo to another user

Ssh – How to automate SSH login with password

Related Topic