SSH agent confirmation

Friday, December 19th, 2008

I am quite careful about how I use ssh agent forwarding: deciding how much I trust the remote host, only enabling it when needed, and putting my more sensitive keys in separate agents. There is still a risk, because the superuser on the remote machine can connect through your forwarded auth socket and perform key operations with any key the agent holds.

I was thinking how useful it would be to confirm or deny each authentication attempt, and as it turns out ssh-agent already supports this. From ssh-add(1):

    -c      Indicates that added identities should be subject to confirmation
            before being used for authentication.  Confirmation is performed
            by the SSH_ASKPASS program mentioned below.  Successful confirmation
            is signaled by a zero exit status from the SSH_ASKPASS program,
            rather than text entered into the requester.

I use a small wrapper around Xdialog, although any program that can prompt the user and return an exit status will do. In ~/bin/ssh-yesno:

#!/bin/sh
# ssh-agent passes the prompt text as the argument; the exit status of
# Xdialog --yesno (0 for Yes, non-zero for No) is what the agent checks.
Xdialog --wrap --title "ssh-agent" --yesno "$@" 0 0

I also export the environment variable before starting ssh-agent in ~/.xinitrc:

export SSH_ASKPASS="/home/thompsa/bin/ssh-yesno"
eval `ssh-agent -s`
...

Lastly, the keys need to be added with the -c option so that the agent prompts before each use:

ssh-add -c ~/.ssh/id_dsa

Now whenever I (or someone else) try to authenticate with one of the agent's keys, the confirmation dialog pops up, and nothing is signed unless I answer yes.
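As an added example (not the post's own ~/bin/ssh-yesno), here is a fuller SSH_ASKPASS confirmation helper that keeps the same contract the man page describes: ssh-agent runs it with the prompt text as its only argument, exit status 0 approves the key operation and anything else denies it. It uses Xdialog when a display is available, otherwise asks on the terminal, fails closed on anything but an explicit yes, and logs each decision so an unexpected prompt leaves a trace. The function names (reply_to_status, tty_confirm, log_decision) and the syslog tag are my own choices, not part of the original post.

```shell
#!/bin/sh
# Added example: an SSH_ASKPASS confirmation helper for keys loaded with
# `ssh-add -c`. ssh-agent invokes it as: ssh-yesno "<prompt text>".
# Exit 0 = approve the signing operation, non-zero = deny. Nothing is
# written to stdout, since the agent only looks at the exit status.

# Map a typed reply to an exit status. Only an explicit yes approves, so an
# empty line, EOF or a typo denies (fail closed).
reply_to_status() {
    case "$1" in
        y|Y|yes|YES|Yes) return 0 ;;
        *)               return 1 ;;
    esac
}

# Terminal fallback when no X display is present. Reads the answer from the
# controlling tty by default; the second argument lets a test supply a file.
# If there is no readable input source at all, deny.
tty_confirm() {
    prompt=$1
    input=${2:-/dev/tty}
    [ -r "$input" ] || return 1
    printf '%s [y/N] ' "$prompt" >&2
    if ! IFS= read -r answer < "$input"; then
        return 1
    fi
    reply_to_status "$answer"
}

# Record the decision via syslog if logger(1) exists (tag is my own choice).
log_decision() {
    status=$1
    prompt=$2
    if command -v logger >/dev/null 2>&1; then
        if [ "$status" -eq 0 ]; then
            logger -t ssh-yesno "approved: $prompt"
        else
            logger -t ssh-yesno "denied (status $status): $prompt"
        fi
    fi
}

main() {
    prompt=${1:-"Allow use of agent key?"}
    if [ -n "$DISPLAY" ] && command -v Xdialog >/dev/null 2>&1; then
        # Same invocation as the post's wrapper; Xdialog exits 0 on Yes.
        Xdialog --wrap --title "ssh-agent" --yesno "$prompt" 0 0
        status=$?
    else
        tty_confirm "$prompt"
        status=$?
    fi
    log_decision "$status" "$prompt"
    exit "$status"
}

# ssh-agent always passes the prompt as an argument; with no arguments the
# file only defines the functions (e.g. when sourced for testing).
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Install it as ~/bin/ssh-yesno, make it executable, and point SSH_ASKPASS at it exactly as in the .xinitrc snippet above. Because a denial is the default for every path (no tty, EOF, an unrecognised answer), a remote root connecting through the forwarded socket gets a failed signing operation rather than a silent success.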