SSH agent confirmation

I am quite careful about how I use ssh agent forwarding: deciding how much I trust the remote host, only enabling it when needed, and keeping my more sensitive keys in separate agents. There is still a risk, since the superuser on the remote machine can connect to your forwarded agent socket and perform key operations with your keys.

I was thinking to myself how great it would be if I could confirm or deny each authentication attempt, and as it turns out ssh-agent already supports this. From ssh-add(1):

-c      Indicates that added identities should be subject to confirmation
        before being used for authentication.  Confirmation is performed
        by the SSH_ASKPASS program mentioned below.  Successful confirmation
        is signaled by a zero exit status from the SSH_ASKPASS program,
        rather than text entered into the requester.

This requires a small wrapper to use Xdialog, although any program that can show a prompt and return an exit status can be used. In ~/bin/ssh-yesno:

#!/bin/sh
# ssh-agent passes the confirmation prompt as the argument; exit status 0 (Yes) allows the key use, anything else denies it.
Xdialog --wrap --title "ssh-agent" --yesno "$@" 0 0

I also exported the environment variable above the ssh-agent line in ~/.xinitrc, so the agent picks it up when it starts:

export SSH_ASKPASS="/home/thompsa/bin/ssh-yesno"
eval `ssh-agent -s`
...

Lastly, the keys need to be added with the -c option in order to prompt:
ssh-add -c ~/.ssh/id_dsa

Now when I (or someone else) try to authenticate using the agent's keys, the confirmation dialog pops up.
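As an added example, not the post's own script, here is a variant of the SSH_ASKPASS wrapper that records every confirmation request in a log and denies the request outright when there is no display on which to ask you; ASKPASS_LOG and ASKPASS_DIALOG are variable names assumed for this example, and the dialog command defaults to the ~/bin/ssh-yesno script above.

```shell
#!/bin/sh
# Added example: an SSH_ASKPASS wrapper that logs every confirmation request.
# ssh-agent runs it with the prompt text as its argument (using the
# environment the agent was started with, so SSH_ASKPASS and DISPLAY must be
# exported before ssh-agent starts, as in ~/.xinitrc above) and treats exit
# status 0 as "allow" and anything else as "deny".
#
# ASKPASS_LOG and ASKPASS_DIALOG are hypothetical variable names chosen for
# this example; the dialog defaults to the ~/bin/ssh-yesno script above.
ASKPASS_LOG="${ASKPASS_LOG:-$HOME/.ssh/askpass.log}"
ASKPASS_DIALOG="${ASKPASS_DIALOG:-$HOME/bin/ssh-yesno}"

# Append one line per request: timestamp, verdict, prompt (newlines folded).
# This leaves a record of every attempted key use, including requests that
# come in through a forwarded socket while you are away from the keyboard.
log_request() {
    prompt=$(printf '%s' "$1" | tr '\n' ' ')
    printf '%s %s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$2" "$prompt" \
        >> "$ASKPASS_LOG"
}

# Show the dialog. With no display nobody can answer, so fail closed.
ask_user() {
    if [ -z "${DISPLAY:-}" ]; then
        return 1
    fi
    # Unquoted on purpose so options inside ASKPASS_DIALOG are word-split.
    $ASKPASS_DIALOG "$1"
}

# Decide and record: returns 0 to approve the key use, 1 to deny it.
confirm() {
    if ask_user "$1"; then
        log_request "$1" ALLOW
        return 0
    fi
    log_request "$1" DENY
    return 1
}

# When invoked by ssh-agent the prompt arrives as the first argument.
if [ $# -gt 0 ]; then
    confirm "$1"
fi
```

Point SSH_ASKPASS at this script instead of ssh-yesno; a DENY line in the log that you did not trigger yourself tells you which key was requested and when.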

One Response to “SSH agent confirmation”

  1. Robin Green says:

    In Fedora Linux, the ssh-agent is started for an X session in /etc/X11/xinit/xinitrc-common, which means that to set the SSH_ASKPASS variable, you can set it in ~/.profile (not to be confused with ~/.bash_profile!)

    I used the following script there, since I’m a KDE person:

    #! /bin/bash -eup
    exec kdialog --warningyesno 'Use SSH key?'
