Enable discrete SSH Agents to avoid leaking access across hosts
- Anyone with root access on a remote host you have forwarded your SSH Agent to can use the agent socket to access any host you have authorized that key on and can eavesdrop on your ongoing session.
- Do not forward your SSH Agent. You do not need it to use
ProxyCommandto connect through bastion/jump hosts (orProxyJumpwith current versions of OpenSSH) - Use separate SSH Keys for different scopes (including read-only keys).
Accomplish this by either:
- Use
solo-agentto isolate keys when ForwardAgent is needed (ex. for remote version control operations) - Or install the SSH key pair (ex. for remote version control operations) on the remote host. This option is less secure, but also less complex.
- Use
- Install Homebrew -- The missing package manager for macOS
- Add the "tap":
brew tap TimidRobot/tap
- Install
solo-agent:brew install solo-agent
Alternatively, since solo-agent is a bash script without esoteric
dependencies, you can simply download it and ensure it is in your PATH.
If this utility is helpful for you, please star this project so that it can eventually be included in Homebrew proper. Thank you!
- Assumptions:
- You need to access GitHub from a host (
devhost) on which a third-party has root access - You have already created a SSH key pair for use with GitHub and added to your GitHub account as a read-only key
- The private key mentioned above is located on your laptop at:
~/.ssh/rsa_github_ro - You have cloned this repository to to your laptop. It is located at:
~/git/solo-agent - You have symlinked
solo-agentto~/bin/solo-agent
- You need to access GitHub from a host (
- At the top of your SSH configuration, put the Match exec that starts the
SSH agent:
Match exec "~/bin/solo-agent github_ro rsa_github_ro" - In the middle of your SSH configuration, put the
devhoststanza:Host devhost HostName devhost.example.com ForwardAgent Yes IdentityAgent ~/.ssh/solo-sock/github_ro - At the bottom of your SSH configuration, ensure the global
Host *stanza includes the following two options:Host * AddKeysToAgent no ForwardAgent no
When you ssh devhost with the configuration above, the following will happen:
- The Match directive in the include will execute
solo-agent. It will determine if there is already a valid socket symlinked from~/.ssh/solo-sock/github_ro:- If there is, it will ensure the specified key is loaded into that agent
- If not, it will start a new agent, create the symlink, and ensure the specified key is loaded into that agent
- The SSH connection to
devhostwill use the SSH Agent connected to the specified socket. Only the key(s) added to it will be available.- You can continue to authenticate to
devhostwith theIdentityFileof your choice without worry.
- You can continue to authenticate to
- OpenSSH 7.3 added
IdentityAgent:- macOS 10.13 High Sierra or later
- Red Hat Enterprise Linux 7 Update 4 or later
- Ubuntu 17.04 Zesty Zapus or later
- Either:
- GNU coreutils readlink
- Python
- Install discrete and properly scoped SSH key pairs on the remote host
- Managing multiple SSH agents - Wikitech
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent