Secure ssh-agent usage



ssh-agent was in the news recently due to the matrix.org compromise. The main takeaway from that incident was that one should avoid the ForwardAgent (or -A) functionality when ProxyCommand will do and consider multi-factor authentication on the server-side, for example using libpam-google-authenticator or libpam-yubico.

That said, there are also two options to ssh-add that can help reduce the risk of someone else with elevated privileges hijacking your agent to make use of your ssh credentials.

Prompt before each use of a key

The first option is -c, which will require you to confirm each use of your ssh key by pressing Enter when a graphical prompt shows up.

Simply install an ssh-askpass frontend like ssh-askpass-gnome:

    apt install ssh-askpass-gnome

and then use this when adding your key to the agent:

    ssh-add -c ~/.ssh/key

Automatically removing keys after a timeout

ssh-add -D will remove all identities (i.e. keys) from your ssh agent, but requires that you remember to run it manually once you're done.

That's where the second option comes in. Specifying -t when adding a key will automatically remove that key from the agent after a while.

For example, I have found that this setting works well at work:

    ssh-add -t 10h ~/.ssh/key

where I don't want to have to type my ssh password every time I push a git branch.

At home on the other hand, my use of ssh is more sporadic and so I don't mind a shorter timeout:

    ssh-add -t 4h ~/.ssh/key

Making these options the default

I couldn't find a configuration file to make these settings the default and so I ended up putting the following line in my ~/.bash_aliases:

    alias ssh-add='ssh-add -c -t 4h'

so that I can continue to use ssh-add as normal and not have to remember to include these extra options.
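To act on the post's first recommendation (avoid ForwardAgent), the following added example, which is not from the original post, lists every line of an ssh client config that turns agent forwarding on, together with the Host or Match block it sits in. The function name audit_forward_agent and the sample hosts are made up for illustration; the check assumes any ForwardAgent value other than no/false enables forwarding, and it does not follow Include files.

```sh
#!/bin/sh
# Added example: report each ssh client config line that enables agent forwarding.
# Usage: audit_forward_agent [file]   (default ~/.ssh/config, "-" reads stdin)
# Exit status: 0 if nothing enables forwarding, 1 otherwise.
audit_forward_agent() {
    awk '
    BEGIN { ctx = "(global)"; found = 0 }
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next        # blank line or comment
        match(line, /^[^ \t=]+/)                   # keyword ends at space or "="
        key = tolower(substr(line, 1, RLENGTH))    # keywords are case-insensitive
        val = substr(line, RLENGTH + 1)
        sub(/^[ \t]*=?[ \t]*/, "", val)            # "Key value" and "Key=value"
        gsub(/"/, "", val)                         # drop optional quoting
        if (key == "host" || key == "match") { ctx = line; next }
        if (key != "forwardagent") next
        split(val, tok, /[ \t]+/)
        v = tolower(tok[1])
        # Assumption: anything but no/false forwards the agent (yes, a socket
        # path, or an environment variable name such as $SSH_AUTH_SOCK).
        if (v != "no" && v != "false") {
            printf "%d: %s: ForwardAgent %s\n", NR, ctx, tok[1]
            found = 1
        }
    }
    END { exit found }
    ' "${1:-$HOME/.ssh/config}"
}

# Constructed sample config (host names are made up) for an offline run.
sample_config() {
    cat <<'EOF'
# jump through the bastion instead of forwarding the agent to it
Host internal
    ProxyJump bastion.example.net
    ForwardAgent no
Host legacy-*
    forwardagent=yes
Host build
    ForwardAgent "$SSH_AUTH_SOCK"
EOF
}

sample_config | audit_forward_agent - || true
```

Because ssh uses the first value it obtains for each option, a hit in the (global) section or under a wildcard Host pattern can apply to more hosts than the line suggests.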
The -c option is a great recommendation, but I've been trying out https://github.com/StanfordSNR/guardian-agent and I like it even better; it gives you much more information about what is happening: which computer is asking for permission, which key they want to use, what server they're going to connect to, and what command they want to run using it. You can make a much more informed decision, and you can save those decisions so that you only have to decide for novel situations.

Also, the ProxyJump command is much nicer than ProxyCommand, but also newer. It's easier to use and harder to misuse.