ssh private keys on our systems

Till Maas opensource at till.name
Fri Oct 7 18:01:00 UTC 2011


On Fri, Oct 07, 2011 at 09:30:00AM -0600, Kevin Fenzi wrote:

> One possible compromise: go ahead and use ssh agent forwarding, but
> after you login, do a 'ssh-add -D' to drop all your keys. Then, when/if
> you need to make a copy connection it should ask for your passphrase to
> unlock the key again. If someone tries to hijack your agent connection,
> you would see the request to unlock the key and could reject it.

To eliminate the race condition after login, the necessary key could be
added with "ssh-add -c". This makes the agent ask for confirmation
before using a key for authentication.

Kind regards
Till
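The two agent-hygiene steps discussed in this thread, exercised against a throwaway agent, as an added example (this script is not from the original thread and not Fedora Infrastructure code). It assumes the OpenSSH client tools are installed (ssh-keygen 8.0 or later for "-Y sign"); the key, the working directory and the message to sign are all constructed inside the script. SSH_ASKPASS is deliberately pointed at /bin/false so the confirmation prompt that "ssh-add -c" triggers counts as not approved and the demo runs unattended; in real use you would leave it unset or point it at an interactive ssh-askpass.

```shell
#!/bin/sh
# Added example (not from the original thread): run a private ssh-agent, load a
# scratch key with "ssh-add -c" (confirm before every use), show that an
# unconfirmed use through the agent is refused, then empty the agent with
# "ssh-add -D". Assumes OpenSSH client tools are installed.
set -eu

for tool in ssh-agent ssh-add ssh-keygen; do
    command -v "$tool" >/dev/null 2>&1 || { echo "skipping: $tool not found" >&2; exit 0; }
done

WORK=$(mktemp -d)
trap 'kill "${SSH_AGENT_PID:-}" 2>/dev/null || true; rm -rf "$WORK"' EXIT

# The agent asks for confirmation through an ssh-askpass helper. /bin/false
# stands in for a prompt nobody approves (assumption for this demo only).
export SSH_ASKPASS=/bin/false SSH_ASKPASS_REQUIRE=force
eval "$(ssh-agent -s)" >/dev/null   # private agent for this demo, not the user's

# Scratch key (constructed) with an empty passphrase so ssh-add never prompts.
ssh-keygen -q -t ed25519 -N '' -f "$WORK/demo_key" -C 'demo key (constructed)'

# Number of identities the agent holds: "ssh-add -l" prints one line per key,
# each starting with the key size, or "The agent has no identities." (exit 1).
agent_key_count() {
    ssh-add -l 2>/dev/null | grep -c '^[0-9]' || true
}

# Kevin's step: drop every identity right after login.
drop_all_keys() {
    ssh-add -D >/dev/null 2>&1
    agent_key_count
}

# Till's refinement: load the key with -c so each use needs an explicit OK.
add_key_with_confirm() {
    ssh-add -c "$WORK/demo_key" >/dev/null 2>&1
    agent_key_count
}

# Stand-in for someone using a forwarded agent socket: "ssh-keygen -Y sign" is
# handed only the public key, so the signature has to come from the agent.
# The confirmation is not granted, so the agent refuses to sign.
try_sign_via_agent() {
    printf 'data to sign (constructed)\n' > "$WORK/msg"
    rm -f "$WORK/msg.sig"
    if ssh-keygen -Y sign -f "$WORK/demo_key.pub" -n file "$WORK/msg" >/dev/null 2>&1; then
        echo approved
    else
        echo denied
    fi
}

echo "keys after ssh-add -c:        $(add_key_with_confirm)"
echo "signing without confirmation: $(try_sign_via_agent)"
echo "keys after ssh-add -D:        $(drop_all_keys)"
```

The confirmation only protects you if the prompt actually reaches you: the agent runs ssh-askpass on the machine where the agent lives, so on a headless box with no askpass helper a "-c" key is simply unusable rather than prompted for. To see the real prompt, remove the two exported SSH_ASKPASS variables and run the script in a desktop session with ssh-askpass installed.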


More information about the infrastructure mailing list