solo-agent

Enable discrete SSH Agents to avoid leaking access across hosts

SSH Agent Security Issues

ForwardAgent Issue

ForwardAgent Resolution

Install

  1. Install Homebrew -- The missing package manager for macOS
  2. Add the "tap":
    brew tap TimidRobot/tap
    
  3. Install solo-agent:
    brew install solo-agent
    

Alternatively, since solo-agent is a bash script without esoteric dependencies, you can simply download it and ensure it is in your PATH.

If this utility is helpful for you, please star this project so that it can eventually be included in Homebrew proper. Thank you!

Using solo-agent

  1. Assumptions:
    • You need to access GitHub from a host (devhost) on which a third-party has root access
    • You have already created an SSH key pair for use with GitHub and added it to your GitHub account as a read-only key
    • The private key mentioned above is located on your laptop at: ~/.ssh/rsa_github_ro
    • You have cloned this repository to your laptop. It is located at: ~/git/solo-agent
    • You have symlinked solo-agent to ~/bin/solo-agent
  2. At the top of your SSH configuration, put the Match exec that starts the SSH agent:
    Match exec "~/bin/solo-agent github_ro rsa_github_ro"
    
  3. In the middle of your SSH configuration, put the devhost stanza:
    Host devhost
        HostName devhost.example.com
        ForwardAgent Yes
        IdentityAgent ~/.ssh/solo-sock/github_ro
    
  4. At the bottom of your SSH configuration, ensure the global Host * stanza includes the following two options:
    Host *
        AddKeysToAgent no
        ForwardAgent no
    

Explanation

When you run ssh devhost with the configuration above, the following happens:

  1. The Match exec directive at the top of your SSH configuration executes solo-agent. It determines whether ~/.ssh/solo-sock/github_ro is already a symlink to the socket of a valid, running agent:
    • If there is, it will ensure the specified key is loaded into that agent
    • If not, it will start a new agent, create the symlink, and ensure the specified key is loaded into that agent
  2. The SSH connection to devhost uses the SSH agent behind that socket, so only the key(s) added to it are exposed through agent forwarding; none of your other keys are reachable from devhost.
    • You can continue to authenticate to devhost itself with the IdentityFile of your choice, since that key is read from disk on your laptop and never enters the forwarded agent.
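The following script is an added illustration of the flow described above; it is not the project's own solo-agent script. It assumes the socket directory ~/.ssh/solo-sock used by the IdentityAgent line above, and that the public half of the key is beside the private key as ~/.ssh/KEYNAME.pub.

```shell
#!/bin/sh
# Illustrative re-implementation of the solo-agent flow (not the project's code).
# Invoked from ssh_config as:  Match exec "~/bin/solo-agent NAME KEYNAME"
# NAME    -> socket symlink ~/.ssh/solo-sock/NAME (what IdentityAgent points at)
# KEYNAME -> private key ~/.ssh/KEYNAME, with ~/.ssh/KEYNAME.pub beside it (assumed)
set -eu

SOLO_SOCK_DIR="${HOME}/.ssh/solo-sock"

socket_link() { printf '%s/%s\n' "$SOLO_SOCK_DIR" "$1"; }

# Returns 0 if the symlink points at a socket that a running ssh-agent answers on.
# ssh-add -l exits 0 (keys) or 1 (no keys) when it reaches an agent, 2 when it cannot.
agent_is_live() {
    sock="$1"
    [ -S "$sock" ] || return 1
    rc=0
    SSH_AUTH_SOCK="$sock" ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -ne 2 ]
}

# Returns 0 if the agent already holds the key (matched by public-key fingerprint).
key_is_loaded() {
    sock="$1" keyfile="$2"
    fp=$(ssh-keygen -lf "${keyfile}.pub" | awk '{print $2}')
    SSH_AUTH_SOCK="$sock" ssh-add -l 2>/dev/null | grep -qF "$fp"
}

solo_agent() {
    name="$1" keyname="$2"
    link=$(socket_link "$name")
    keyfile="${HOME}/.ssh/${keyname}"
    mkdir -p "$SOLO_SOCK_DIR"
    chmod 700 "$SOLO_SOCK_DIR"        # the socket grants key use; keep it private
    if ! agent_is_live "$link"; then
        # Missing or stale socket: start a dedicated agent and re-point the symlink.
        eval "$(ssh-agent -s)" >/dev/null
        ln -sfn "$SSH_AUTH_SOCK" "$link"
    fi
    # Load only this one key; nothing else ever enters this agent.
    key_is_loaded "$link" "$keyfile" || SSH_AUTH_SOCK="$link" ssh-add "$keyfile"
}

# Match exec treats exit status 0 as a match, so any failure above fails closed.
if [ $# -eq 2 ]; then solo_agent "$@"; fi
```

If the key has a passphrase, ssh-add prompts for it the first time the agent is started, as it would for any other ssh-add invocation.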

Requirements

Alternatives

License