Awesome
solo-agent
Enable discrete SSH Agents to avoid leaking access across hosts
SSH Agent Security Issues
ForwardAgent Issue
- Anyone with root access on a remote host you have forwarded your SSH Agent to can use the agent socket to access any host you have authorized that key on and can eavesdrop on your ongoing session.
ForwardAgent Resolution
- Do not forward your SSH Agent. You do not need it to use
ProxyCommand
to connect through bastion/jump hosts (orProxyJump
with current versions of OpenSSH) - Use separate SSH Keys for different scopes (including read-only keys).
Accomplish this by either:
- Use
solo-agent
to isolate keys when ForwardAgent is needed (ex. for remote version control operations) - Or install the SSH key pair (ex. for remote version control operations) on the remote host. This option is less secure, but also less complex.
- Use
Install
- Install Homebrew -- The missing package manager for macOS
- Add the "tap":
brew tap TimidRobot/tap
- Install
solo-agent
:brew install solo-agent
Alternatively, since solo-agent
is a bash script without esoteric
dependencies, you can simply download it and ensure it is in your PATH
.
If this utility is helpful for you, please star this project so that it can eventually be included in Homebrew proper. Thank you!
Using solo-agent
- Assumptions:
- You need to access GitHub from a host (
devhost
) on which a third-party has root access - You have already created a SSH key pair for use with GitHub and added to your GitHub account as a read-only key
- The private key mentioned above is located on your laptop at:
~/.ssh/rsa_github_ro
- You have cloned this repository to to your laptop. It is located at:
~/git/solo-agent
- You have symlinked
solo-agent
to~/bin/solo-agent
- You need to access GitHub from a host (
- At the top of your SSH configuration, put the Match exec that starts the
SSH agent:
Match exec "~/bin/solo-agent github_ro rsa_github_ro"
- In the middle of your SSH configuration, put the
devhost
stanza:Host devhost HostName devhost.example.com ForwardAgent Yes IdentityAgent ~/.ssh/solo-sock/github_ro
- At the bottom of your SSH configuration, ensure the global
Host *
stanza includes the following two options:Host * AddKeysToAgent no ForwardAgent no
Explanation
When you ssh devhost
with the configuration above, the following will happen:
- The Match directive in the include will execute
solo-agent
. It will determine if there is already a valid socket symlinked from~/.ssh/solo-sock/github_ro
:- If there is, it will ensure the specified key is loaded into that agent
- If not, it will start a new agent, create the symlink, and ensure the specified key is loaded into that agent
- The SSH connection to
devhost
will use the SSH Agent connected to the specified socket. Only the key(s) added to it will be available.- You can continue to authenticate to
devhost
with theIdentityFile
of your choice without worry.
- You can continue to authenticate to
Requirements
- OpenSSH 7.3 added
IdentityAgent
:- macOS 10.13 High Sierra or later
- Red Hat Enterprise Linux 7 Update 4 or later
- Ubuntu 17.04 Zesty Zapus or later
- Either:
- GNU coreutils readlink
- Python
Alternatives
- Install discrete and properly scoped SSH key pairs on the remote host
- Managing multiple SSH agents - Wikitech