A reverse-forwarding ssh-agent
Shell
LICENSE
README
rssh-agent
rssh-agent-profile.sh
rssh-agentd
rssh-agentd-init

README

Purpose:
----------------------------------------------------------------------------
Provide remote SSH agent forwarding. There are very obvious and known attacks against SSH agent forwarding. Quite simply, if a remote host is compromised, your key can be used to connect to arbitrary hosts. This can be quite serious if you manage multiple sites/deployments and keep all your keys in your local agent.

Using rssh-agent, you can keep a single corporate private SSH key. Your (trusted) users connect to an SSH host using their own keys, receiving access to a remote, managed ssh-agent.  The users do not have direct access to the remote private keys, only the agent socket.

Requirements:
----------------------------------------------------------------------------
* Bash
* socat (http://www.dest-unreach.org/socat/)

Usage:
----------------------------------------------------------------------------
Run rssh-agentd on the remote server. It listens on localhost, port 222 by default.
If configured for a port higher than 1024, it may be run as non-root.

 root$ rssh-agentd

Run rssh-agent on the local client. It works similarly to ssh-agent.

 someuser$ rssh-agent ssh root@remote-machine

This script can also be used to wrap other ssh-agent-aware applications
such as 'scp' and 'sftp'.

BUGS:
----------------------------------------------------------------------------
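Use of TCP is dangerous and insecure: any local user or process on the host can connect to a port bound to localhost. Switching to Unix sockets, which can be restricted with filesystem permissions, would be a significant improvement. That said, it is relatively safe for a local daemon on an otherwise secure, single-purpose host.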
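
A sketch of the Unix-socket alternative that the BUGS note points to, added here as an example and not taken from the rssh-agent scripts. It assumes the daemon relays to the agent's socket with socat; the function names, the group argument and the agent.sock filename are hypothetical.

```shell
#!/bin/sh
# Added example, not part of rssh-agent. Assumes socat relays client
# connections to the agent socket named by SSH_AUTH_SOCK.

# Succeeds only if DIR is a real directory we own and is closed to
# "other" users (mode 0700 or 0750). Symlinks are rejected.
dir_is_private() {
    [ -d "$1" ] && [ -O "$1" ] || return 1
    case "$(ls -ld "$1")" in
        drwx------*|drwxr-x---*) return 0 ;;
        *) return 1 ;;
    esac
}

# Weak form (assumed equivalent of the README default): a localhost TCP
# listener carries no file permissions, so every local process can connect.
tcp_listen_addr() {
    printf 'TCP-LISTEN:%s,bind=127.0.0.1,fork,reuseaddr\n' "${1:-222}"
}

# Hardened form: a socket inside a private directory, usable only by the
# owner and members of one group (hypothetical group of trusted users).
unix_listen_addr() {
    printf 'UNIX-LISTEN:%s/agent.sock,fork,unlink-early,group=%s,mode=660\n' "$1" "$2"
}

# Start the relay only when invoked as: <script> run DIR GROUP
if [ "${1:-}" = "run" ]; then
    dir=$2
    group=$3
    : "${SSH_AUTH_SOCK:?start ssh-agent and load the key first}"
    if ! dir_is_private "$dir"; then
        echo "refusing: $dir is not owned by us or is open to other users" >&2
        exit 1
    fi
    exec socat "$(unix_listen_addr "$dir" "$group")" "UNIX-CONNECT:$SSH_AUTH_SOCK"
fi
```

socat applies mode= and group= after it has bound the socket, and some systems ignore permissions on the socket file itself, so the directory mode is the control to rely on.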