A reverse-forwarding ssh-agent
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
LICENSE
README
rssh-agent
rssh-agent-profile.sh
rssh-agentd
rssh-agentd-init

README

Purpose:
----------------------------------------------------------------------------
Provide remote SSH agent forwarding. There are very obvious and known attacks against SSH agent forwarding. Quite simply, if a remote host is compromised, your key can be used to connect to arbitrary hosts. This can be quite serious if you manage multiple sites/deployments and keep all your keys in your local agent.

Using rssh-agent, you can keep a single corporate private SSH key. Your (trusted) users connect to an SSH host using their own keys, receiving access to a remote, managed ssh-agent.  The users do not have direct access to the remote private keys, only the agent socket.

Requirements:
----------------------------------------------------------------------------
* Bash
* socat (http://www.dest-unreach.org/socat/)

Usage:
----------------------------------------------------------------------------
Run rssh-agentd on remote server. Listens on localhost, port 222 by default.
If configured for a port higher than 1024, may be run as non-root.

 root$ rssh-agentd

Run rssh-agent on local client. Works similar to ssh-agent.

 someuser$ rssh-agent ssh root@remote-machine

This script can also be used to wrap other SSH-AGENT aware applications
such as 'scp' and 'sftp'.

BUGS:
----------------------------------------------------------------------------
Use of TCP is dangerous and insecure. Switching to Unix sockets would be a significant improvement. That said, it is relatively safe for a local daemon on an otherwise secure, single-purpose host.