Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ssh-agent: hardening #5753

Closed
wants to merge 3 commits into from
Closed

Conversation

glitsj16
Copy link
Collaborator

IMO there's nothing holding back making the (OpenSSH) authenticator agent profile very tight. Contrary to the SSH client its functionality is very limited and it doesn't need access to much of the file system.

etc/profile-m-z/ssh-agent.profile Outdated Show resolved Hide resolved
etc/profile-m-z/ssh-agent.profile Show resolved Hide resolved
notv
nou2f
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
nou2f

If anything, this would be the quintessential application that uses hardware
keys :p

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@glitsj16 on Mar 25:

Not according to my observations no. Other parts of OpenSSH need that kind of
access, like ssh, ssh-add, ssh-copy-id, ssh-key{gen,scan}... The
authentication agent itself is kept 'dumb' on purpose (which is a good thing
security-wise). We don't have profiles (yet) for ssh-add and the others
mentioned.

Sorry, now that you mention it, the hardware keys might only be needed by
ssh-add, not ssh-agent (I'm not sure).

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree. But the way I read its man page (in this case more specifically the -P switch) it's actually ssh-add that needs u2f access, the agent only stores whatever is put in. Sadly I don't have access to hardware keys to properly test my assumptions. Does anyone on the collaborator team?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well that's the thing. I'm not sure either. Too many open-ended questions for comfort... Especially the points you refer to below, in combination with @rusty-snake's hint send me back to the drawing board :)

Copy link
Collaborator

@kmk3 kmk3 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that the following might be one reason that this is not currently hardened
too much:

From ssh-agent(1):

     command [arg ...]
             If a command (and optional arguments) is given, this is executed
             as a subprocess of the agent.  The agent exits automatically when
             the command given on the command line terminates.

     There are two main ways to get an agent set up.  The first is at the
     start of an X session, where all other windows or programs are started as
     children of the ssh-agent program.  The agent starts a command under
     which its environment variables are exported, for example ssh-agent xterm
     &.  When the command terminates, so does the agent.

     The second method is used for a login session.  When ssh-agent is
     started, it prints the shell commands required to set its environment
     variables, which in turn can be evaluated in the calling shell, for
     example eval `ssh-agent -s`.

     In both cases, ssh(1) looks at these environment variables and uses them
     to establish a connection to the agent.

That is, hardening ssh-agent could break running subcommands like in the
example:

ssh-agent xterm &

If that is a supported use-case, it might be better to only use firejail with
the subcommand.

Example:

/usr/bin/ssh-agent firejail /usr/bin/foo &

Or to remove ssh-agent from firecfg to ensure that the following works:

ssh-agent foo & # -> /usr/bin/ssh-agent firejail /usr/bin/foo &

@glitsj16 glitsj16 marked this pull request as draft March 25, 2023 09:04
@glitsj16
Copy link
Collaborator Author

Converted to draft. There are several important issues raised in review that need more testing. Thanks @kmk3 and @rusty-snake for their initial observations, remarks and questions. IMO we need to de-mystify our OpenSSH profiles/use cases. Could take some time though.

@glitsj16
Copy link
Collaborator Author

See #5751 for details on closing.

@glitsj16 glitsj16 closed this Mar 30, 2023
@glitsj16 glitsj16 deleted the harden-ssh-agent branch March 30, 2023 03:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants