[mosh-devel] About mosh + ssh-agent forwarding support

Keith Winstein keithw at MIT.EDU
Thu Nov 22 00:01:30 EST 2012 

Timo, thanks for your thoughtful email.

My concern with SSH agent forwarding is that the protocol seems pretty
bare. I don't think the local agent really gets enough information to
evaluate whether it should grant a request. In OpenSSH, there seems to
be no way for the ssh-agent to learn (a) which host is making the
request (b) what foreign host they want to authenticate to or (c) what
command they want to run on that foreign host.

Unless the user is religious about using ssh-agent -c (to get explicit
confirmation) and somehow makes a lot of separate identity files for
different target hosts and commands and keeps these privileges
separated, the system seems inherently insecure. In the more common
case where the user only has one identity file and doesn't use
ssh-agent -c, it's almost as bad as simply copying the private key
over to the intermediary host (in that a compromised intermediary can
use its temporary access to the agent to insert itself in every
authorized_keys file the user has access to).

A lot of users seem to use ssh-agent forwarding just so they can make
a secure connection to a foreign host through an intermediate host.
For this kind of use, I would rather have them not trust the
intermediary at all, as anything other than a proxy for crypted
datagrams. A colleague (Austin Clements) suggested the idea that you
could just type "mosh server --via intermediary.host" and it would set
up a proxied connection that doesn't trust the intermediary.

Now, if the world is demanding ssh-agent forwarding, I guess there is
no fundamental reason we can't do that too. But it does seem like the
protocol just doesn't convey enough information for the local agent
(or user) to make an intelligent decision whether to grant the
request. Maybe we can make the users type "mosh
--insecure-ssh-agent-forwarding-watch-out server" but I'm guessing
this is not going to make them that happy. :-)

-Keith

On Thu, Nov 1, 2012 at 11:59 PM, Keith Winstein <keithw at mit.edu> wrote:
> Timo (one of the SSH authors) sent me this and we thought it might be better
> to discuss on the list.
>
>
> ---------- Forwarded message ----------
> From: Timo J. Rinne <tri at iki.fi>
> Date: Wed, Oct 31, 2012 at 4:39 PM
> Subject: About mosh + ssh-agent forwarding support
> To: keithw at mit.edu
>
>
> Hi
>
> Just got interested in mosh.  What a great software and what a great
> effort in server side terminal emulation!  However, I think today's main
> uses for terminal connections are different admin tasks and different
> development tasks.  And typical for both uses is that the user wants to
> log in to other systems (e.g. ssh/scp/git ...) and typically these
> commands need authentication and security aware people typically store
> their authentication keys in the machines they use hands on rather than
> in a large number servers here or there.  That's what makes ssh-agent
> interesting.
>
> I know there are several people that would be happy to see agent
> forwarding appear in mosh.  I haven't had opportunity to look into mosh
> source code more closely, but still I'd imagine it couldn't be that much
> of a problem, because much of the problems apparent in generic channel
> forwarding can just be forgotten (mainly i think channel based buffering
> + windowing + flow control that is a major pain in ssh). Also
> performance is not an issue. The amount of data is in the magnitude of
> kilobyte in one agent connection and it really doesn't matter whether
> the authentication takes 10ms or 250ms.
>
> I've personally implemented the agent forwarding for commercial version
> of ssh (the original one by SSH Communications Security Corp.) and might
> be able to help with this one too so that the obvious caveats are avoided.
>
> I don't know how much you know a about the agent, but basically there is
> very little mosh needs to know about it and it surely don't have to know
> anything about the agent protocol. Actually if you run ssh-agent in your
> local system, it opens a local socket in user owned subdirectory under
> /tmp and sets environment variable SSH_AGENT_SOCK to point to that
> listener and passes that environment to a shell (or X session) that is
> going to be executed.  Then whenever an application wants to access
> ssh-agent, it connects to the local listener, lists the keys available,
> and requests the cryptographic operation to be executed for one of the
> keys and then gets the result.  The result is then used in ssh
> authentication.  Agent forwarding is nothing more than a method for ssh
> client to request the server to open ssh agent socket listener and
> forward all incoming connections to that listener upstream via existing
> ssh connection back to the client so that the client can then forward
> the connection to local agent listener. Naturally these forwards can be
> chained, because apart from delay, there is no difference between local
> and forwarded agent connection.
>
> In case of mosh there are a few additional things to consider, because
> the connection can be broken and then re-established, but actually they
> are quite minor.
>
> 1) The server must be aware that agent forwarding is going to be used
> before it spawns the user shell, because it must open the socket
> listener and set SSH_AGENT_SOCK environment variable accordingly.
>
> 2) If the connection is down, the listener must still work, but
> naturally what it should do, is to accept connections but immediately
> close them.  Other more elaborate alternative would be to code to the
> mosh server the ability to tell to the connection that no keys are
> currently available (using ssh agent protocol), but I don't really see
> much point in it.
>
> 3) If the connection goes down while the agent connection is ongoing, it
> must close the active agent connection, but still leave the listener
> active, so that subsequent connections can be handled (closed if the
> connection is down, or forwarded again when the connection is revived).
>
> I've been using mosh only so that the client is running all the time. I
> don't know if it's actually possible to kill the client and somehow
> start another one and connect to existing connection (using some magic
> cookie key or something).  But if this is (or will be) the case, then of
> course also new client invocation must be aware that the server can send
> agent forwarding requests. Actually I think that in that kind of
> scenario, the new client instance must be told whether to allow agent
> forwarding or not (just like the initial one too) and if the initial one
> allowed those and the new one doesn't, then agent forwarding requests
> passed from the server are just denied and the server in its turn just
> closes the agent connection.  Then again it might be possible to replace
> the second client with the third one again allowing forwarding which
> would make the agent forwards to go through again.  The other way it's
> not possible. If the initial mosh connection is opened so that the
> server doesn't set SSH_AUTH_SOCK environment variable, it's not possible
> (in any practical way) to set up forwarding using that server.
>
> Random thoughts, should you be interested about further information, I'm
> more than happy to help.  I may also help with some code but I'm quite
> busy with other stuff at the moment.  I can however promise to
> contribute the local domain socket stuff if someone else does the
> required channel stuff (I don't know if mosh has some channel concept
> already in the protocol) and upstream connection requests etc.
>
> Best regards,
> --
> Timo J. Rinne <tri at iki.fi>
>

More information about the mosh-devel mailing list