[mosh-devel] Secure agent forwarding with Mosh

Keith Winstein keithw at cs.stanford.edu
Wed Nov 8 23:55:55 EST 2017


Hi folks,

We developed a (prototype) tool that does secure agent forwarding and works
with Mosh. Would be grateful for testing and feedback:
https://github.com/StanfordSNR/guardian-agent

Compared with traditional ssh-agent forwarding, this tool provides
more-constrained agent forwarding that we think could safely be enabled on
any connection. It works alongside any version of Mosh or SSH. Users run
sga-guard (the agent) on their local machine, in a separate window
alongside the interactive session. sga-guard prompts the user to approve
forwarded ssh requests from the intermediary host, either with an X11 popup
or in that second terminal window. Unlike with ssh-agent forwarding, the
agent can enforce limits on which intermediary host can run which command
on which servers.

Based on feedback to this beta/prototype, maybe we can agree on a good way
to incorporate these techniques more deeply into Mosh. (Even if it's just a
mosh -A flag that sets this up automatically instead of needing a second
terminal window.)

There is a more detailed writeup in the README:
https://github.com/StanfordSNR/guardian-agent

We're grateful for feedback, whether about the usability of the tool, the
underlying mechanism, or the best way to make this smooth for Mosh users.

Thanks all,
the Guardian Agent developers (Dima Kogan, Henri Stern, David Mazieres,
Keith Winstein)