ProxyJump is more secure than SSH agent forwarding

The SSH jump server is the proxy between the client and the rest of the SSH fleet. Jump hosts reduce exposure by forcing all SSH traffic through a single hardened location and minimizing the number of SSH endpoints on individual nodes that are reachable from the outside world. (Read more: “How to set up an SSH jump server”)

One way to configure a multi-hop setup is to store the destination server’s private key on the jump server. Do not do this. Jump servers are typically multi-user environments, meaning that any single party with elevated privileges can compromise that private key. A common answer to this threat is to enable agent forwarding. Given how widespread this method is, you may be surprised to find that it is not recommended. Let’s dig a little deeper to understand why.


How does agent forwarding work?

ssh-agent is a key manager that exists as a separate program from SSH. (Read more: “How to manage SSH keys”) It keeps the private keys and certificates used for authentication in memory; it never writes them to disk or exports them. The agent’s forwarding feature lets an SSH client on a remote host reach back over the existing SSH connection to the local agent, which it locates through an environment variable, and authenticate to the next server with it.

Put simply, when the client-side SSH on the intermediate host receives a key challenge, the agent forwards that challenge upstream to the local machine, where the challenge-response is built using the locally stored private key and then sent back downstream to the destination server for authentication. (Read more: “Explanation of SSH Handshake”)

Behind the scenes, ssh-agent binds to a Unix domain socket (named by the $SSH_AUTH_SOCK environment variable) to communicate with other programs. The problem is that anyone with root privileges on any host in the chain can use the forwarded socket to hijack the local ssh-agent. The socket files are protected by the OS, but root can impersonate the connected user and point an SSH client at that user’s agent socket. In essence, agent forwarding is the same as sharing your private key with everyone who has root on any machine in the chain.
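The practical consequence is a configuration question: a client config that reaches the destination through the jump host with `ForwardAgent yes` exposes the local agent’s socket on that host, while `ProxyJump` (the `ssh -J` option) has the jump host open a plain TCP tunnel so the authentication for the destination happens directly from the client and no agent socket is created on the jump host. The script below is an added example, not code from the article: it writes a constructed `ssh_config` containing both variants and audits it for `Host` blocks that enable agent forwarding, which is the check a defender would run over a fleet of user configs. The hostnames, user names and key path in the sample are placeholders.

```shell
#!/bin/sh
# Added example (not from the article): audit an ssh_config for Host
# blocks that enable agent forwarding, and show the ProxyJump form that
# reaches the same destination without exposing the local agent on the
# jump host. All hostnames, users and paths below are constructed.

# Constructed sample config. The first block forwards the agent through
# the jump host (the pattern the article warns against); the later blocks
# reach the same destination with ProxyJump, so the private key and the
# agent socket never leave the client.
write_sample_config() {
  cat > "$1" <<'EOF'
# --- weak: agent forwarding through the jump host ---
Host db-via-agent
    HostName db.internal.example
    User deploy
    ProxyCommand ssh -W %h:%p jump.example
    ForwardAgent yes

# --- preferred: ProxyJump, the jump host only relays a TCP connection ---
Host jump
    HostName jump.example
    User deploy
    IdentityFile ~/.ssh/id_ed25519

Host db
    HostName db.internal.example
    User deploy
    ProxyJump jump
    ForwardAgent no
EOF
}

# Print "host<TAB>lineno" for every Host block that sets ForwardAgent yes.
# ssh_config keywords are case-insensitive and accept "Key value" or
# "Key=value", so the match is done on a lowercased, comment-stripped copy.
# Exit status: 0 when the file is clean, 1 when at least one block forwards.
audit_forward_agent() {
  awk '
    BEGIN { host = "(global)" }
    {
      line = tolower($0)
      sub(/#.*/, "", line)           # drop trailing comments
    }
    line ~ /^[ \t]*host[ \t]+/ { host = $2; next }
    line ~ /^[ \t]*forwardagent[ \t=]+yes[ \t]*$/ {
      printf "%s\t%d\n", host, NR
      bad = 1
    }
    END { exit (bad ? 1 : 0) }
  ' "$1"
}

# Demo: write the constructed config to a temp file and audit it.
cfg=$(mktemp)
write_sample_config "$cfg"
if audit_forward_agent "$cfg"; then
  echo "no agent forwarding configured"
else
  echo "agent forwarding enabled in the Host blocks listed above; use ProxyJump instead"
fi
rm -f "$cfg"
```

Run against a real `~/.ssh/config` (or the files under `/etc/ssh/ssh_config.d/`) the audit lists exactly which `Host` blocks would hand the agent to a remote root; the ProxyJump blocks in the sample are the replacement, and on the command line the equivalent is `ssh -J jump db`.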

Copyright © 2021 IDG Communications, Inc.
