top | item 36790842

willbicks | 2 years ago

I prefer using hardware tokens (in most cases a PKCS#11 smart card) because it means that even with a forwarded SSH agent, every request to use my private key requires a PIN on my client which is verified by the isolated cryptographic processor. It's impossible for my private key to leave that card and get cached anywhere else. While I haven't enabled it on my Yubikey I understand they can do similar.

The downside is that compatibility in edge cases, while much better than I'd expect, is still not perfect. In particular, Windows support outside of PuTTY gets challenging.

gorkish | 2 years ago

The RCE is related to ssh-agent's support for PKCS#11, so, yeah, you are right, this is a valid method to prevent key access or theft via the agent (I also have to approve every use of my PK), but in this case it's not protecting against the RCE, and the workaround in the meantime is to disable PKCS#11: `ssh-agent -P ''`.
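As an added example (not from the thread or from OpenSSH itself), a small POSIX sh helper that reads how an ssh-agent was started and reports whether its PKCS#11/FIDO provider allowlist is restricted the way the `ssh-agent -P ''` workaround restricts it. It assumes a Linux host with OpenSSH 8.9 or later (which has `-P`) and the stock build default allowlist; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Checks how an ssh-agent was started and
# whether its PKCS#11/FIDO provider allowlist (ssh-agent -P) is restricted.

# Print the effective allowlist for an ssh-agent argv passed as arguments.
# Assumption: the build keeps OpenSSH's default of allowing any provider
# library under /usr/lib* or /usr/local/lib* when -P is absent.
effective_allowlist() {
    list='/usr/lib*/*,/usr/local/lib*/*'
    while [ $# -gt 0 ]; do
        case "$1" in
            -P)   if [ $# -gt 1 ]; then shift; list="$1"; else list=''; fi ;;
            -P?*) list="${1#-P}" ;;   # value glued to the flag: -P/path/lib.so
        esac
        shift
    done
    printf '%s\n' "$list"
}

# 0 (true) when no provider or only explicitly named provider libraries can
# be loaded; 1 when a wildcard pattern (including the default) is in effect.
pkcs11_restricted() {
    case "$(effective_allowlist "$@")" in
        '')      return 0 ;;   # -P '' : the agent refuses every provider
        *[*?]*)  return 1 ;;   # glob allowlist: any matching .so may load
        *)       return 0 ;;   # pinned list of specific provider paths
    esac
}

# Inspect the agent named by $SSH_AGENT_PID (Linux: argv is NUL-separated
# in /proc). Prints the allowlist; exit status is that of pkcs11_restricted.
audit_running_agent() {
    pid="${SSH_AGENT_PID:-}"
    if [ -z "$pid" ] || [ ! -r "/proc/$pid/cmdline" ]; then
        echo "no readable /proc/<pid>/cmdline for the agent" >&2; return 2
    fi
    set --
    # The sentinel keeps a trailing empty argument (as in -P '') from being
    # dropped when command substitution strips trailing newlines.
    while IFS= read -r arg; do
        [ "$arg" = "__END__" ] && break
        set -- "$@" "$arg"
    done <<EOF
$(tr '\0' '\n' < "/proc/$pid/cmdline"; printf '__END__')
EOF
    printf 'allowlist: %s\n' "$(effective_allowlist "$@")"
    pkcs11_restricted "$@"
}

# Start a fresh agent that can never load a PKCS#11/FIDO provider library.
start_hardened_agent() { eval "$(ssh-agent -P '' -s)"; }
```

Run `audit_running_agent` in a shell that has `SSH_AGENT_PID` set; a non-zero exit means the agent still accepts a wildcard allowlist and a forwarded socket could ask it to load an arbitrary matching library.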

toast0 | 2 years ago

The other downside is it's much harder to do bulk operations against a fleet. It's not reasonable to enter a PIN for each access when you need to push something to 1000 nodes. 100 nodes is probably ok, but not great.

throwawaaarrgh | 2 years ago

Or you could just use the -c option to ssh-add and be prompted every time the key is handed over.

gunapologist99 | 2 years ago

That won't save you for this RCE!

themoonisachees | 2 years ago

It will save his keys though. It's a start.

aidenn0 | 2 years ago

ssh-agent forwarding does have some use cases with hardware keys. However, most people aren't using hardware keys.