A colleague asked me about my SSH setup, which uses different SSH agents for each set of keys that I use (I tend to use a different keypair for each client I work with) and also makes ssh-agent confirm with me each time a key is used.
What's the point of all that? Because it's trivially easy to take over someone else's SSH agent if you have root on a box they're forwarding to:
$ ssh-add -l
1024 c7:ba:59:92:98:40:f4:53:75:e3:7f:03:fc:0e:3b:bd /Volumes/key/ssh/id_dsa-zomo-bbc (DSA)
$ sudo -i
# ls -ld /tmp/ssh-*
drwx------ 2 victim admins 4096 Aug 27 16:20 /tmp/ssh-bsKJhM8501
drwx------ 2 me admins 4096 Sep 1 09:25 /tmp/ssh-NpAJW14419
# SSH_AUTH_SOCK=/tmp/ssh-bsKJhM8501/agent.8501 ssh-add -l
1024 7a:0a:df:bb:ab:cd:af:e1:04:97:cd:05:34:8c:b4:68 /home/victim/.ssh/id_dsa (DSA)
By setting SSH_AUTH_SOCK to their agent's forwarding socket you can gain use of their agent for onward logins. Laws may apply.
Update: To be clear, the victim and the attacker here are both logged onto a remote host over SSH and using SSH agent forwarding. This isn't a discussion of the risks of someone having root privilege on a machine where your SSH agent process runs (and your private SSH keys reside).
To mitigate this risk, I use a collection of scripts that do two things
- Run different SSH agents for different keys, so that a compromised agent has only limited use (eg: root on client A's hosts can't use it access client B's hosts).
- Require ssh-agent to prompt for confirmation before it uses a key, so that a compromised agent stands less chance of being exploited (if I'm away or I decline the request then nothing happens).
They're here: http://github.com/zomo/ssh-bits. No points for elegance, but they scratch the itch.