Comments on: SSH Agent Forwarding http://www.danielhall.me/2009/08/ssh-agent-forwarding/ Because the Internet doesn't have enough opinions already Tue, 13 Jul 2010 11:53:34 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: Mark Johnson http://www.danielhall.me/2009/08/ssh-agent-forwarding/comment-page-1/#comment-630 Mark Johnson Sat, 06 Mar 2010 06:37:18 +0000 http://www.danielhall.me/?p=160#comment-630 Thanks for this post, answers a bunch of questions I was having. Thanks for this post, answers a bunch of questions I was having.

]]> By: Daniel http://www.danielhall.me/2009/08/ssh-agent-forwarding/comment-page-1/#comment-45 Daniel Sat, 22 Aug 2009 01:33:28 +0000 http://www.danielhall.me/?p=160#comment-45 Brian makes a very good point. Smart cards increase the abstraction by a whole other level, but more than that the smart card is essentially an impermeable computer. You cant extract the private key without some very complicated and expensive methods involving electron microscopes and such. Brian makes a very good point. Smart cards increase the abstraction by a whole other level, but more than that the smart card is essentially an impermeable computer. You cant extract the private key without some very complicated and expensive methods involving electron microscopes and such.

]]> By: Brian Pence http://www.danielhall.me/2009/08/ssh-agent-forwarding/comment-page-1/#comment-44 Brian Pence Fri, 21 Aug 2009 12:32:59 +0000 http://www.danielhall.me/?p=160#comment-44 An even better combination of approaches would be to use smartcard authentication in conjunction with agent forwarding. Smartcards work just like publickey authentication except that the private key never leaves the smartcard! All authentication operations are done by the CPU on the smartcard so the private key CAN'T be stolen. Posession of both the smartcard itself and its PIN are required to gain access to a system. So, now that you have a private key that can't be compromised, you don't have to worry about generating multiple keypairs for multiple systems. And because you can't copy your private key to other hosts for multi-hop connections (smartcards don't allow access to the private key), agent forwarding provides the perfect solution. All further authentication requests can be forwarded back to the originating machine and fulfilled by the smartcard itself. Brian Pence Celestial Software (ssh client with smartcard support) http://www.celestialsoftware.net An even better combination of approaches would be to use smartcard authentication in conjunction with agent forwarding. Smartcards work just like publickey authentication except that the private key never leaves the smartcard! All authentication operations are done by the CPU on the smartcard so the private key CAN’T be stolen. Posession of both the smartcard itself and its PIN are required to gain access to a system.

So, now that you have a private key that can’t be compromised, you don’t have to worry about generating multiple keypairs for multiple systems. And because you can’t copy your private key to other hosts for multi-hop connections (smartcards don’t allow access to the private key), agent forwarding provides the perfect solution. All further authentication requests can be forwarded back to the originating machine and fulfilled by the smartcard itself.

Brian Pence
Celestial Software (ssh client with smartcard support)
http://www.celestialsoftware.net

]]>