1. 20
  1. 15

    Forward Yubikey Agent

    I think the warning label on this advice was far too understated. You should only forward your local agent if you trust the admin of the remote machine with your private keys. Because when you forward your agent, root on the box you connect to can use your key as long as you’re connected.

In lots of cases, that’s no problem. The admin of the remote box might be you anyway. Or they might be the person/entity who issued your Yubikey and associated it to your identity. But if you wouldn’t hand that remote admin (or anyone who escalated their privileges to admin on the remote machine) your Yubikey and PIN, don’t forward your agent.

    1. 1

      Yubikeys should be configured to require touch on every operation, in which case the box wouldn’t be able to do operations “behind your back”. (You could still maybe be confused into allowing an unwanted operation but that’s… hopefully difficult enough.)

      1. 2

        Last time I set it up (I was using the PIV applet on the Yubikey, so that may make a difference) that boiled down to one of two cases:

        1. You didn’t require further touches once the agent was authorized and there were no touch requirements for the agent.

        2. You did require those touches, and you were asked for touches without any discernible user action that triggered it, just in the case of normal operations (e.g. you’d transferred enough encrypted data that the ssh agent wanted to re-key) frequently enough that we were afraid requiring touch on every operation would train users to assume touching was the right thing to do no matter what.

        Maybe they’ve improved the agent recently, or maybe without using the PIV applet things are different.

        I still think this bit of advice needs a bigger warning label than the article gave it.

    2. 4

      I strongly recommend yubikey-agent

      Unless you really need compatibility with legacy servers that don’t support sk-* keys, you don’t need to use third-party agents to use a Yubikey.

      1. 4

        My number one trick for me is to use mosh instead of straight ssh to keep connections up over hibernate etc.

        https://mosh.org/

        1. 1

          Only failed for me when crossing the split horizon in my dns. Which for me is 90% of the times I hibernate these days, so I eventually stopped bothering with the firewall rules.

        2. 3

          Reusing connections also works really well when connecting to hosts behind a bastion. Just connect once to the bastion then funnel everything behind that through the existing connection.

          Example config:

          Host jumphost1
             User mctesterson
             HostName 192.168.80.10
             ControlPath ~/.ssh/controlmasters/%r@%h:%p
             ControlMaster auto
             ControlPersist 10m
          
          Host behind-jumphost1
             User mctesterson
             HostName 192.168.88.20
             ControlPath ~/.ssh/controlmasters/%r@%h:%p
             ControlMaster auto
             ControlPersist 10m
             ProxyCommand ssh jumphost1 -W %h:%p
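An added example (not the commenter’s config or any project’s code) that parses an ssh_config like the one above and reports, per host alias, whether agent forwarding (the exposure discussed at the top of the thread) is in effect and whether a ProxyCommand jump host actually has ControlMaster reuse configured. The embedded sample is constructed from the commenter’s blocks with a `ForwardAgent yes` line added.

```python
import fnmatch
import re

# Constructed sample: the commenter's blocks trimmed, plus a ForwardAgent line added here.
SAMPLE_CONFIG = """\
Host jumphost1
   ControlPath ~/.ssh/controlmasters/%r@%h:%p
   ControlMaster auto
   ControlPersist 10m
Host behind-jumphost1
   ForwardAgent yes
   ProxyCommand ssh jumphost1 -W %h:%p
"""

def parse_ssh_config(text):
    # Blocks of (patterns, options) in file order; an implicit 'Host *' block comes first.
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)  # first value in a block wins
    return blocks

def effective_options(blocks, host):
    # Like ssh: walk matching blocks in order, first value obtained for each keyword wins.
    opts = {}
    for patterns, values in blocks:
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):
            for k, v in values.items():
                opts.setdefault(k, v)
    return opts

def audit(text, host):
    # Flag agent forwarding, and check that a ProxyCommand jump host has ControlMaster reuse.
    blocks = parse_ssh_config(text)
    opts = effective_options(blocks, host)
    findings = []
    if opts.get("forwardagent", "no").lower() == "yes":
        findings.append("ForwardAgent yes: root on the remote host can use your key while connected")
    m = re.match(r"ssh\s+(\S+)\s+-W\b", opts.get("proxycommand", ""))
    if m:
        jump = effective_options(blocks, m.group(1))
        if jump.get("controlmaster", "no").lower() != "auto" or "controlpath" not in jump:
            findings.append("jump host %s lacks ControlMaster auto/ControlPath, so each hop opens a fresh connection" % m.group(1))
    return findings
```

Run `audit(open("~/.ssh/config").read(), "behind-jumphost1")` against a real config to see which aliases inherit `ForwardAgent yes` from a catch-all `Host *` block.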