-
Notifications
You must be signed in to change notification settings - Fork 8
/
README
28 lines (20 loc) · 1.52 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Purpose:
----------------------------------------------------------------------------
Provide remote SSH agent forwarding. There are very obvious and known attacks against SSH agent forwarding. Quite simply, if a remote host is compromised, your key can be used to connect to arbitrary hosts. This can be quite serious if you manage multiple sites/deployments and keep all your keys in your local agent.
Using rssh-agent, you can keep a single corporate private SSH key. Your (trusted) users connect to an SSH host using their own keys, receiving access to a remote, managed ssh-agent. The users do not have direct access to the remote private keys, only the agent socket.
Requirements:
----------------------------------------------------------------------------
* Bash
* socat (http://www.dest-unreach.org/socat/)
Usage:
----------------------------------------------------------------------------
Run rssh-agentd on remote server. Listens on localhost, port 222 by default.
If configured for a port higher than 1024, may be run as non-root.
root$ rssh-agentd
Run rssh-agent on local client. Works similar to ssh-agent.
someuser$ rssh-agent ssh root@remote-machine
This script can also be used to wrap other SSH-AGENT aware applications
such as 'scp' and 'sftp'.
BUGS:
----------------------------------------------------------------------------
Use of TCP is dangerous and insecure. Switching to Unix sockets would be a significant improvement. That said, it is relatively safe for a local daemon on an otherwise secure, single-purpose host.