StanfordSNR / guardian-agent

[beta] Guardian Agent: secure ssh-agent forwarding for Mosh and SSH
BSD 3-Clause "New" or "Revised" License
438 stars 30 forks

Multiple, chained partially trusted machines #13

Open MikeSchroll opened 6 years ago

MikeSchroll commented 6 years ago

I'm trying to understand whether guardian-agent supports the following setup:

Local, trusted machine
  -> Partially trusted jumphost
       -> Admin server
            -> End-machine

Not sure if I can 'chain' sga-guard or if there's some way.

I'm trying to run ansible from the 'admin server' against end machines. ansible supports the variable: ssh_executable="/usr/local/bin/sga-ssh"

But it appears:

1) Currently the agent trust doesn't pass along that full chain
2) I'm unable to run sga-guard from jumphost -> admin server

dimakogan commented 6 years ago

I think that the jumphost scenario can be handled together with ssh's ProxyCommand/ProxyJump (still allowing you to get the security benefits of Guardian Agent): On the local (trusted) machine, you can run:

sga-guard -o ProxyCommand="ssh -W %h:%p <jumphost>" <admin-server>

sga-guard uses OpenSSH's ProxyCommand option to connect to <admin-server> through <jumphost> (note that the connection is encrypted end-to-end and the identity of the remote server is verified against the local .known_hosts file, so you're safe here). Then, you can run sga-ssh on the admin server against the end machines (and I think also using ansible).

For additional information about the ProxyCommand option, have a look here.

P.S. Recent versions of OpenSSH have a shortcut for the ProxyCommand option in the form of the -J flag. I'm going to make a small fix to guardian agent so you can use this flag with guardian agent (instead of the longer -o ProxyCommand...).

Hope this helps.
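The same hop can be kept in the local machine's ~/.ssh/config so that a plain `sga-guard admin-server` picks it up. This is an added example, not configuration from the issue or the guardian-agent project; the host aliases, host names and user are placeholders.

```sshconfig
# Added example; all names below are placeholders, not from the issue.
Host jumphost
    HostName jump.example.com
    User alice

Host admin-server
    HostName admin.example.internal
    User alice
    # Relay the connection through the jumphost. The inner ssh only forwards
    # bytes (-W), so the outer session stays encrypted end-to-end and the
    # admin server's host key is still checked against the local known_hosts.
    ProxyCommand ssh -W %h:%p jumphost
    # Refuse to connect (rather than prompt) if the admin server's key is
    # unknown or has changed, so a partially trusted jumphost cannot stand in
    # for it.
    StrictHostKeyChecking yes
```

With this stanza in place, `sga-guard admin-server` on the local machine is equivalent to the explicit -o ProxyCommand invocation above, and the Guardian Agent prompts on the trusted machine still gate every key use made from the admin server.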