Support ssh-agent forwared keys for connection

[notnooblord]

Awesome work so far @Eugeny! Currently trying to implement warpgate bastion in our org. Been great!

I'm concerned with two things actually:

• to use warpgate everywhere, we would have to drop warpgate public key to each user .authorized_keys file, a bit of administrative burden (can be automated)
• warpgate key or server instance gets hacked (somehow) person holding the keys would be able to ssh everywhere bastion can (can be mitigated by ip address limiting, but wont do much if bastion is compromised).

Both can be mitigated if warpgate can support ssh-forwarded keys. So keys for accessing aren't stored on bastion. Than user can do ssh -A user:host@wg and warpgate will use forwarded key to access destination host.

Would such a thing be possible in future?

[Eugeny]

I'm considering this, although this means a lot of extra work - instead of having to deploy .authorized_keys once as usual, you now also need to manage an N^2 set of user/server keys. In any case, #11 will have to be done first since agent forwarding relies on these.

[inkvizitor68sl]

a lot of extra work

Not looks like "a lot" of work. Just make ansible/salt/puppet to deploy .ssh/authorized across all hosts (including bastion host), then deny non-bastion ssh to protected host (firewall, hosts.allow, sshd_config, whatever)

User should run 'ssh user@bastion" and "ssh user@protected_host" from bastion (most clients allows transparent "ssh-via-ssh" via .ssh/config) - and that's it, we don't need "bastion super key" anymore.

[notnooblord]

I kinda wish in new UI there would be something like this :)

With forwarded keys not only can those keys be used for auth, but actually this allows bastion host usage as jump-host, it would be really nice feature.

[notnooblord]

@Eugeny hi! Any update on supporting this feature?

I see that tcp forwarding already been implemented in russh, but I think (could be wrong here) we still need to learn how to talk to ssh agent?

// Maybe possible for me to work on supporting this but don't know where to start :(.

[Eugeny]

Not yet - I've added support for agent channels in https://github.com/warp-tech/russh/pull/48, but to couple it with existing agent protocol implementation that russh inherited from thrussh, it needs a bridge between channels and AsyncRead/AsyncWrite traits (also implemented in that PRs).

That latter work was done to implement the SFTP protocol (see https://github.com/warp-tech/russh/issues/89#issuecomment-1342885587), but it should also work for the agent protocol.

If you've got time for it, you can just give it a quick test and see if you're able to e.g. communicate through a forwarded agent channel from a russh server

[technologicalMayhem]

Has there been any update on this? I am currently working on a setup where the ability for people to identify themselves using their personal keys instead of the warpgate one would be really useful. I've looked through the (seemingly very out of date) roadmap and could also not find anything similar in the other issues.

This project so far seems really nice and quite promising so I would be sad to have to give this up for a different solution.

[notnooblord]

Unfortunately didn’t have time to took on issue myself yet :(, but still very much needed.

In my case we have our self-built auth system for distribution of user ssh keys to hosts, we need to forward them instead of using warpgate sort of “master-key”.

Currently working around that using sshd_config shenanigans that allows warpgate key for every user, but is for sure less secure than forwarding.

@Eugeny just a question on current status, Is agent forwarding now completely supported in russh project?

[Eugeny]

@notnooblord russh includes complete support for agent forwarding channels (call Session::agent_forward and russh will call Handler::server_channel_open_agent_forward for new channels), but connecting these channels to a specific agent is up to the user. For OpenSSH agent, it's pretty much just straightforward piping into the SSH_AUTH_SOCK socket

[Eugeny]

AsyncRead/AsyncWrite bridging is already implemented in Channel::into_stream() too

[z-image]

First, thank you for your work on this project!

I've been trying to use russh to implement a very simple SSH client with support for agent forwarding, but I'm struggling to access the agent forwarding channel. I'm also new to Rust, so that might be contributing to my difficulty.

When client::Handler::server_channel_open_agent_forward() is called, it receives ChannelId(3) and russh::client::Session. Later, if I execute ssh-add -l on the server, I can see the incoming data packet in client::Handler::data() and even pipe it to the local SSH_AUTH_SOCK to get a response from the local agent. However, I'm unsure how to send data back to the server. Any high-level guidance would be highly appreciated.

[Eugeny]

@z-image once you have the ChannelId for the agent channel, you can use Handle::data to send responses on that channel.

This is currently the only method of working with agent channels as I haven't migrated the agent channel methods to use Channel<Msg> in russh::client yet

[Eugeny]

But in general, you're on the right track - just pipe the data back and forth between the channel and the agent socket.