Karaf / KARAF-1475

Support SSH agent forwarding and use the agent authentication when connecting to other instances

    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.3.0, 3.0.0
    • Component/s: None
    • Labels: None

        Activity

        Guillaume Nodet added a comment -

        I've raised KARAF-1542 for the warning.

        Christian Schneider added a comment -

        Reopening as I think this is a big security risk

        Christian Schneider added a comment -

        Currently we create a private key at build time and allow full access with this key by default. I think this opens a big security hole. Of course the same is true for the karaf:karaf user. What makes the private key more dangerous is that people might not see this hole as easily as the default user. So I think we should not do this.

        Instead I propose to create a key at runtime and use it to connect to the local instance. We could store the generated private key in the user dir to make sure it is in a safe place.
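
The proposal in the comment above (generate the key at runtime and keep it in the user directory), sketched as an added example that is not part of the original comment and is not Karaf's own code. The file location, the RSA 3072 key, the PKCS#8 DER file format and a POSIX file system are assumptions; registering the public half with the local instance is not shown.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.SeekableByteChannel;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.security.*;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.spec.*;
import java.util.*;

public class RuntimeLocalKey {
    // Hypothetical location: the comment only says "the user dir".
    static final Path KEY_FILE = Paths.get(System.getProperty("user.home"), ".karaf-example", "local.key.der");

    /** Loads the per-installation key, generating it on first start. Assumes a POSIX file system. */
    static KeyPair loadOrCreate(Path keyFile) throws IOException, GeneralSecurityException {
        KeyFactory kf = KeyFactory.getInstance("RSA");
        if (Files.exists(keyFile, LinkOption.NOFOLLOW_LINKS)) {
            // Refuse to use a key that group or others can read or write.
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(keyFile, LinkOption.NOFOLLOW_LINKS);
            if (!EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE).containsAll(perms)) {
                throw new IOException("Key file permissions too open: " + keyFile);
            }
            RSAPrivateCrtKey priv = (RSAPrivateCrtKey) kf.generatePrivate(
                    new PKCS8EncodedKeySpec(Files.readAllBytes(keyFile)));
            // The public half is derived from the stored private key.
            PublicKey pub = kf.generatePublic(new RSAPublicKeySpec(priv.getModulus(), priv.getPublicExponent()));
            return new KeyPair(pub, priv);
        }
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(3072);
        KeyPair pair = gen.generateKeyPair(); // unique to this installation, never shipped in the build
        Files.createDirectories(keyFile.getParent(),
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------")));
        // CREATE_NEW fails if the file already exists; mode 0600 is applied at creation, not afterwards.
        try (SeekableByteChannel ch = Files.newByteChannel(keyFile,
                EnumSet.of(StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE),
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")))) {
            ByteBuffer buf = ByteBuffer.wrap(pair.getPrivate().getEncoded());
            while (buf.hasRemaining()) ch.write(buf);
        }
        return pair;
    }

    public static void main(String[] args) throws Exception {
        KeyPair pair = loadOrCreate(KEY_FILE);
        System.out.println("Local key ready: " + pair.getPublic().getAlgorithm() + " at " + KEY_FILE);
    }
}
```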

        Guillaume Nodet added a comment -

        The 0.6 sshd release only provides agent support through unix sockets, but a local proxy is needed for karaf.

        Guillaume Nodet added a comment -

        KARAF-32 actually only deals with supporting key based authentication but does not provide ssh agent support.


          People

          • Assignee: Guillaume Nodet
          • Reporter: Guillaume Nodet
          • Votes: 0
          • Watchers: 2
