Karaf
KARAF-1475

Support SSH agent forwarding and use the agent authentication when connecting to other instances

    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.3.0, 3.0.0
    • Component/s: None
    • Labels: None

        Activity

        Guillaume Nodet created issue -
        Guillaume Nodet made changes -
        Link: This issue relates to KARAF-32
        Guillaume Nodet added a comment -

        KARAF-32 actually only deals with supporting key-based authentication but does not provide ssh agent support.
        Guillaume Nodet made changes -
        Link: This issue depends on SSHD-165
        Guillaume Nodet added a comment -

        The 0.6 sshd release only provides agent support through unix sockets, but a local proxy is needed for karaf.
        Guillaume Nodet made changes -
        Link: This issue depends on KARAF-1496
        Guillaume Nodet made changes -
        Status: Open → Resolved
        Resolution: Fixed
        Christian Schneider added a comment -

        Currently we create a private key at build time and allow full access with this key by default. I think this opens a big security hole. Of course the same is true for the karaf:karaf user. What makes the private key more dangerous is that people might not see this hole as easily as the default user. So I think we should not do this.

        Instead I propose to create a key at runtime and use it to connect to the local instance. We could store the generated private key in the user dir to make sure it is in a safe place.
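As an added illustration of the runtime-generated key proposed in the comment above (example code, not from the ticket or from Karaf itself), the following Java class creates the client key pair on first use and stores it with owner-only permissions under the user's home directory, so no key material is baked into the build; the directory and file names are assumptions.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.*;
import java.security.spec.*;

/** Runtime-generated client key, created on first use instead of shipped with the build. */
public final class RuntimeClientKey {

    // Hypothetical location under the user's home directory (not Karaf's actual layout).
    private static final Path KEY_DIR = Paths.get(System.getProperty("user.home"), ".karaf-client");
    private static final Path PRIV = KEY_DIR.resolve("id_rsa.pkcs8");
    private static final Path PUB = KEY_DIR.resolve("id_rsa.x509");

    /** Loads the stored key pair, or generates a fresh one and stores it owner-only. */
    public static KeyPair loadOrCreate() throws IOException, GeneralSecurityException {
        KeyFactory kf = KeyFactory.getInstance("RSA");
        if (Files.exists(PRIV) && Files.exists(PUB)) {
            return new KeyPair(
                    kf.generatePublic(new X509EncodedKeySpec(Files.readAllBytes(PUB))),
                    kf.generatePrivate(new PKCS8EncodedKeySpec(Files.readAllBytes(PRIV))));
        }
        createOwnerOnly(KEY_DIR, "rwx------", true);
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048, new SecureRandom());
        KeyPair kp = gen.generateKeyPair();
        // Create each file with its final permissions before writing any key material into it.
        createOwnerOnly(PRIV, "rw-------", false);
        Files.write(PRIV, kp.getPrivate().getEncoded());
        createOwnerOnly(PUB, "rw-------", false);
        Files.write(PUB, kp.getPublic().getEncoded());
        return kp;
    }

    private static void createOwnerOnly(Path p, String mode, boolean dir) throws IOException {
        try {
            if (dir) Files.createDirectories(p, PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString(mode)));
            else Files.createFile(p, PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString(mode)));
        } catch (UnsupportedOperationException e) {
            // Non-POSIX file system (e.g. Windows): fall back to java.io owner-only flags.
            if (dir) Files.createDirectories(p); else Files.createFile(p);
            p.toFile().setReadable(false, false);
            p.toFile().setReadable(true, true);
            p.toFile().setWritable(false, false);
            p.toFile().setWritable(true, true);
        }
    }
}
```

Because the key never leaves the user's own directory and is unique per installation, compromising one distribution's build artefacts no longer yields a key that opens every instance.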
        Christian Schneider added a comment -

        Reopening as I think this is a big security risk
        Christian Schneider made changes -
        Resolution: Fixed → (cleared)
        Status: Resolved → Reopened
        Guillaume Nodet made changes -
        Link: This issue relates to KARAF-1542
        Guillaume Nodet added a comment -

        I've raised KARAF-1542 for the warning.
        Guillaume Nodet made changes -
        Status: Reopened → Resolved
        Resolution: Fixed
        Gavin made changes -
        Link: This issue depends on SSHD-165 → This issue depends upon SSHD-165
        Gavin made changes -
        Link: This issue depends on KARAF-1496 → This issue depends upon KARAF-1496

          People

          • Assignee: Guillaume Nodet
          • Reporter: Guillaume Nodet
          • Votes: 0
          • Watchers: 2