
ssh-agent forwarding

Open ask0n opened this issue 6 years ago • 2 comments

Hi @anazmy,

Sorry for reopening ticket https://github.com/aker-gateway/Aker/issues/23, but I think this idea needs deeper discussion. SSH has the ability to use SSH CA keys, and agent forwarding is a must-have for this feature. Also, ssh-add -c (manual confirmation of the agent's socket use) has no security drawbacks for ssh-agent related stuff. I think Aker should have a configurable option for SSH agent forwarding.

What do you think?

ask0n avatar Feb 28 '18 10:02 ask0n

Hey @ask0n, I investigated SSH certificates earlier, maybe for a slightly different use, but it's the same after all. FreeIPA provides similar functionality, with the needed centralized web UI, which is why I chose to integrate with it. What use case are you looking for that is not fulfilled by FreeIPA? Can you shed some light here, please?

anazmy avatar Mar 02 '18 05:03 anazmy

I used to use FreeIPA+SSSD, but it is a different level of complexity. When you have 10-20 users and a small infrastructure with a bastion host, it is overkill to manage two FreeIPA nodes just for SSH access.

Also, for automatic provisioning of new nodes you need to store all bind credentials somewhere. And we both know that the bind password is sensitive information which could be abused. With SSH certificates you just need a public key and a single configuration line in sshd_config, so provisioning could be done without any problems via cloud-init.

Since paramiko has all the needed information about the ssh-agent after connection, I think it's a good idea to have such an option for Aker. The only tricky part is that you need to have a transport and try to authenticate with each available key from the agent before opening an SSH session.

ask0n avatar Mar 02 '18 08:03 ask0n
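The "try each agent key on an open transport before opening the session" step described in the last comment, as an added example (not Aker's own code): it assumes paramiko is installed and that the function names `auth_with_agent_keys` and `connect_via_agent` are hypothetical, not part of Aker or paramiko. The key-iteration logic is separated from the network code so it can be exercised with any agent-like object.

```python
"""Authenticate a paramiko Transport using keys offered by an ssh-agent.

Added illustration, not Aker's code. Assumes paramiko is installed; a stub
exception class keeps the key-iteration logic importable without it.
"""
import logging

try:
    import paramiko
    AuthError = paramiko.AuthenticationException
    SSHError = paramiko.SSHException
except ImportError:  # stub so auth_with_agent_keys() still runs without paramiko
    paramiko = None
    class AuthError(Exception):
        pass
    SSHError = AuthError

log = logging.getLogger("aker.agent")


def auth_with_agent_keys(transport, username, agent):
    """Try each agent key in turn; return the key that authenticated, else None.

    `transport` must already be started (start_client()) but not yet
    authenticated. `agent` is anything with get_keys() returning PKey-like
    objects (paramiko.Agent locally, or the forwarded agent on a gateway).
    Signing happens inside the agent, so private keys never touch this host.
    """
    keys = agent.get_keys()
    if not keys:
        log.warning("agent offered no keys for %s", username)
        return None
    for key in keys:
        fingerprint = key.get_fingerprint().hex()
        try:
            transport.auth_publickey(username, key)
        except AuthError:  # covers BadAuthenticationType as well
            log.info("key %s rejected for %s", fingerprint, username)
            continue
        if transport.is_authenticated():
            log.info("authenticated %s with key %s", username, fingerprint)
            return key
    log.warning("no agent key accepted for %s", username)
    return None


def connect_via_agent(host, username, port=22):
    """Open a Transport, authenticate with agent keys, return a session channel."""
    transport = paramiko.Transport((host, port))
    transport.start_client()  # key exchange only; verify get_remote_server_key()
    if auth_with_agent_keys(transport, username, paramiko.Agent()) is None:
        transport.close()
        raise SSHError("agent-based authentication failed for %s" % username)
    return transport.open_session()
```

Each rejected key is logged by fingerprint, which is the audit trail a gateway like Aker would want when an agent offers several identities.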