Celestial Software
TOPIC: Forwarding Keys (Authentication Agent Forwarding)
#8890
Forwarding Keys (Authentication Agent Forwarding) 3 Months ago  
Hello,

I have a license for AbsoluteTelnet and use it daily. I've set up a bastion server in AWS and I'm trying to get key forwarding to work.

I got it working on PuTTY, no problem:

1. Convert .pem to .ppk with PuTTYgen.
2. Add the private key .ppk of the bastion and of any server I might connect to afterwards to Pageant.
3. Enable "Allow agent forwarding" in the PuTTY config.
4. SSH to bastion
5. SSH from bastion to host in private subnet.
6. Success.

I'm at a loss as to how to complete this in AbsoluteTelnet. Authentication tab -> Use RSA/DSA key to login -> can only specify one .pem key!

Forwarding tab -> Authentication Agent Forwarding is enabled.

I even tried combining all necessary private keys into a single .pem. No such luck.

Has anyone got this working?

Thanks!
John
ricerc1 (User)
#8891
Re:Forwarding Keys (Authentication Agent Forwarding) 3 Months ago  
You're correct. Absolute only supports a single key when logging in. To make agent forwarding work, you have to put its public key into the authorized_keys on all the servers you may need to connect to.


Possible alternatives for future enhancement:
1. Support multiple keys in the AbsoluteTelnet/ssh implementation of agent forwarding
2. Support Pageant directly


Does that help?

Brian
bpence (Admin)
Brian Pence
Celestial Software
SSH, SFTP, and Telnet in a tabbed interface for Windows XP, Vista, Mobile, and others
#8892
Re:Forwarding Keys (Authentication Agent Forwarding) 3 Months ago  
Hi Brian,

Thanks for the reply! Will putting Absolute's public key on the servers I need to connect to be any less secure than the PuTTY/Pageant setup?

John
ricerc1 (User)
#8893
Re:Forwarding Keys (Authentication Agent Forwarding) 3 Months ago  
It's no less secure. The only thing you distribute to each host is your public key, whether you have 1, 2, 3, or more key pairs. If one of those hosts becomes compromised, it doesn't compromise the others because there's nothing they can do with the public key.

The security comes in keeping your private key private. File-based private keys can be stolen, so keep them encrypted! Owning the private key validates your identity, or at least that you're in possession of the private key. I would think that becomes less secure if you have more of them to manage or keep them in multiple places. There may be administrative reasons why you might want more than one key, but I can't think of any good ones.

Also consider using hardware-based keys. For just a few dollars, you can get a USB smartcard token that does the required crypto ON THE TOKEN. It's just like file-based key authentication except the private key never leaves the token, so it can't be stolen or compromised. Unless of course they PHYSICALLY steal it from you and coerce you to give up the PIN. AbsoluteTelnet/SSH supports hardware-based authentication tokens natively. I can give you more information if you're interested.

Here's a good article I found on the subject:
security.stackexchange.com/questions/400...-ssh-key-for-all-hos

Brian
bpence (Admin)
Last Edit: 2018/07/20 16:36 By bpence.
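Brian's two points above, that each host only needs the public key in its authorized_keys and that file-based private keys should stay encrypted, can be checked locally. The following Python is an added example, not code from this thread or from AbsoluteTelnet: it reports whether a private key file is passphrase-protected (AWS-style legacy PEM, PKCS#8, and the OpenSSH key format) and whether a given public key is present in an authorized_keys file. All key material in it is a constructed placeholder, and the sample file contents are constructed too.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def private_key_is_encrypted(key_text: str) -> bool:
    """True if a private key file (AWS-style PEM, PKCS#8 or OpenSSH format) needs a passphrase."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        m = len(OPENSSH_MAGIC)
        (n,) = struct.unpack(">I", blob[m:m + 4])  # first wire string is the cipher name
        return blob[m + 4:m + 4 + n] != b"none"     # ssh-keygen writes "none" when unencrypted
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8, always encrypted
        return True
    # Legacy PEM (e.g. an AWS .pem): encrypted only if it carries a Proc-Type header.
    return any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines)


def authorized_keys_has(authorized_keys: str, public_key_line: str) -> bool:
    """True if the key (type + base64 blob; comment ignored) is listed, with or without options."""
    want_type, want_blob = public_key_line.split()[:2]
    for line in authorized_keys.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options such as no-agent-forwarding,from="..." may precede the key type.
        for i in range(len(fields) - 1):
            if fields[i] == want_type and fields[i + 1] == want_blob:
                return True
    return False


def make_openssh_key_sample(cipher: bytes, kdf: bytes) -> str:
    """Constructed openssh-key-v1 header only (no real key material), for demonstration."""
    body = OPENSSH_MAGIC
    for s in (cipher, kdf, b""):  # ciphername, kdfname, empty kdfoptions
        body += struct.pack(">I", len(s)) + s
    body += struct.pack(">I", 1)  # number of keys
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed samples: placeholder key blobs, not real keys.
FORWARDING_PUBKEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderBlob john@laptop"
AUTHORIZED_KEYS = """# accepted on the private-subnet host
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDplaceholder ops@jump
no-agent-forwarding,from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderBlob bastion
"""
```

Run `private_key_is_encrypted` over every file in your key directory to find any that would be usable as-is if copied, and `authorized_keys_has` against each host's authorized_keys to confirm the single AbsoluteTelnet key was distributed everywhere it is needed.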
#8894
Re:Forwarding Keys (Authentication Agent Forwarding) 3 Months ago  
Hi Brian,

Do you mean "the private key never leaves the token"?

Thanks for the info on this! I might pick up a smartcard.

John
ricerc1 (User)
#8895
Re:Forwarding Keys (Authentication Agent Forwarding) 3 Months ago  
Sorry, yes of course. Private key. I've corrected the post above.

With the token, the signing operation actually occurs within the token, so the private key is never exposed. Other than that, it works exactly like file-based key authentication. Other things, such as agent forwarding, work as well, with all of the operations needed for the authentication taking place in the key.

Here's a little howto I put together. This is specific to the PIVKEY token, but will work with other tokens and even smartcards. I would appreciate any feedback you might be able to offer on the approach or even the details or completeness of the tutorial.

www.celestialsoftware.net/ssh-features/s...-authentication.html

Thanks!

Brian
bpence (Admin)