SSH Agent Forwarding Security

andrwhmmr
Community Member

Hi,
love the 1Password SSH Agent.
One question regarding Security though.
Since there is no "easy" way to limit the forwarded keys other than editing the toml every time:

Are the forwarded keys safe?
Or are they handed over to the remote host unencrypted?
I read something like it still requires querying 1Password for authorization when the remote host tries to use the keys, but I think the documentation really needs more clarification regarding this part. Does this mean they are not on the hosts until I give permission via 1Password?

Thank you!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • Michael Mercurio
    Community Member
    edited August 2024

    In general, the security of SSH keys forwarded over SSH depends on how secure the remote host is where the keys are being forwarded -- and how much you trust the administrators of that host. This is true for SSH Agent forwarding in general, whether using 1Password's built-in SSH Agent or any other SSH Agent.

    If you search for security concerns regarding SSH Agent and forwarded keys, you'll find much discussion on this topic, and these also apply to 1Password's built-in SSH Agent. This guide is dated but still relevant and explains the security concerns well:
    http://www.unixwiz.net/techtips/ssh-agent-forwarding.html#sec

    I won't attempt to repeat everything here, but if you're forwarding keys via SSH Agent forwarding (including 1Password as the SSH Agent) to an untrusted remote host, then it's possible your SSH keys could be used by an unauthorized third-party (malicious root on the remote host). 1Password at least offers some protection since a forwarded key cannot be used without your explicit knowledge via the UI.

    Only forward keys to hosts you trust and control.

    For more details regarding 1Password SSH Agent forwarding security:
    https://developer.1password.com/docs/ssh/agent/forwarding#security
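The practical way to follow the advice above ("only forward to hosts you trust and control") is to keep `ForwardAgent` off globally and enable it only in a per-host block, remembering that OpenSSH takes the first value it finds for an option, so the trusted-host block must come before `Host *`. The following is an added example, not code from this thread or from 1Password: a small linter that parses ssh_config-style text, flags `ForwardAgent yes` under a wildcard `Host` pattern, and resolves the effective setting for a given hostname the way ssh does. The two configs are constructed for the demonstration; the `IdentityAgent` socket path is the one 1Password documents for Linux and is only there for realism.

```python
"""Lint an OpenSSH client config for the scope of agent forwarding.

Added example (not from the original thread or 1Password's code).
Flags ForwardAgent enabled under a wildcard Host pattern, which forwards
the agent to every host you connect to, untrusted ones included.
"""
import fnmatch
import re

# Constructed sample: forwarding is enabled for every host (risky).
RISKY_CONFIG = """\
Host *
    ForwardAgent yes
    IdentityAgent ~/.1password/agent.sock
"""

# Constructed sample: forwarding only to one trusted host. The specific
# block must precede "Host *" because ssh keeps the FIRST value it sees.
SCOPED_CONFIG = """\
Host bastion.example.internal
    ForwardAgent yes

Host *
    ForwardAgent no
    IdentityAgent ~/.1password/agent.sock
"""


def parse_ssh_config(text):
    """Return a list of (host_patterns, {option: value}) blocks in file order.

    Option names are lower-cased; options before the first Host line are
    attached to an implicit "*" block, as ssh treats them.
    """
    blocks = []
    patterns, opts = ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"(\S+)\s*(?:=|\s)\s*(.*)", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        else:
            opts.setdefault(key, value)  # first occurrence within a block wins
    blocks.append((patterns, opts))
    return blocks


def forwarding_findings(text):
    """List (pattern, 'wildcard'|'scoped') for every block enabling ForwardAgent."""
    findings = []
    for patterns, opts in parse_ssh_config(text):
        if opts.get("forwardagent", "no").lower() != "yes":
            continue
        for pat in patterns:
            broad = ("*" in pat or "?" in pat) and not pat.startswith("!")
            findings.append((pat, "wildcard" if broad else "scoped"))
    return findings


def effective_forward_agent(text, hostname):
    """Resolve ForwardAgent for hostname as ssh does: first matching block wins."""
    for patterns, opts in parse_ssh_config(text):
        if "forwardagent" not in opts:
            continue
        negated = [p[1:] for p in patterns if p.startswith("!")]
        positive = [p for p in patterns if not p.startswith("!")]
        if any(fnmatch.fnmatchcase(hostname, p) for p in negated):
            continue
        if any(fnmatch.fnmatchcase(hostname, p) for p in positive):
            return opts["forwardagent"].lower() == "yes"
    return False  # OpenSSH default


if __name__ == "__main__":
    for name, cfg in (("risky", RISKY_CONFIG), ("scoped", SCOPED_CONFIG)):
        print(name, forwarding_findings(cfg),
              "untrusted.example.net ->",
              effective_forward_agent(cfg, "untrusted.example.net"))
```

Run against your own `~/.ssh/config`, any `wildcard` finding means a root user on any host you SSH into could submit signing requests to your local agent for as long as the session lasts; with 1Password that request still has to pass the authorization prompt, but the scoped config removes the exposure rather than relying on the prompt.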