If you have an encrypted ssh key for each domain you access (you should), and you keep your unlocked keys in a single ssh-agent (you maybe shouldn't), AND you've ever decided you need to forward your ssh-agent, then you should feel bad.
If you forward an ssh-agent with all your unique keys for every domain to a ssh server that is compromised - all those unique keys for all those unique domains you access? Kablooie! Done. Have fun rotating them all.
sshecret
is a tool that creates an ssh-agent for each identity file found
in your ssh_config(5)
and executes ssh commands for a particular host using
an environment that has access to only the key for that one host.
If a server to which you've forwarded your ssh-agent is compromised, then only the key used for that domain will be affected.
sshecret
is a wrapper around ssh that automatically manages multiple
ssh-agent(1)
sockets each containing only a single unlocked ssh key.
sshecret
accepts the same parameters as ssh(1)
- fundamentally
sshecret
uses execve(2)
to wrap ssh, modifying the environment to
ensure that each key in your ssh_config(5)
uses its own ssh-agent.
Install via pip:
pip install --user sshecret
Install manually / via APT:
apt-get install python3-paramiko
git clone https://github.com/thcipriani/sshecret/
cp sshecret.py /usr/local/bin/sshecret
To use sshecret
with git, point GIT_SSH
to use sshecret
by adding
this to your shell initialization file (~/.bashrc
or the like):
if command -v sshecret > /dev/null 2>&1; then export GIT_SSH=sshecret fi
To use sshecret
with scp add this alias to your shell initialization file:
if command -v sshecret > /dev/null 2>&1; then alias scp='scp -S sshecret' fi
sshecret
obviously won't help you if you're using the same ssh key for
multiple domains. You are clearly beyond help.
sshecret
depends on a correct ssh_config(5)
for your user (found at
~/.ssh/config
or wherever $SSH_CONF
is pointing), so it'll get weird if
that file is weird or nonexistent. Sorry, I guess.
Requirements:
Usage:
usage: sshecret [whatever you want to pass to ssh] sshecret is a wrapper around ssh that automatically manages multiple ssh-agent(1)s each containing only a single ssh key. EXAMPLE: sshecret -A -L8080:localhost:80 -l johndoe -p2222 example.com sshecret accepts the same parameters as ssh(1) - fundamentally sshecret uses execve(2) to wrap ssh, modifying the environment to ensure that each key in your ssh_config(5) uses its own ssh- agent. optional arguments: -h, --help show this help message and exit -v Increase verbosity of output