diff options
| author | Timo Weingärtner <timo@tiwe.de> | 2021-05-11 13:41:06 +0200 |
|---|---|---|
| committer | Timo Weingärtner <timo@tiwe.de> | 2026-03-07 22:25:16 +0100 |
| commit | 2927e78b226ede4df9d6eee9701485ed32c8d48a (patch) | |
| tree | 5cc844a7242511a85b5ad6fc4a3fa808b90988e3 | |
| parent | 74b15a1fe3be3bd549e5fdbfbaf0b64db48a7a76 (diff) | |
| download | ssh-agent-filter-2927e78b226ede4df9d6eee9701485ed32c8d48a.tar.gz | |
add some more documentation: dissected requests for confirmation, threat model
| -rw-r--r-- | README.md | 21 |
1 files changed, 19 insertions, 2 deletions
@@ -35,12 +35,17 @@ confirmation You can use the `--*-confirmed` options (e.g.`--comment-confirmed`) to add keys for which you want to be asked on each use through the filter. The confirmation is done in the same way as when you `ssh-add -c` a key to your `ssh-agent`, but the question will contain some additional information extracted from the sign request. +These types of sign requests are dissected: +* ssh connections +* authentications with `libpam-ssh-agent-auth` +* ssh certificates + how it works ------------ -ssh-agent-filter provides a socket interface identical to that of a normal ssh-agent. -We don't keep private key material, but delegate requests to the upstream ssh-agent after checking if the key is allowed. +`ssh-agent-filter` provides a socket interface identical to that of a normal `ssh-agent`. +We don't keep private key material, but delegate requests to the upstream `ssh-agent` after checking if the key is allowed. The following requests are implemented: * `SSH2_AGENTC_REQUEST_IDENTITIES`: @@ -58,3 +63,15 @@ The following requests are implemented: * success is returned without doing anything Requests to add or remove keys and to (un)lock the agent are refused + + +threat model +------------ + +We assume trusted: +* the user invoking our software +* the upstream ssh-agent +* the user giving or declining confirmation + +We assume untrusted: +* any connection from clients on our listening socket |