From 2927e78b226ede4df9d6eee9701485ed32c8d48a Mon Sep 17 00:00:00 2001 From: Timo Weingärtner Date: Tue, 11 May 2021 13:41:06 +0200 Subject: add some more documentation: dissected requests for confirmation, threat model --- README.md | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 05ca21d..c5326c1 100644 --- a/README.md +++ b/README.md @@ -35,12 +35,17 @@ confirmation You can use the `--*-confirmed` options (e.g.`--comment-confirmed`) to add keys for which you want to be asked on each use through the filter. The confirmation is done in the same way as when you `ssh-add -c` a key to your `ssh-agent`, but the question will contain some additional information extracted from the sign request. +These types of sign requests are dissected: +* ssh connections +* authentications with `libpam-ssh-agent-auth` +* ssh certificates + how it works ------------ -ssh-agent-filter provides a socket interface identical to that of a normal ssh-agent. -We don't keep private key material, but delegate requests to the upstream ssh-agent after checking if the key is allowed. +`ssh-agent-filter` provides a socket interface identical to that of a normal `ssh-agent`. +We don't keep private key material, but delegate requests to the upstream `ssh-agent` after checking if the key is allowed. The following requests are implemented: * `SSH2_AGENTC_REQUEST_IDENTITIES`: @@ -58,3 +63,15 @@ The following requests are implemented: * success is returned without doing anything Requests to add or remove keys and to (un)lock the agent are refused + + +threat model +------------ + +We assume trusted: +* the user invoking our software +* the upstream ssh-agent +* the user giving or declining confirmation + +We assume untrusted: +* any connection from clients on our listening socket -- cgit v1.2.3
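Review bot: In the first hunk, the new list under "These types of sign requests are dissected:" does not say what the confirmation question looks like for a sign request that matches none of the three types. The user decides based on the "additional information extracted from the sign request", so the README should state whether such a request is still presented with a generic question or handled differently. It would also help to name what is shown for each dissected type (ssh connections, authentications with `libpam-ssh-agent-auth`, ssh certificates).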
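Review bot: In the second hunk, the new "threat model" section lists who is trusted and untrusted but not the resulting guarantee, so a reader cannot tell what an untrusted client on the listening socket can still do. Consider adding a sentence drawn from the "how it works" text: requests are delegated only after checking that the key is allowed, keys added with a `--*-confirmed` option are asked about on each use, and requests to add or remove keys and to (un)lock the agent are refused. Two smaller points: "the user invoking our software" and "the user giving or declining confirmation" read as possibly different people, which is worth clarifying, and "the upstream ssh-agent" is left without backticks although the first hunk of this same patch switches to `ssh-agent`.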