justanotheruser has quit [Ping timeout: 272 seconds]
pie_ has quit [Remote host closed the connection]
pie_ has joined #nixos-security
justan0theruser is now known as justanotheruser
lejonet has quit [Ping timeout: 272 seconds]
lejonet has joined #nixos-security
hmpffff has joined #nixos-security
gchristensen has joined #nixos-security
<gchristensen>
hello!
<gchristensen>
since ssh agent forwarding is not great, I'd like to replace this: `ssh -A hostA scp ./path hostB:/path` -- is this ... erm, well, reasonable?
<pie_>
i dunno but replace it with what?
<gchristensen>
well that is the question
<gchristensen>
is there a reasonable replacement
<pie_>
never done that before so i had to stare sideways at the command for a second to get it :D
<pie_>
gchristensen, this sounds a little hacky but i wonder if socket forwarding would be unreasonable
<pie_>
ah but the files are on hostA
* pie_
keeps an eye on tihs
<gchristensen>
right, and they can't come through my controlling system's network
<pie_>
gchristensen, so...hostA _fundamentally_ needs to be able to ssh by itself to hostB...right?
<pie_>
or is it possible to proxy credentials without revealing them? (i suppose that is the question)
<gchristensen>
right
* pie_
scratches head...not sure if that even makes sense
<gchristensen>
that is the question :)
<ekleog>
gchristensen: it can't work with proxyjump, because the tunnel to B would be only readable by $local
<pie_>
is there a construction where you say "I delegate access to this other machine"
<ekleog>
I don't think you can do what you want in-band from ssh without agent forwarding
<pie_>
does ssh actually use pubkey crypto for encryption or is that just authentication
<ekleog>
pie_: it's agent forwarding, and it's what gchristensen is trying to avoid
<pie_>
because if its only the latter i suppose it sounds technically feasible
<pie_>
ekleog, i think this says any kind of proxying is not an optio <gchristensen> right, and they can't come through my controlling system's network
<ekleog>
gchristensen: the best option I can think of to avoid agent forwarding is doing it off-band from ssh, by opening an openssl s_client / openssl s_server
<gchristensen>
interesting
<pie_>
ekleog, is my reasoning sound?
<ekleog>
pie_: it is, though what I'm saying is just that you can't do without both agent forwarding and proxying if you want to stay in-band with ssh :)
<pie_>
ekleog, hm i guess that makes sense. "nothing" stopping you from setting up another separate pipe
<pie_>
well...
* pie_
scratches head
<pie_>
nevermind, you can still ssh to B (even if with socket forwarding)
<ekleog>
reasoning is basically: I can setup links from $local to A and $local to B, but to transmit data from A to B without going through $local I need a pipe from A to B
<pie_>
gchristensen, create a new keypair for the A<->B connection?
<ekleog>
to do that, agent forwarding's answer is “allow A to use $local's key to connect to B”
<pie_>
ekleog, right, thanks for making that verbally clear
<pie_>
ah, especially the second part
<ekleog>
proxyjump handles the same problem for ssh bastions, but its technique is just to establish a link from $local to B that network-wise goes through A, but it doesn't establish a link from A to B
<pie_>
though even making a key pair isnt great if A and B arent supposed to be able to talk to eachother arbitrarily
<pie_>
ekleog, ive never seen proxyjump
<ekleog>
pie_: out of my hat, 99.9% of the uses of agent forwarding should be replaced with proxyjump -- gchristensen's case being the 0.1% of the time where proxyjump wouldn't work for it
<pie_>
so how feasible is opening an out of band thing. youd need to be able to open a port between the two hosts or am i missing something obvious?
<pie_>
s/feasible/clean/
<gchristensen>
right
<gchristensen>
so righht now the firewall doesn't allow that, but it could I suppose
<pie_>
cant just piggyback on ssh bacause....well ekleog made that a premise
<ekleog>
gchristensen: as pie_ mentioned, another way to do the scp would be to add a temporary ssh key to B's host, whose rights would be limited to just scp, and whose private key would be on A
<pie_>
we've reduced command execution/arbitrary pipe to the commonly difficult "transferring files between two computers" problem :p
<pie_>
ekleog, is it possible to limit ssh to do nothing else except forward a specific port?
<ekleog>
and/or use `restrict,command="tar czf - thedirectory" [the public key`
<pie_>
maybe that would allow ignoring restricting command execution and you can just put whatever listener on the two ends of the pipe
<ekleog>
pie_: I don't know for specific port forwarding or scp, but the command in my just-previous message allows restricting to only one command execution :)
<pie_>
ok
<ekleog>
(to place in allowed keys)
<pie_>
yeah im vaguely familiar with that
<pie_>
i never was too comfortable with ssh
<pie_>
and attempt at restricted shells and heck knows
<pie_>
gchristensen, that was not meant as general skepticism towards ssh
<pie_>
you can do cool things with ssh
<pie_>
ekleog, next question is can we package this up nicely :D
<gchristensen>
nah
<pie_>
ekleog, new thing for the 0.1% of cases where proxyjump isnt the thing? :p
<gchristensen>
a really important property of SSH is they got the UX right
<gchristensen>
it is easy to use it safely
<pie_>
ah
<gchristensen>
this is not common in most public/private key cryptography tools!
<pie_>
well i imagine you get a lot of the shoot footing out of the way pretty fast
<pie_>
alternatively its not cisco
<pie_>
ok you know what youre probably right
<pie_>
tfw openbsd isnt the one building gnupg :p
<ekleog>
gchristensen: well, apart from agent forwarding, and server configuration, they got the UX right
<gchristensen>
if you're going to build something which needs a secure transport, building it on top of SSH is a good place to start
<gchristensen>
lol sure here's two things :P
<pie_>
on that note, how many people even know about the dark corners of ssh
<ekleog>
server configuration should default to all-disallow and explicit listing of whether commands are allowed, port forwarding is allowed, etc.
<gchristensen>
that would make people not use ssh
<pie_>
or an easy lockdown flag
<ekleog>
well, it only needs to be this way in the config file, the config tools might default to setting all checks to true
<pie_>
which changes the defaults
<ekleog>
but looking at all that's required to make a port-forwarding-only ssh key is frightsome
<pie_>
i guess some people dont need to care about being super sekur
<pie_>
"what if i missed something"<ekleog> but looking at all that's required to make a port-forwarding-only ssh key is frightsome
<ekleog>
also, ISTR the network protocol is not great from a cryptography point of view, though their choice of primitives compensates for that and still makes it secure, but this is only a far-away remembrance of the encrypt-then-mac vs mac-then-encrypt vs mac-and-encrypt story
<ekleog>
pie_: exactly
<pie_>
ekleog, i wonder if we could add some default profiles to the nixos config options
<pie_>
ekleog, two things go through my head all the time, soundness and completeness
<ekleog>
having it easy to be permissive is not that big an issue IMO. having it hard to be secure is a big one
<gchristensen>
ehhh right one problem with the agent forwarding is I don't have an SSH agent :)
<pie_>
security by lack of features ;P
<pie_>
cant hack what you dont do! ;D
<pie_>
*cant do
<gchristensen>
I hate this
<pie_>
gchristensen, what is this
<pie_>
though i know what you mean
<pie_>
gchristensen, actually, why *dont* you have an agent
<pie_>
or is it just that you dont run it
<gchristensen>
I hate that it is so complicated to get this file from point A to point B inside the same datacenter
<gchristensen>
it is running on a server in a build pipeline
<pie_>
well you can just generate a keypair or forward, if you dont care that the machines will have access to eachother for abti
<pie_>
a bit
<pie_>
or set up an intermediate server
<pie_>
:V
<pie_>
(oh no)
<pie_>
i actually havent been using ssh agent much either because i havent been dealing with multiple endpoints, but im coming up on it these days...so much to learn so much to elarn
<andi->
scp -3 is handy if bandwidth from your (trusted) location isn't a problem.
<gchristensen>
my controlling host is my home/residental network
<andi->
argh then that is probably not an option.
<gchristensen>
hostA and hostB are in the same cage
<gchristensen>
the data I want to xfer is about 1G
<andi->
I miss an FXP style tool... FTP was/is able to do that...
<gchristensen>
not terrible, but also ...
<andi->
have a controlling host and the data hosts connect to each other
<gchristensen>
I wish big ol' aarch64 boxes were easier to get, then this problem wouldn't matter
<andi->
i feel like it should be a solved issues..
<gchristensen>
me too :(
<andi->
s/issues/issue/
<andi->
Generating a one-time key and netcat'ing between the hosts might be not to bad..
<andi->
I just wish there was an authenticated way to do that.
<andi->
without reinventing everything
<ekleog>
andi-: issue with netcat is the firewall
<gchristensen>
I canopen that up
<ekleog>
which itself arises from ambient authority
<andi->
It might be super hacky but writing a script that adds a one-time ssh key to the target machine and restricts it to the receive command might be an idea.. It has a bunch of potential pitfalls :/
* ekleog
currently pondering that a full-caps OS would not actually need a firewall
<andi->
reminds me of a story I heard today... $Pentestcompany was asked to have a look at some standard Cisco VPN.. Figured the consultant posted the configuration to a mailinglist INLCUDING the PSK...
<gchristensen>
then more screwing around with this nonsense after
<gchristensen>
thank you for the help everyone :)
<andi->
good luck :)
<ekleog>
andi-: now is facedesk time
<ekleog>
good luck :)
<andi->
ekleog: I am doing beers instead...
<ekleog>
works too I guess
<pie_>
which was the reasoning for the ponderance of a key limited to port forwards, and then just setting up stuff on the pipe ends <andi-> It might be super hacky but writing a script that adds a one-time ssh key to the target machine and restricts it to the receive command might be an idea.. It has a bunch of potential pitfalls :/
* pie_
catching up with scroll
<pie_>
beers and then facedesk
<ekleog>
beer-induced facedesk?
<pie_>
yes thats what i was meaning to imply xD
<andi->
been years since I woke up on the keyboard..
<pie_>
lol
<andi->
I could add a cushion to my kinesis
<pie_>
xD
<pie_>
for that cost you damn better be able to sleep on it
<andi->
one could consider that an insurance for my health and the device