Is there a way to prevent an application from using my ssh-agent keys?

I started using an application that uses ssh to access my remote server (possibly for a legitimate reason, according to the application developers, but not a good reason, according to me). I found out when the shell where I started the application from asked me for my RSA key passphrase. The first few times I didn't even know because the key was already in my ssh-agent, so the application quietly used it and ran commands on my remote server without my knowledge.

I don't want this application to use my ssh keys behind my back. I take a certain amount of risk by downloading and running an application, but beyond this risk, I take additional privacy and security precautions like using an ssh passphrase. ssh-agent seems to remove the RSA passphrase security, so that the passphrase protects me only when I'm not logged in.

user13097

1 Answer

ssh-add has a -c switch, which makes the added keys subject to confirmation before use. From man ssh-add:

-c Indicates that added identities should be subject to confirmation before being used for authentication. Confirmation is performed by ssh-askpass(1). Successful confirmation is signaled by a zero exit status from ssh-askpass(1), rather than text entered into the requester.

It should suit your needs.

Jakuje
  • I'll try it, but I use ssh a lot and the prompts may annoy me. I'll also try aliasing the "eager-to-ssh" program so it does ssh -D first: alias prog='ssh -D; prog'. – user13097 Apr 06 '16 at 17:51
  • I've adopted this. The prompts are easy to get by. Just press the Enter key. I've also added ssh -D to the alias for the program in question so the ssh prompts don't come up and annoy me. – user13097 Apr 10 '16 at 10:32
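
The confirmation behaviour quoted from the man page above, as an added example that is not part of the original question or answer: a key loaded with `ssh-add -c` into a private, throwaway agent signs only when the askpass helper exits 0. The temporary key, the stand-in askpass script and the function name `demo_confirm` are constructed for illustration, and `ssh-add -T` is assumed to be available (OpenSSH 8.1 or later).

```shell
#!/bin/sh
# Added demo (not from the original post): a key loaded with `ssh-add -c`
# signs only when the agent's askpass helper exits 0. Everything runs in a
# throwaway directory with a constructed key and a private agent.

demo_confirm() {    # $1 = exit status the stand-in askpass returns
    dir=$(mktemp -d) || return 2
    # Stand-in for ssh-askpass(1): exit 0 approves, non-zero denies.
    printf '#!/bin/sh\nexit %s\n' "$1" > "$dir/askpass"
    chmod 700 "$dir/askpass"
    ssh-keygen -q -t ed25519 -N '' -C demo -f "$dir/key" || { rm -rf "$dir"; return 2; }
    (
        unset SSH_AUTH_SOCK SSH_AGENT_PID
        # The agent, not the client, runs askpass, so set these before it starts.
        export SSH_ASKPASS="$dir/askpass" SSH_ASKPASS_REQUIRE=force DISPLAY=:0
        eval "$(ssh-agent -s -a "$dir/agent.sock")" >/dev/null
        [ -n "${SSH_AGENT_PID:-}" ] || exit 2
        rc=2
        # -c attaches the confirm constraint; -T asks the agent to sign.
        ssh-add -q -c "$dir/key" 2>/dev/null &&
            { ssh-add -T "$dir/key.pub" >/dev/null 2>&1; rc=$?; }
        ssh-agent -k >/dev/null 2>&1
        exit "$rc"
    )
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Run as `sh script.sh demo` to see both outcomes.
if [ "${1:-}" = demo ]; then
    demo_confirm 0 && echo "askpass exit 0 -> agent signed"
    demo_confirm 1 || echo "askpass exit 1 -> agent refused"
fi
```

The agent process itself launches the askpass helper, so an agent started without a usable askpass program or display refuses every request for a confirm-constrained key instead of prompting.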