Page MenuHome GnuPG
Create Task
Maniphest T2040

gpg-agent sshcontrol confirmation not requested on forwarded agent
Closed, ResolvedPublic
Actions

Description

I set up sshcontrol file like so:

4788C56270A2DA4406CDD8B008C3DAA5F4268F03 36000 confirm

This works and confirmation is requested whenever I use the key (on OpenPGP card) to
authenticate to a server.
However, confirmation is _not_ requested on agent forwarded requests - e.g. if I login
to server_1 and then from server_1 to server_2, no confirmation is requested for the
second login but the key is still used.
I think this is a pretty serious bug as it allows forwarded keys to be stolen by anyone
with access to the machines I login to (with agent forwarding).

I use gpgtools on OSX, though, so there is a slight chance this is not a gnupg bug but
a gpgtools bug.

Details

Version
2.0.28

Related Objects

Event Timeline

zviratko set Version to 2.0.28.Jul 14 2015, 10:31 AM
zviratko added projects: gnupg, Bug Report.
zviratko added a subscriber: zviratko.
zviratko added a comment.Jul 14 2015, 10:37 AM

Sorry, disregard this and close, it was a configuration error on my side (there was
another key in the mix).
This works as expected.

zviratko closed this task as Resolved.Jul 14 2015, 10:37 AM
zviratko claimed this task.
zviratko added a comment.Jul 14 2015, 11:42 AM

Sorry, disregard this and close, it was a configuration error on my side…

On 14 Jul 2015, at 10:31, Jan Schermer via BTS <gnupg@bugs.g10code.com> wrote:

New submission from Jan Schermer <jan@schermer.cz>:

I set up sshcontrol file like so:

4788C56270A2DA4406CDD8B008C3DAA5F4268F03 36000 confirm

This works and confirmation is requested whenever I use the key (on OpenPGP card) to
authenticate to a server.
However, confirmation is _not_ requested on agent forwarded requests - e.g. if I login
to server_1 and then from server_1 to server_2, no confirmation is requested for the
second login but the key is still used.
I think this is a pretty serious bug as it allows forwarded keys to be stolen by anyone
with access to the machines I login to (with agent forwarding).

I use gpgtools on OSX, though, so there is a slight chance this is not a gnupg bug but
a gpgtools bug.

category: gnupg
messages: 6640
nosy: zviratko
priority: bug
status: unread
title: gpg-agent sshcontrol confirmation not requested on forwarded agent
version: 2.0.28

GnuPG's BTS <gnupg@bugs.g10code.com>
<T2040>

zviratko reopened this task as Open.Jul 14 2015, 11:42 AM
neal added a subscriber: neal.Jul 14 2015, 12:02 PM

Closing as requested. Thanks for taking time to bring a potential issue to our
attention!

neal closed this task as Resolved.Jul 14 2015, 12:02 PM
aheinecke mentioned this in rKLEOPATRA20ba50d44c28: Add initial version of a notepad.Jan 17 2018, 3:42 PM