Anyone that can successfully use AutoSSH is not monitoring their private key usage. You should always need to approve each time your SSH key is used; whether via typing in your password, swiping your smartcard, or pressing the button on your yubikey.
This is not how it is meant.
When you use AutoSSH/SSH and need to enter a password for your key anytime you do a connection (which probably happens every 10min as a system engineer/admin/etc) it is probably useless.
I have many different SSH keys, each with different long passwords.
What u are looking for is `ssh-agent` which can take care of all the password handling.
Also unattended rsync (over ssh) backups rely on no user interaction at all.
On top of that, you can always use a separate user for the tunnel that doesn't have a login shell. Obviously still a problem if someone gets the private keys but not nearly as much so, as they'll basically be limited to tunneling/forwarding.
I've gone so far as to create a separate autossh user with separate key, with no shell access (by setting the user's shell to /bin/false). It still permits tunneling (call ssh with -N), but does not allow shell sessions. Perfect for when you want to access remote systems via a remote tunnel but do not want to give shell access on the relaying machine to the tunnel origin. It trusts that the machine originating the tunnel will not initiate a reflection attack (by making a local forward to the remote port itself on the originating machine and causing some log messages to appear until all file descriptors are in use)[1], but that's not so unreasonable.
The tool does nothing more in that sense than SSH itself. If you have an unprotected key it doesn't matter if you use it with just core SSH tools, your own scripts to restart things upon connection difficulty, or tools like AutoSSH.
Sometimes unprotected keys are unavoidable for automated admin functions - in this case you have to be careful what access is granted to logins via those keys, and be extra careful to secure the keys themselves including (if you don't generally) having a revocation procedure in place (even if that is as simple as a list of locations the key is accepted to you can remove it from them all) so you can easily deal with one being compromised.
With the ssh-agent defaults, if I have root/sudo access on a server you are logged into with ssh on, I practically have free use of your private SSH key.
I use gpg's ssh-agent emulation (See the man page for gpg-agent under --enable-ssh-support), and store my ssh private key on my yubikey. With this setup, the yubikey's light flashes when something wants to use my private key, and you can just touch the button on it to approve.
> If a root user is able to convince his ssh client to use another user's agent, root can impersonate that user on any remote system which authorizes the victim user's public key.
Yes, root can also simply `su - user` and then do all stuff you do.
But you should also not put YOUR private keys on a system that has a root user who should not have access YOUR keys.
> The problem with ssh-agent defaults is that someone with root on the server you're SSH'd into can use your SSH private key (which is on your local machine).
> ssh-agent is like temporarily uploading your private key to each remote server logged into.
That is very different (and much more common) than an attacker having root on your local machine.
That is bad. Even worse was a default that the OpenSSH developers quietly added and folks have become addicted to. It also enables me to phish any company and get access to all their servers, bypassing 2FA with almost no logging.
Some time read up on SSH Multiplexing. The default is MaxSessions 10. You auth once, my phishing exercise can utilize your session to connect anywhere you have connected. Nothing will show up in syslog. I can take care of `lastlog` entries since folks cache sudoer privs for so long; or in some cases, don't even require a pw.
I will set up a github with a working example of how to set up a backdoor leveraging ssh multiplexing. I got the idea from a coworker (whitehat) that used a simple ruby script to completely pwn my system. The cool part is, it doesn't require exploiting anything beyond the helpful developer or sysadmin.
Does that boil down to "if root is malicious, Bad Things can happen to other users"? Well...duh. Why not keylog all terminals instead of fumbling with ssh-agent and connection multiplexing?
No. The problem with ssh-agent defaults is that someone with root on the server you're SSH'd into can use your SSH private key (which is on your local machine).
ssh-agent is like temporarily uploading your private key to each remote server logged into.
In the same way, a helicopter is like a hot-air baloon. Except it's mostly not - the comparison is very much misleading.
The GP is mixing together SSH agent with agent forwarding, and private keys with key signing by agent.
There is last week's CVE-2016-0777, which is a vulnerability that enables the exploit you are describing, but in a properly patched configuration, without agent forwarding (nb: this feature is off by default), this is not the case. Same with connection multiplexing: off by default (for good reasons). In other words, either a) please explain how that would work, or b) please stop spreading FUD.
ssh multiplexing is ON by default. The default is `MaxSessions 10`. Unless you have `MaxSessions 1` in your config, then you have it enabled in your environment. If you have 2FA and SOC1/SOC2 controls, then technically you are out of compliance.
Anyone that can successfully use AutoSSH is not monitoring their private key usage. You should always need to approve each time your SSH key is used; whether via typing in your password, swiping your smartcard, or pressing the button on your yubikey.