RO SSH Agent Forwarding Works

Well, technically it already worked once the ROAgent.List method was working.
cloudflare · Mar 12, 2018 · b1fdf6d · b1fdf6d
1 parent 998d924
commit b1fdf6d
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -343,31 +343,37 @@ conversion. For dealing with files directly, using the
 would be a good option.
 
 
-## SSH key encryption
+## SSH Signing Oracle
 
 Red October can encrypt an SSH private key with a restriction that the key can
 be used to sign messages, but that it should not be returned as the result of a
 decrypt call. The ro client can use this feature to mimic an ssh-agent server
 which authenticates a user to a remote SSH server without ever handling the
 unencrypted private key directly.
 
-Generate an ssh key without passphrase:
+Generate an ssh key **without passphrase**:
 
  $ ssh-keygen -f id_ed25519 -N ""
 
+### Consign the Key to the RO Server
+
 Encrypt with the "ssh-sign-with" usage only:
 
  $ ro -server localhost:443 -ca server.crt \
   -minUsers 2 -owners alice,bob -usages ssh-sign-with \
   -in id_ed25519 -out id_ed25519.encrypted encrypt
 
+### Start the RO SSH Agent
+
 Initiate a SSH agent with connection to the remote RO server:
 
  $ ro -server localhost:443 -ca server.crt ssh-agent
 
  2018/02/05 05:21:13 Starting Red October Secret Shell Agent
  export SSH_AUTH_SOCK=/tmp/ro_ssh_267631424/roagent.sock
 
+### Connect to SSH via RO SSH Agent
+
 On a separate terminal, run:
 
  $ export SSH_AUTH_SOCK=/tmp/ro_ssh_267631424/roagent.sock
@@ -380,3 +386,13 @@ authenticate through the red october server:
  $ ssh user@hostname
  $ git -T [email protected]
  $ ...
+
+### SSH Agent Forwarding
+
+Moreover, since ro-ssh-agent is compatible with the ssh-agent protocol,
+you can forward the ro-ssh-agent:
+
+ localhost $ ssh -A user@middle # calls local ro-ssh-agent to ask RO server for a signature
+  middle $ ssh -A user@far # calls local ssh-agent for a signature, which forwards the
+  # request packet to the ro-ssh-agent
+  far $ echo Profit!
diff --git a/testdata/ro-ssh-agent-demo.sh b/testdata/ro-ssh-agent-demo.sh
@@ -0,0 +1,36 @@
+export RO_USER=alice
+export RO_PASS=alice
+
+go build github.com/cloudflare/redoctober/
+go build github.com/cloudflare/redoctober/cmd/ro/
+
+# Start Papa RO using a systemd socket (On dedicated terminal)
+systemd-socket-activate -l 443 \
+ ./redoctober -systemdfds -vaultpath testdata/diskrecord.json \
+ -certs testdata/server.crt -keys testdata/server.pem
+
+# Add admin and users (See README.md)
+# Sign on enough delegates
+curl --cacert testdata/server.crt https://localhost:443/delegate \
+ -d '{"Name":"alice","Password":"alice","Time":"2h34m","Uses":10}'
+curl --cacert testdata/server.crt https://localhost:443/delegate \
+ -d '{"Name":"bob","Password":"bob","Time":"2h34m","Uses":10}'
+
+# Consign a private key to Papa RO
+./ro -server localhost:443 -ca testdata/server.crt \
+ -minUsers 2 -owners alice,bob -usages ssh-sign-with \
+ -in id_ed25519 -out id_ed25519.encrypted encrypt
+
+# Start RO SSH Agent (On dedicated terminal)
+./ro -server localhost:443 -ca testdata/server.crt ssh-agent
+
+# Set the SSH_AUTH_SOCK Environment Variable
+export SSH_AUTH_SOCK=/tmp/ro_ssh_[random]/roagent.sock
+
+# Add the encrypted key to the RO SSH Agent
+./ro -in testdata/ssh_key.encrypted -pubkey testdata/ssh_key.pub ssh-add
+
+# List public keys available through RO SSH Agent
+ssh-add -L
+
+# Profit!