Hello,
I have a license for Absolutetelnet and use it daily. I've setup a bastion server in AWS and I'm trying to get key forwarding to work.
I got it working on Putty, no problem:
1. Convert .pem to .ppk with Puttygen.
2. Add the private key .ppk of the bastion, and of any server I might connect to afterwards, TO Pageant.
3. Enable "Allow agent forwarding" in Putty config.
4. SSH to bastion
5. SSH from bastion to host in private subnet.
6. Success.
I'm at a loss as to how to complete this in Absolutetelnet. Authentication tab -> Use RSA/DSA key to login -> can only specify one .pem key!
Forwarding tab -> Authentication Agent Forwarding is enabled.
I even tried combining all necessary private keys into a single .pem. No such luck.
Has anyone got this working?
Thanks!
John
You're correct. Absolute only supports a single key when logging in. To make agent forwarding work, you have to put its public key into the authorized_keys on all the servers you may need to connect to.
Possible alternatives for future enhancement:
1. Support multiple keys in the AbsoluteTelnet/ssh implementation of agent forwarding
2. Support pagent directly
Does that help?
Brian
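As an added example (not from this thread and not AbsoluteTelnet's own code), a small Python check for the advice above: confirm that the client's single public key is actually installed in a server's authorized_keys. It compares keys by their OpenSSH-style SHA256 fingerprint rather than by raw text, so a different comment or an option prefix on the server side does not hide a match. The sample key is constructed in code and is not a real key.

```python
import base64
import hashlib
import struct


def parse_pubkey_line(line):
    """Return (key_type, key_blob) from an OpenSSH public key line.

    Scans token pairs so that leading authorized_keys options such as
    from="..." or no-agent-forwarding are skipped rather than misparsed.
    """
    tokens = line.strip().split()
    for i in range(len(tokens) - 1):
        key_type, b64 = tokens[i], tokens[i + 1]
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue
        if len(blob) < 4:
            continue
        # The blob begins with a length-prefixed copy of the key type.
        (n,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + n] == key_type.encode():
            return key_type, blob
    raise ValueError("no valid public key found on line")


def fingerprint(line):
    """OpenSSH-style fingerprint: 'SHA256:' + base64 digest without padding."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_installed(client_line, authorized_keys_text):
    """True if the client's key is present in authorized_keys, ignoring comments/options."""
    want = fingerprint(client_line)
    for entry in authorized_keys_text.splitlines():
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            if fingerprint(entry) == want:
                return True
        except ValueError:
            continue  # malformed entry: skip it rather than fail the whole check
    return False


def make_sample_key(seed, comment):
    """Constructed ssh-ed25519 public key line for offline testing (NOT a real key)."""
    raw = hashlib.sha256(seed).digest()  # 32 deterministic bytes standing in for a key
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment
```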
Hi Brian,
Thanks for the reply! Will putting Absolute's public key on the servers I need to connect to be any less secure than the Putty/Pagent setup?
John
It's no less secure. The only thing you distribute to each host is your public key, whether you have 1, 2, 3, or more key pairs. If one of those hosts becomes compromised, it doesn't compromise the others because there's nothing they can do with the public key.
The security comes in keeping your private key private. File-based private keys can be stolen, so keep them encrypted! Owning the private key validates your identity, or at least that you're in possession of the private key. I would think that becomes less secure if you have more of them to manage or keep them in multiple places. There may be administrative reasons why you might want more than one key, but I can't think of any good ones.
Also consider using hardware-based keys. For just a few dollars, you can get a USB smartcard token that does the required crypto ON THE TOKEN. It's just like file-based key authentication except the private key never leaves the token, so it can't be stolen or compromised. Unless of course they PHYSICALLY steal it from you and coerce you to give up the PIN. AbsoluteTelnet/SSH supports hardware-based authentication tokens natively. I can give you more information if you're interested.
Here's a good article I found on the subject:
https://security.stackexchange.com/questions/40050/best-practice-separate-ssh-key-per-host-and-user-vs-one-ssh-key-for-all-hos
Brian
Hi Brian,
Do you mean "the private key never leaves the token"?
Thanks for the info on this! I might pick up a smartcard.
John
Sorry, yes of course. Private key.
I've corrected the post above. With the token, the signing operation actually occurs within the token, so the private key is never exposed. Other than that, it works exactly like file-based key authentication. Other things, such as agent forwarding, work as well, with all of the operations needed for the authentication taking place in the key. Here's a little howto I put together. This is specific to the PIVKEY token, but will work with other tokens and even smartcards. I would appreciate any feedback you might be able to offer on the approach, or even on the details or completeness of the tutorial. https://www.celestialsoftware.net/absolutetelnet-smartcard-and-token-authentication/
Thanks! Brian