disabling the authentication agent?

Hank Leininger openssh-unix-dev at progressive-comp.com
Tue Feb 5 12:10:37 EST 2002


On 2002-02-03, "Robert Mooney" <rjmooney at aboveground.cx> wrote:

> If I log in to host1 from workstation w/ password auth, and
> I log in to host2 from workstation w/ DSA public key auth, and

...Using ssh-agent on workstation for this connection?

> I try to ssh from host1 to host2, host2 allows me to login w/o a
> password.

> Why?

Perhaps because you have agent-forwarding turned on when ssh'ing from
workstation to host1?  Even though you are logging in to host1 w/a
password, that ssh session has access to your agent.  Test this by doing an
'ssh-add -l' on host1 after logging in to it.  If this is it, add
'AgentForwarding no' to $etc/ssh_config or ~/.ssh/config (either for all
hosts, or just for host1) and it should stop.

IIRC that is the default nowadays though, so perhaps this is not the
problem...

> Is there any way to disable the authentication agent in the server
> config?

You mean in host1's sshd_config file, correct?  I do not believe so.
There is arguably room for an sshd_config option for this (after all
there's options to control other kinds of forwarding), but it's not
something one usually sees unless one is using pubkey auth in the first
place, which you are not when you log into host1.

To be clear: it's the intermediate host for which such a setting matters. 
There is no way for a destination host to tell the difference between an
agent-forwarded pubkey auth and a direct pubkey auth, provided the host the
connection comes from is permitted by any from="" entry in the
authorized_keys file.  This is unfortunate.

--
Hank Leininger <hlein at progressive-comp.com> 
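
The 'ssh-add -l' check on host1 described above, together with a matching audit of the workstation's client config, as an added example that is not part of the original post. It assumes the client keyword as spelled in ssh_config(5), ForwardAgent; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.

# Run on the intermediate host (host1): can this session reach an agent?
# Uses ssh-add's documented exit status: 0 = keys listed, 1 = agent has
# no keys, 2 = agent cannot be contacted.
agent_state() {
    if [ -z "${SSH_AUTH_SOCK:-}" ] || [ ! -S "$SSH_AUTH_SOCK" ]; then
        echo "no-agent"
        return 0
    fi
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo "agent-with-keys" ;;
        1) echo "agent-empty" ;;
        *) echo "agent-unreachable" ;;
    esac
}

# Run on the workstation: read ssh_config text on stdin and print every
# scope ("(global)" before the first Host/Match line) that enables
# forwarding. Keywords are case-insensitive and may be written key=value.
# Any value other than "no" is treated as enabling forwarding.
forwarding_scopes() {
    awk '
        BEGIN { scope = "(global)" }
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }
        /^#/ || /^$/ { next }
        { key = tolower($1) }
        key == "host" || key == "match" { scope = $0; next }
        key == "forwardagent" && NF >= 2 {
            v = tolower($2); gsub(/"/, "", v)
            if (v != "no") print scope
        }
    '
}

# Constructed sample config for the demonstration below.
SAMPLE_CONFIG='# constructed sample
Host host1
    ForwardAgent yes
Host host2
    forwardagent=no
Host *
    ForwardAgent no'

printf '%s\n' "$SAMPLE_CONFIG" | forwarding_scopes
agent_state
```

The audit lists where forwarding is switched on, not the value that wins for a given host; `ssh -G host1` prints the effective options after ssh_config's first-match-wins evaluation.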
  


