Agent Forwarding Anomalies on OpenBSD 3.3/OpenSSH 3.6.1

Eric eric-list-openssh at
Sat Sep 13 02:17:30 EST 2003

On Fri, 2003-09-12 at 08:28:46 -0500, Ben Lindstrom proclaimed...

> In this case your global ssh_config and personal ssh_config would be
> more interesting.

Ok, I forgot to send that along. Basically, it's the same on all

  Host *
  Cipher 3des
  ForwardAgent yes
  ForwardX11 yes
  KeepAlive yes
  NumberOfPasswordPrompts 3
  UsePrivilegedPort no
  Protocol 2,1
  #; HostA
  Host hostA
  HostKeyAlias hostA
  StrictHostKeyChecking yes
  IdentityFile ~/.ssh/keys/hostA
  #; HostB
  Host hostB
  HostKeyAlias hostB
  StrictHostKeyChecking yes
  IdentityFile ~/.ssh/keys/hostB


> This is called Agent forwarding.
> man ssh_config
> [..]
>      ForwardAgent
>              Specifies whether the connection to the authentication agent (if
>              any) will be forwarded to the remote machine.  The argument must
>              be ``yes'' or ``no''. The default is ``no''.
>              Agent forwarding should be enabled with caution.  Users with the
>              ability to bypass file permissions on the remote host (for the
>              agent's Unix-domain socket) can access the local agent through
>              the forwarded connection.  An attacker cannot obtain key material
>              from the agent, however they can perform operations on the keys
>              that enable them to authenticate using the identities loaded into
>              the agent.
> [..]
> > debug1: channel 0: request pty-req
> > debug1: Requesting authentication agent forwarding.
> 	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > debug1: channel 0: request auth-agent-req at
> [..]

Yes, but do you have any idea why it would work on one host and
not the others?

More information about the openssh-unix-dev mailing list