Agent Forwarding Anomalies on OpenBSD 3.3/OpenSSH 3.6.1
Eric
eric-list-openssh at catastrophe.net
Sat Sep 13 02:17:30 EST 2003
On Fri, 2003-09-12 at 08:28:46 -0500, Ben Lindstrom proclaimed...
> In this case your global ssh_config and personal ssh_config would be
> more interesting.
Ok, I forgot to send that along. Basically, it's the same on all
hosts...
Host *
  Cipher 3des
  ForwardAgent yes
  ForwardX11 yes
  KeepAlive yes
  NumberOfPasswordPrompts 3
  UsePrivilegedPort no
  Protocol 2,1

#; HostA
Host hostA
  HostName 10.6.6.6
  HostKeyAlias hostA
  StrictHostKeyChecking yes
  IdentityFile ~/.ssh/keys/hostA

#; HostB
Host hostB
  HostName 10.6.6.7
  HostKeyAlias hostB
  StrictHostKeyChecking yes
  IdentityFile ~/.ssh/keys/hostB

[etc..]
> This is called Agent forwarding.
>
> man ssh_config
> [..]
> ForwardAgent
> Specifies whether the connection to the authentication agent (if
> any) will be forwarded to the remote machine. The argument must
> be ``yes'' or ``no''. The default is ``no''.
>
> Agent forwarding should be enabled with caution. Users with the
> ability to bypass file permissions on the remote host (for the
> agent's Unix-domain socket) can access the local agent through
> the forwarded connection. An attacker cannot obtain key material
> from the agent, however they can perform operations on the keys
> that enable them to authenticate using the identities loaded into
> the agent.
>
> [..]
> > debug1: channel 0: request pty-req
> > debug1: Requesting authentication agent forwarding.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > debug1: channel 0: request auth-agent-req@openssh.com
> [..]
Yes, but do you have any idea why it would work on one host and
not the others?
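
An added example, not part of the original message or of OpenSSH: ssh_config uses the first value obtained for each option, so a `Host *` block at the top of the file decides ForwardAgent for every host. The sketch below resolves the effective value per host alias over a constructed sample config; the function names are illustrative.

```python
import fnmatch
import re

# Constructed sample modelled on the layout in the post (not a verbatim copy).
SAMPLE = """\
Host *
  ForwardAgent yes
  Protocol 2,1
Host hostA
  HostName 10.6.6.6
  ForwardAgent no
Host hostB
  HostName 10.6.6.7
"""

def parse(text):
    """Return [(host_patterns, {keyword: value})] in file order."""
    blocks = [(["*"], {})]  # options before the first Host line apply to all hosts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)
    return blocks

def effective(text, host, keyword="forwardagent", default="no"):
    """First matching block that sets the keyword wins; later blocks cannot override."""
    for patterns, opts in parse(text):
        # Simplification: only * and ? wildcards are intended; "!" negation is not handled.
        if keyword in opts and any(fnmatch.fnmatchcase(host, p) for p in patterns):
            return opts[keyword]
    return default

def forwarding_hosts(text, hosts):
    """Host aliases for which the agent would be forwarded."""
    return [h for h in hosts if effective(text, h).lower() == "yes"]

if __name__ == "__main__":
    for h in ("hostA", "hostB"):
        print(h, "ForwardAgent =", effective(SAMPLE, h))
```

In the sample, the `ForwardAgent no` under `Host hostA` never takes effect because `Host *` is matched first; placing the `Host *` block at the end of the file lets per-host settings win.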