ssh-agent use in different security domains

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Oct 27 06:10:54 EST 2011


On 10/26/2011 02:56 PM, Saku Ytti wrote:
> Help me understand. How does this help? If you log in to banana with
> ssh-agent, can't banana hijack my session and use /any/ key I have in
> ssh-agent to ssh in domain1 servers?

no, if you do not forward your agent (that is, if you do not enable
ForwardAgent), the machine you connect to cannot access the keys in your
agent, regardless of the number of intermediate hops.

By default ForwardAgent should be set to "no" in ssh_config.  If you run
a distribution that has ForwardAgent set to "yes" by default, please
inform them that it should *always* default to "no".  This would be a
serious bug.

If you've set ForwardAgent to "yes" within ~/.ssh/config, that is in
almost all cases a mistake, given the possibility of using ProxyCommand
with a jumphost.

Regards,

	--dkg
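As an added illustration of the configuration dkg describes (not part of the original thread), here is a ~/.ssh/config that keeps agent forwarding off everywhere and reaches hosts behind a bastion with ProxyCommand instead. The host names jumphost.example.com, the domain1-* pattern and the user name are placeholders.

```ssh_config
# ~/.ssh/config (added example; host names and user are placeholders)

# Never hand the agent socket to the remote side. A compromised remote
# host can then only see the one connection it is on, not every key the
# agent holds.
Host *
    ForwardAgent no

# The bastion. Authentication to it uses a key from the local agent, but
# the bastion never gets access to the agent itself.
Host jumphost
    HostName jumphost.example.com
    User alice

# Hosts inside domain1 are reached through the bastion. "ssh -W" asks the
# bastion to open a plain TCP tunnel to the final host; the second SSH
# session is then end-to-end between the local machine and that host, so
# the bastion sees only encrypted traffic and no key material.
Host domain1-*
    ProxyCommand ssh -W %h:%p jumphost
```

On OpenSSH 7.3 and later the same thing can be written more compactly as `ProxyJump jumphost` (or `ssh -J jumphost domain1-web1` on the command line). To confirm what a given host will actually get after all Host blocks are merged, OpenSSH 6.8 and later offer `ssh -G domain1-web1 | grep -i forwardagent`, which should print `forwardagent no`; any distribution-supplied /etc/ssh/ssh_config that prints `yes` here is the serious bug the message above refers to.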
