ssh-agent use in different security domains

[Ángel González]

Saku Ytti wrote:
>> But this connection is good:
>>
>>  ssh -oProxyCommand='ssh -W %h:%p monkey.example' banana.example
> Lets assume banana lives in domain2.
>
> Help me understand. How does this help? If you login to banana with
> ssh-agent, cant banana hijack my session and use /any/ key I have in
> ssh-agent to ssh in domain1 servers?

Only your ssh program instance can talk with your ssh-agent, because it
is running locally. Without agent forwarding, programs on the other host
can't connect to your agent, much less use your keys.
Thus, that leaves only one point in which the server could use your agent:
in the initial connection when you use the agent to authenticate.
But the authentication is a signature to connection-specific data, so it
can't
be used to authenticate with a different host. It *could* MITM a connection
to a server on domain1 but:
a) The MITM would only be encrypted data.
b) You should notice the RSA mismatch.

What domain2 could do is to login you with a key designed just for domain1.
I guess it would be possible with a crafted sshd to detect if your user
foo is
the same as user bar on a different machine (for which you know the
public key).