Agent Forwarding Anomalies on OpenBSD 3.3/OpenSSH 3.6.1
mouring at etoh.eviladmin.org
Fri Sep 12 23:28:46 EST 2003
On Fri, 12 Sep 2003, Eric wrote:
> I have a curious situation with four OpenBSD 3.3 hosts.
> Each of these has public/private keys on each other for inter-host
> authentication using RSA2 keys.
> For instance, they're called hostA-to-hostBCD, hostB-to-hostACD,
> hostC-to-hostABD, and hostD-to-hostABC.
> The sshd_config files, on each host, look as follows...
In this case your global ssh_config and personal ssh_config would be
> HostA allows ssh from the world to hosts B, C and D -- which have
> SSH filtered. HostA also has ssh-agent running on it; and allows
> me to login to B,C,D w/o problems, so long as the agent is
> unlocked. This looks like...
> Now, the tricky part....if I log into HostB, from HostA (which has
> ssh-agent running, unlocked), I can log into HostC and HostD w/o a
> password. HostA's public key is on all the other machines...I
> would expect to be able to login to the other hosts directly from
> HostA, but not using HostB as a stepping stone w/o require
> authenticating with HostB's key, when logging into HostC or HostD.
This is called Agent forwarding.
Specifies whether the connection to the authentication agent (if
any) will be forwarded to the remote machine. The argument must
be ``yes'' or ``no''. The default is ``no''.
Agent forwarding should be enabled with caution. Users with the
ability to bypass file permissions on the remote host (for the
agent's Unix-domain socket) can access the local agent through
the forwarded connection. An attacker cannot obtain key material
from the agent, however they can perform operations on the keys
that enable them to authenticate using the identities loaded into
> debug1: channel 0: request pty-req
> debug1: Requesting authentication agent forwarding.
> debug1: channel 0: request auth-agent-req at openssh.com
More information about the openssh-unix-dev