Agent Forwarding Anomalies on OpenBSD 3.3/OpenSSH 3.6.1

Ben Lindstrom mouring at
Fri Sep 12 23:28:46 EST 2003

On Fri, 12 Sep 2003, Eric wrote:

> I have a curious situation with four OpenBSD 3.3 hosts.
> Each of these has public/private keys on each other for inter-host
> authentication using RSA2 keys.
> For instance, they're called hostA-to-hostBCD, hostB-to-hostACD,
> hostC-to-hostABD, and hostD-to-hostABC.
> The sshd_config files, on each host, look as follows...

In this case your global ssh_config and personal ssh_config would be
more interesting.

> HostA allows ssh from the world to hosts B, C and D -- which have
> SSH filtered. HostA also has ssh-agent running on it; and allows
> me to login to B,C,D w/o problems, so long as the agent is
> unlocked. This looks like...
> Now, the tricky part....if I log into HostB, from HostA (which has
> ssh-agent running, unlocked), I can log into HostC and HostD w/o a
> password. HostA's public key is on all the other machines...I
> would expect to be able to login to the other hosts directly from
> HostA, but not using HostB as a stepping stone w/o require
> authenticating with HostB's key, when logging into HostC or HostD.

This is called Agent forwarding.

man ssh_config
             Specifies whether the connection to the authentication agent (if
             any) will be forwarded to the remote machine.  The argument must
             be ``yes'' or ``no''. The default is ``no''.

             Agent forwarding should be enabled with caution.  Users with the
             ability to bypass file permissions on the remote host (for the
             agent's Unix-domain socket) can access the local agent through
             the forwarded connection.  An attacker cannot obtain key material
             from the agent, however they can perform operations on the keys
             that enable them to authenticate using the identities loaded into
             the agent.

> debug1: channel 0: request pty-req
> debug1: Requesting authentication agent forwarding.
> debug1: channel 0: request auth-agent-req at

- Ben

More information about the openssh-unix-dev mailing list