Detecting forwarded agent connections

[Alex Wilson]

I know this is pretty left-field, but I'm working on a custom ssh-agent 
implementation and looking at ways to detect forwarded agent 
connections, with the hope to have a "confirm" mode which can apply just 
to those (or those, plus non-whitelisted local processes).

I realise this has been discussed a bit before, but I have thought up a 
method which seems to be working in my tests so far (which isn't one 
I've seen discussed really?), and wanted to ask if anyone can see an 
obvious problem with it.

The SSH client makes multiple connections to the agent's UNIX socket 
when it's forwarding -- the first one seems to always be for the client 
itself (even with public key auth disabled), and then subsequent 
connections are made 1:1 with remote client connections that are being 
forwarded.

My agent implementation already knows how to look up the PID of the 
connected process (via SO_PEERCRED, getpeerucred, etc) and find its 
executable name and basic info (via procfs, kvm_getprocs etc) on the 
handful of OS that I care about, so this is what I'm thinking of doing:

  1. Track connections per process by pid + process start time (so if 
the PID is re-used, the start time should be different and we'll treat 
it as new)
  2. If the calling process' exec binary path ends with "ssh" and this 
connection is NOT the first connection from that process, then prompt 
for confirmation.
  3. Otherwise, allow it.

Obviously this won't work if somebody renames the "ssh" binary -- but 
the threat I'm trying to mitigate here is somebody forwarding from a 
trusted local machine to a remote machine which they conditionally trust 
(e.g. trust it in the absence of exploits), and there's not an easy way 
that I know of to rename the local ssh binary from the remote machine.

Am I crazy?

Thanks for your time reading, as always.