Agent Forwarding and (Crypto-Tunnel-Interrupting) Proxies / Jump Hosts
Jochen Bern
Jochen.Bern at binect.de
Tue Feb 18 06:35:31 AEDT 2025
Hello, today our remote access to a platform got switched from direct
SSH over to an "audit capable" proxy (read: supposedly decrypts and
re-encrypts the data passing through), which makes it necessary that we
always forward the agent so that the proxy -> target SSH connection can
get authenticated as well. I noticed two side effects and would like to
ask whether there are possibilities to address them:
1. Adding "ForwardAgent yes" to the relevant ~/.ssh/config entries works
for "ssh", but I still have to use an explicit "-A" with "scp" and
"sftp". I presume that that's intentional? If so, would it be possible
to add support for something like "ForwardAgent always"? (I'm using the
Fedora-40-supplied "OpenSSH_9.6p1, OpenSSL 3.2.2 4 Jun 2024".)
2. Since the proxy is not under our control, the agent now *always* gets
forwarded all the way to the target host, which most often is *not*
desirable. (Alas, we *sometimes* need that functionality, though.) Sure,
I can try to "unset SSH_AUTH_SOCK", delete the actual socket, try to
weaponize "ChannelTimeout agent-connection=5s", and *I* am using "-c"
with "ssh-add" anyway, but. Is there a way to properly disconnect/expire
the local agent from a(n) *ongoing* / freshly-successfully-established
SSH connection? Preferably in an automated way (rather than, say, typing
a tilde escape) ... ?
Thanks in advance,
--
Jochen Bern
Systemingenieur
Binect GmbH
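Added example (not part of the message above or of any reply on the list): a small POSIX sh wrapper around the pattern the message circles around. It starts a throwaway ssh-agent per invocation, loads a single key with "ssh-add -c -t" so every signature needs confirmation and the identity deletes itself after a fixed window, passes "-A" to ssh, scp and sftp alike (the form the message reports as working for scp/sftp), and adds the "ChannelTimeout agent-connection" option the message mentions via "-o". The expiry it gives is a fixed time window after the key is loaded, not a hook on "session established"; that is the nearest automated equivalent with stock OpenSSH tools. The key path and the host alias "audit-proxy" are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original post or from OpenSSH itself.
# Runs one ssh/scp/sftp session through the audit proxy with a throwaway
# agent whose single key expires on its own, so the forwarded agent is only
# usable during the authentication window.
# Hypothetical: key path ~/.ssh/id_ed25519, proxy alias "audit-proxy".
set -eu

KEY=${KEY:-"$HOME/.ssh/id_ed25519"}
AUTH_WINDOW=${AUTH_WINDOW:-30}   # seconds the identity stays in the agent
IDLE_CUTOFF=${IDLE_CUTOFF:-5s}   # ChannelTimeout for idle forwarded-agent channels

# Per-tool flags. ssh, scp and sftp all accept -A; scp and sftp hand -o
# options through to the underlying ssh unchanged.
session_args() {
    case $1 in
        ssh|scp|sftp)
            printf '%s' "-A -o ChannelTimeout=agent-connection=$IDLE_CUTOFF" ;;
        *)
            printf 'session_args: unsupported tool %s\n' "$1" >&2
            return 1 ;;
    esac
}

# Start a private agent for this invocation. A long-lived agent holding
# other keys is never reachable from the proxy or the target this way.
start_scoped_agent() {
    eval "$(ssh-agent -s)" >/dev/null
    # -t: the identity is removed after AUTH_WINDOW seconds, whatever the
    #     remote side does with the forwarded socket afterwards.
    # -c: every signature request asks for confirmation, so use by the
    #     proxy or the target is visible and can be refused.
    ssh-add -c -t "$AUTH_WINDOW" "$KEY"
}

stop_scoped_agent() {
    # Wipe identities first, then kill the agent; both are best effort.
    ssh-add -D >/dev/null 2>&1 || true
    ssh-agent -k >/dev/null 2>&1 || true
}

# run_through_proxy ssh|scp|sftp <arguments for that tool>
run_through_proxy() {
    tool=$1; shift
    args=$(session_args "$tool")
    start_scoped_agent
    trap stop_scoped_agent EXIT INT TERM
    # Word-split the flag string on purpose; none of its fields contain spaces.
    # shellcheck disable=SC2086
    "$tool" $args "$@"
}

# Invoke as, for example (hypothetical hosts):
#   ./scoped-agent.sh ssh  audit-proxy
#   ./scoped-agent.sh scp  ./report.txt audit-proxy:/tmp/
#   ./scoped-agent.sh sftp audit-proxy
if [ "$#" -gt 0 ]; then
    run_through_proxy "$@"
fi
```

The confirmation prompt from "ssh-add -c" needs an askpass program (SSH_ASKPASS or a graphical session), as with any confirm-on-use key. If the proxy needs the key only for its own hop to the target, shortening AUTH_WINDOW to a few seconds narrows the exposure further; the forwarded socket still exists for the life of the session, but there is nothing left in the agent to sign with.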