ssh agent forwarding
grail at goldweb.com.au
Fri Sep 20 00:09:49 EST 2002
On Thursday, September 19, 2002, at 10:29, Brett Worth wrote:
> Was it a security hole?
When used incorrectly, yes it was a security hole. Remember that
SSH-agent forwarding relies on trusting the intermediate host.
> Has it just never been implemented in openssh?
It's been implemented for a while. In the default installation, you'll
need to specify that you want agent forwarding turned on:
    ssh -A user@remotehost
Otherwise, make this dangerous modification to the ~/.ssh/config or
/etc/ssh_config files: Change the "ForwardAgent" option from "no" (the
default, and safest choice) to "yes".
NB: THIS IS NOT A GOOD IDEA
Remember, since the agent forwarding is done using sockets or pipes on
the intermediate host, it's trivially easy for 'root' on that machine to
use your ssh-agent to authenticate themselves as you to anywhere that
To be safer, specify the hosts to which you wish to allow agent
I'm sure other people will follow up to this message to slap me on the
wrists for giving such dangerous advice ;)
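
Added example, not part of the original message: a small Python audit of an ssh client config that reports which Host blocks enable ForwardAgent for wildcard patterns and what value a given host ends up with under ssh_config's first-value-wins rule. The sample config, host names and function names are constructed for illustration; Match blocks and Include files are not evaluated.

```python
import fnmatch
import re

# Constructed sample ~/.ssh/config; all host names are placeholders.
SAMPLE_CONFIG = """\
Host bastion.example.org
    ForwardAgent yes

Host *.lab.example.org !build.lab.example.org
    ForwardAgent=yes

Host *
    ForwardAgent no
"""

def parse_blocks(text):
    """Return [(host_patterns, options)] in file order."""
    blocks = [(["*"], {})]  # options before the first Host line apply to every host
    for raw in text.splitlines():
        m = re.match(r"([^\s=#]+)[\s=]+(.*)", raw.strip())
        if not m:
            continue  # blank line, comment, or keyword without a value
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            # Match blocks are not evaluated: give them no patterns so they never apply.
            blocks.append((value.split() if key == "host" else [], {}))
        else:
            blocks[-1][1].setdefault(key, value)  # first value obtained wins
    return blocks

def host_matches(patterns, host):
    """A Host line matches if a positive pattern matches and no negated one does."""
    if any(p.startswith("!") and fnmatch.fnmatchcase(host, p[1:]) for p in patterns):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in patterns if not p.startswith("!"))

def effective_forward_agent(text, host):
    """ForwardAgent value ssh would use for host; 'no' is the default."""
    for patterns, opts in parse_blocks(text):
        if "forwardagent" in opts and host_matches(patterns, host):
            return opts["forwardagent"].lower()
    return "no"

def risky_blocks(text):
    """Host lines that enable forwarding for a wildcard pattern instead of a named host."""
    return [" ".join(p) for p, o in parse_blocks(text)
            if o.get("forwardagent", "no").lower() != "no"
            and any(c in pat for pat in p if not pat.startswith("!") for c in "*?")]
```
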