ssh agent forwarding

Alex Satrapa grail at
Fri Sep 20 00:09:49 EST 2002

On Thursday, September 19, 2002, at 10:29 , Brett Worth wrote:

> Was it a security hole?

When used incorrectly, yes it was a security hole.  Remember that 
SSH-agent forwarding relies on trusting the intermediate host.

> Has it just never been implemented in openssh?

It's been implemented for a while.  In the default installation, you'll 
need to specify that you want agent forwarding turned on:

   ssh -A user@remotehost

Otherwise, make this dangerous modification to the ~/.ssh/config or 
/etc/ssh_config files: Change the "ForwardAgent" option from "no" (the 
default, and safest choice) to "yes".

   ForwardAgent yes


Remember, since the agent forwarding is done using sockets or pipes on 
the intermediate host, it's trivially easy for 'root' on that machine to 
use your ssh-agent to authenticate themselves as you to anywhere that 
trusts you.

To be safer, specify the hosts to which you wish to allow agent 

Host *.trusteddomain
   ForwardAgent yes

I'm sure other people will followup to this message to slap me on the 
wrists for giving such dangerous advice ;)
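As an added example, not from Alex's post or from OpenSSH itself: the host-scoped config he suggests, written next to the dangerous global "ForwardAgent yes", plus a small POSIX sh lookup that applies the one ssh_config rule people trip over when scoping options this way: ssh uses the first value it finds for an option, so the "Host *.trusteddomain" block has to come before "Host *". The hostnames, domain and temp-file path are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): a safe ssh_config layout beside the
# dangerous one, and a first-match-wins lookup that mimics how ssh resolves
# ForwardAgent for a given host. Hostnames and paths below are made up.
set -euf   # -f: no pathname expansion, so "*.trusteddomain" stays literal

CFG="${TMPDIR:-/tmp}/ssh_config.example"

# Host-specific blocks MUST come before "Host *": ssh keeps the first value it
# finds for each option, so a "Host *" block at the top would win everywhere.
cat > "$CFG" <<'EOF'
# Forward the agent only to hosts whose root we are willing to trust.
Host bastion.trusteddomain *.trusteddomain
    ForwardAgent yes

# Everything else: the default, and safest, choice.
Host *
    ForwardAgent no
EOF

# The modification the post warns against: every host you log into, and any
# root on it, gets to use your agent.
cat > "$CFG.dangerous" <<'EOF'
Host *
    ForwardAgent yes
EOF

# forward_agent_for HOST [CONFIG]: print the effective ForwardAgent value.
# Scans Host blocks in order, glob-matches HOST against each pattern on the
# Host line (negated "!" patterns are not handled), and prints the first
# ForwardAgent value found in a matching block; "no" if nothing matches.
forward_agent_for() {
    host=$1
    cfg=${2:-$CFG}
    matched=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}          # drop comments
        set -- $line              # split into keyword and arguments
        [ $# -ge 2 ] || continue
        key=$1; shift
        case "$key" in
            Host|host)
                matched=0
                for pat in "$@"; do
                    # unquoted on purpose: case does glob matching on $pat
                    case "$host" in
                        $pat) matched=1 ;;
                    esac
                done
                ;;
            ForwardAgent|forwardagent)
                if [ "$matched" -eq 1 ]; then
                    printf '%s\n' "$1"
                    return 0
                fi
                ;;
        esac
    done < "$cfg"
    printf 'no\n'
}

# Show the effective setting for a few hosts under each config.
for h in bastion.trusteddomain web.trusteddomain shell.example.net; do
    printf '%-24s safe: %-3s  dangerous: %s\n' "$h" \
        "$(forward_agent_for "$h")" "$(forward_agent_for "$h" "$CFG.dangerous")"
done
```

On a current OpenSSH (6.8 or later) the real answer for any host is `ssh -G shell.example.net | grep -i forwardagent`, which prints the value ssh would actually use after applying the same first-match rule. Two related checks worth knowing: `ssh-add -c` adds keys so that every use of them through the agent, forwarded or not, must be confirmed on your own machine, and for the common "hop through a bastion" case `ssh -J bastion.trusteddomain target` (ProxyJump, OpenSSH 7.3+) reaches the target without ever exposing an agent socket on the bastion.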
