ssh agent forwarding
Alex Satrapa
grail at goldweb.com.au
Fri Sep 20 00:09:49 EST 2002
On Thursday, September 19, 2002, at 10:29, Brett Worth wrote:
> Was it a security hole?
When used incorrectly, yes it was a security hole. Remember that
SSH-agent forwarding relies on trusting the intermediate host.
> Has it just never been implemented in openssh?
It's been implemented for a while. In the default installation, you'll
need to specify that you want agent forwarding turned on:
ssh -A user@remotehost
Otherwise, make this dangerous modification to the ~/.ssh/config or
/etc/ssh_config files: Change the "ForwardAgent" option from "no" (the
default, and safest choice) to "yes".
ForwardAgent yes
NB: THIS IS NOT A GOOD IDEA
Remember, since the agent forwarding is done using sockets or pipes on
the intermediate host, it's trivially easy for 'root' on that machine to
use your ssh-agent to authenticate themselves as you to anywhere that
trusts you.
To be safer, specify the hosts to which you wish to allow agent
forwarding:
Host *.trusteddomain
    ForwardAgent yes
I'm sure other people will follow up to this message to slap me on the
wrists for giving such dangerous advice ;)
Alex
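Added example, not part of Alex's message: a small POSIX shell/awk audit that reads an ssh_config and reports whether ForwardAgent is enabled for every host ("global", the setting the post warns against), only inside specific Host blocks ("scoped", the safer form shown above), or not at all ("off"). The function name forward_agent_scope, the handling of Host/Match blocks and of the "ForwardAgent=yes" spelling, and the three sample config files are all assumptions of this example; the sample files are constructed for the demo and are not from the post.

```shell
#!/bin/sh
# Added example (not from the original post): audit an ssh_config for
# ForwardAgent. Any value other than "no" turns forwarding on, so the
# script treats all of those the same. An option that appears before any
# Host line, or under a Host block containing the pattern "*", applies to
# every destination and is reported as "global".

# Usage: forward_agent_scope [FILE]   (reads stdin when no file is given)
# Prints exactly one of: global, scoped, off
forward_agent_scope() {
    awk '
        BEGIN { FS = "[ \t=]+"; global_block = 1; g = 0; s = 0 }
        {
            sub(/#.*/, "")                    # drop comments ($0 is re-split)
            sub(/^[ \t]+/, "")                # drop leading indentation
            if (NF == 0) next
            key = tolower($1)
            if (key == "host") {
                # a Host block is global if any of its patterns is "*"
                global_block = 0
                for (i = 2; i <= NF; i++) if ($i == "*") global_block = 1
                next
            }
            if (key == "match") {
                # Match blocks are scoped unless they are "Match all"
                global_block = (NF == 2 && tolower($2) == "all")
                next
            }
            if (key == "forwardagent") {
                val = tolower($2)
                if (val != "" && val != "no") {
                    if (global_block) g = 1; else s = 1
                }
            }
        }
        END { print (g ? "global" : (s ? "scoped" : "off")) }
    ' "$@"
}

# Constructed sample configs (hypothetical, for the demo only).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/global.conf" <<'EOF'
# forwarding on for every host: the setting the post warns against
ForwardAgent yes
EOF

cat > "$demo_dir/scoped.conf" <<'EOF'
# forwarding only to the trusted domain, off everywhere else
Host *.trusteddomain
    ForwardAgent yes

Host *
    ForwardAgent no
EOF

cat > "$demo_dir/off.conf" <<'EOF'
# the default: never forward the agent
Host *
    ForwardAgent no
EOF

# Report each sample; "global" is the one worth fixing.
for f in global scoped off; do
    printf '%-12s %s\n' "$f.conf:" "$(forward_agent_scope "$demo_dir/$f.conf")"
done
```

Run it against your own file with `forward_agent_scope ~/.ssh/config`; a result of "global" means every host you ssh to, including ones where someone else is root, can reach your agent.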