ssh agent forwarding

Drake Diedrich dld at
Fri Sep 20 10:36:58 EST 2002

On Fri, Sep 20, 2002 at 12:09:49AM +1000, Alex Satrapa wrote:
>   ForwardAgent yes
> I'm sure other people will followup to this message to slap me on the 
> wrists for giving such dangerous advice ;)

   Oh, if you insist.  :)  To do this safely, slogin to the relay host (and
back out), to make a known_hosts entry.  The paranoid would then check the
.ssh/knownhosts[2] entry against the printed copy of the remote hosts 
pubkey (easiest to obtain by slogin localhost and look in the knownhosts
file on the remote).  Only then should you make a host-specific entry in
your .ssh/config file turning on Forwarding.  If you ever get the warning
that the host key has changed, turn forwading off until you've sorted out
whether it's legit.  The intermediate host has access to the private keys of
each ssh key you've put in the ssh-agent.

   Debian has for many years now (following a patch that Branden liked)
started ssh-agent as part of the default Xsession.  To add your local keys
automatically on login, add this to your .xsession:

if ssh-add -l | grep "The agent has no identities"; then
        ssh-add .ssh/identity .ssh/id_rsa </dev/null

  The wrapper is so you can do monitor hijacking via x2x and keep your
connection to the original ssh-agent, rather than starting a second one on a
normally X-less system.  And with that bait:


ssh -f duh 'unset XAUTHORITY ; startx < /dev/tty8'


ssh -f duh 'x2x -from $DISPLAY -to :0 -east'
exit 0

More information about the linux mailing list