Author gives directions such as "don't use X!!" without explaining why, or what. That is terrible. Please inform people, instead of making empty statements.
SSH Agent forwarding let the remote host query your local agent. The agent responds to challenges. The private key is NEVER transmitted.
So no, its absolutely NOT equivalent to storing your private key on the remote server - did you think OpenSSH were that dumb?
The risk with SSH agent forwarding, is that as long as your session is running with agent forwarding on the remote host can query challenges and use them to authenticate anywhere you're allowed to authenticated to, granted that your ssh-agent keys are currently unlocked.
So indeed, using SSH agent forwarding every where is bad practice. But it doesn't mean you can't use it. You just need to know it's limitations.
When not used, you can use ssh -oProxyCommand='ssh -W jumphost targethost 22' targethost and/or put it in the ssh config, which is actually more convenient in most common cases.
It's also tiring to see so called ssh tricks every next day, asif everyone didnt see yesterday's one. And with incorrect statements, its worse.
I always go in hard on agent forwarding because I don't think most people understand the limitations. If you look at my wording I said:
"as if they had your private keys, because functionally speaking, they do"
The remote hosts may not have the actual private key data, but they can operate as if they do. I will expand that section a little, but not at the expense of warning people off the feature.
Thanks for the reminder about -W though, I meant to add that to the jump host section with a note that it's only available since OpenSSH 5.4.
I apologise for tiring you, best of luck with your recovery :)
2 comments
[ 5.4 ms ] story [ 11.6 ms ] threadAuthor gives directions such as "don't use X!!" without explaining why, or what. That is terrible. Please inform people, instead of making empty statements.
SSH Agent forwarding let the remote host query your local agent. The agent responds to challenges. The private key is NEVER transmitted.
So no, its absolutely NOT equivalent to storing your private key on the remote server - did you think OpenSSH were that dumb?
The risk with SSH agent forwarding, is that as long as your session is running with agent forwarding on the remote host can query challenges and use them to authenticate anywhere you're allowed to authenticated to, granted that your ssh-agent keys are currently unlocked.
So indeed, using SSH agent forwarding every where is bad practice. But it doesn't mean you can't use it. You just need to know it's limitations.
When not used, you can use ssh -oProxyCommand='ssh -W jumphost targethost 22' targethost and/or put it in the ssh config, which is actually more convenient in most common cases.
It's also tiring to see so called ssh tricks every next day, asif everyone didnt see yesterday's one. And with incorrect statements, its worse.
"as if they had your private keys, because functionally speaking, they do"
The remote hosts may not have the actual private key data, but they can operate as if they do. I will expand that section a little, but not at the expense of warning people off the feature.
Thanks for the reminder about -W though, I meant to add that to the jump host section with a note that it's only available since OpenSSH 5.4.
I apologise for tiring you, best of luck with your recovery :)