SSH Agent Forwarding considered harmful

Submitted by Style Pass, 2021-06-04 17:30:05

Since I recently saw a post on Reddit netsec which sadly omitted what to use instead of ssh-agent, I felt it was time to write yet another discussion about the perils of what is a useless workflow at best and a dangerous habit at worst. I’ll show a simpler, more secure and more powerful alternative in the form of SSH ProxyCommand.

SSH Agent Forwarding can be enabled by calling ssh -A or by setting the ForwardAgent option in your config. It is meant as an easy way to connect to a host A with your SSH key and from there connect to another host B with that same key. This is obviously only needed if you cannot connect to host B directly from your workstation.

The problem is that while you’re connected to host A, a forwarding socket will be set up so that the SSH client on host A can connect to the ssh-agent on your workstation to perform authentication on its behalf. This means that anyone with sufficient permissions on host A will be able to use that socket to connect to and use your local ssh-agent. It could be the root user or anyone else who managed to compromise host A. The result is that this user would be able to impersonate you to any host for as long as you’re connected to host A.

You might say that host A only belongs to yourself, there is no other user on it, even less so someone with root access. But then again: Why take the chance? The probability of encountering a compromised machine increases with the number of hosts you connect to, and I know most people consider their workstation their most secure host.
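One way to find where agent forwarding is switched on in a client config, as an added example that is not code from the original post: the Python below scans ssh_config text and reports every block that enables ForwardAgent. The sample config is constructed, hostA and hostB are placeholder names, and its hostB entry shows the ProxyCommand form (ssh -W %h:%p hostA) that reaches host B through host A without forwarding the agent.

```python
import re

# Constructed sample: hostA forwards the agent; hostB is reached through
# hostA with ProxyCommand, the alternative the post recommends.
SAMPLE_CONFIG = """\
# constructed example, hostA/hostB are placeholder names
Host hostA
    User alice
    ForwardAgent yes

Host hostB
    ProxyCommand ssh -W %h:%p hostA
    forwardagent=no

Host legacy-*
    ForwardAgent $SSH_AUTH_SOCK

Host *
    ServerAliveInterval 30
"""

# ssh_config accepts "Keyword value" and "Keyword=value"; keywords ignore case.
OPTION_RE = re.compile(r"^\s*(\w+)(?:\s*=\s*|\s+)(.*?)\s*$")


def find_agent_forwarding(config_text):
    """Return (line_no, block, value) for each ForwardAgent setting that is not 'no'."""
    findings = []
    block = "(global)"  # options before the first Host/Match apply to every host
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        if raw.strip().startswith("#"):
            continue
        m = OPTION_RE.match(raw)
        if not m:
            continue  # blank line or keyword without a value
        keyword, value = m.group(1).lower(), m.group(2).strip('"')
        if keyword in ("host", "match"):
            block = f"{m.group(1)} {value}"
        # Anything other than "no" (yes, a socket path, a $VAR) enables forwarding.
        elif keyword == "forwardagent" and value.lower() != "no":
            findings.append((line_no, block, value))
    return findings


if __name__ == "__main__":
    for line_no, block, value in find_agent_forwarding(SAMPLE_CONFIG):
        print(f"line {line_no}: [{block}] ForwardAgent {value}")
```

The scan only reads the text it is given, so files pulled in through Include and forwarding requested on the command line with ssh -A have to be checked separately.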
