Hi, I can disable agent-forwarding for any given key by prefixing it with "no-agent-forwarding", but it seems there's no global sshd_config setting for this (ie no "AgentForwarding [yes|no]"). Is this on purpose? If so, what's the rationale? -Jan -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 186 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20090324/bd823264/attachment.bin
On 03/24/2009 12:33 PM, Jan Schaumann wrote:> Hi, > > I can disable agent-forwarding for any given key by prefixing it with > "no-agent-forwarding", but it seems there's no global sshd_config > setting for this (ie no "AgentForwarding [yes|no]"). Is this on > purpose? If so, what's the rationale?sshd_config(5) shows: AllowAgentForwarding Specifies whether ssh-agent(1) forwarding is permitted. The default is ?yes?. Note that disabling agent forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders. hth, --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 890 bytes Desc: OpenPGP digital signature Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20090324/38826200/attachment.bin
Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:> sshd_config(5) shows: > > AllowAgentForwardingAh, only available since 5.1. Nevermind, then. Thanks, -Jan -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 186 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20090324/1e0ae5d2/attachment.bin
Seemingly Similar Threads
- Socket forwarding with non existent remote directories
- A way to log what line of authorized_keys that was used
- How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)
- Patch to fix the 255 status code problem
- ssh-keygen -r should support SSHFP records for ECDSA (or at least return non-zero error code on failure)