On Wed, Jul 19, 2023 at 10:07 PM Damien Miller <djm at mindrot.org>
wrote:
> On Wed, 19 Jul 2023, Christoph Anton Mitterer wrote:
>
> > Hey.
> >
> > On Wed, 2023-07-19 at 08:40 -0600, Damien Miller wrote:
> > > via a forwarded agent socket if the following
> > > conditions are met:
> >
> > I assume this also means that when:
> > ForwardAgent=no
> > respectively:
> > -a
> > is used, one is not vulnerable?
>
> You'd still be vulnerable to a local attack if they could get past the
> filesystem permissions, however this is highly unlikely.
>
> I'd recommend the workaround in the release notes though.

Disabling agent forwarding is recommended on a lot of systems.
Permitting agent forwarding is *extremely* useful for jump points,
intermediate exposed systems where you might want to use one
credential to log into the jump point, and another private key to
connect to another system, but don't want to install your private key
on the jump point itself.