Jochen Bern
2025-Feb-17 19:35 UTC
Agent Forwarding and (Crypto-Tunnel-Interrupting) Proxies / Jump Hosts
Hello,

today our remote access to a platform got switched from direct SSH over to an "audit capable" proxy (read: supposedly decrypts and re-encrypts the data passing through), which makes it necessary that we always forward the agent so that the proxy -> target SSH connection can get authenticated as well. I noticed two side effects and would like to ask whether there are possibilities to address them:

1. Adding "ForwardAgent yes" to the relevant ~/.ssh/config entries works for "ssh", but I still have to use an explicit "-A" with "scp" and "sftp". I presume that that's intentional? If so, would it be possible to add support for something like "ForwardAgent always"? (I'm using the Fedora-40-supplied "OpenSSH_9.6p1, OpenSSL 3.2.2 4 Jun 2024".)

2. Since the proxy is not under our control, the agent now *always* gets forwarded all the way to the target host, which most often is *not* desirable. (Alas, we *sometimes* need that functionality, though.) Sure, I can try to "unset SSH_AUTH_SOCK", delete the actual socket, try to weaponize "ChannelTimeout agent-connection=5s", and *I* am using "-c" with "ssh-add" anyway, but. Is there a way to properly disconnect/expire the local agent from a(n) *ongoing* / freshly-successfully-established SSH connection? Preferably in an automated way (rather than, say, typing a tilde escape) ... ?

Thanks in advance,
-- 
Jochen Bern
Systemingenieur
Binect GmbH
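The post mentions "ForwardAgent yes" per host, "ChannelTimeout agent-connection=5s" and "ssh-add -c" as the knobs that are available. The script below is an added example (it is not part of the post and not OpenSSH's own code) that puts those knobs into one ssh_config arrangement: the global default stays "ForwardAgent no", forwarding is enabled only for the hosts reached through the audited proxy, and idle agent channels on those connections are closed after 5 seconds. Because ssh_config applies the first value it finds for an option, the per-host block has to sit before "Host *"; the `effective_forward_agent` function emulates that first-match rule over plain `Host` glob blocks so the ordering can be checked without ssh itself. The host names `*.audited.example` and `other.example` are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenSSH): an ssh_config
# that forwards the agent only to the audited proxy path and keeps the global
# default at "no", plus a small checker that emulates ssh_config's
# "first obtained value wins" rule so the block order can be verified.
# Host names below (*.audited.example, other.example) are constructed placeholders.
set -f   # no pathname expansion: "Host *" must stay a literal pattern when split

write_ssh_config() {
  # $1 = path of the config file to create
  cat > "$1" <<'EOF'
# Specific blocks must come BEFORE "Host *": ssh uses the first value it finds.
# Hosts reached through the audit proxy: the proxy -> target hop is
# authenticated with our forwarded agent, so forwarding is required here.
# Idle agent channels are closed after 5s so a forwarded socket on the far
# side does not stay usable for the whole session.
Host *.audited.example
    ForwardAgent yes
    ChannelTimeout agent-connection=5s

# Everything else: never expose the agent.
# Load keys with "ssh-add -c" so every use through a forwarded socket
# still needs an interactive confirmation on this machine.
Host *
    ForwardAgent no
EOF
}

effective_forward_agent() {
  # $1 = config file, $2 = host alias as typed on the command line.
  # Walks the file once: a Host line with at least one matching glob pattern
  # opens a block, and the first ForwardAgent value seen inside an open block
  # wins. Only "Host" blocks with plain glob patterns and "Keyword value"
  # lines are handled (no "!" negation, no "Match", no "Keyword=value"),
  # which covers the config above.
  config="$1"; want="$2"; active=1; found=""
  while IFS= read -r line || [ -n "$line" ]; do
    set -- $line                      # split on whitespace (globbing is off)
    [ $# -eq 0 ] && continue          # blank line
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    shift
    case "$key" in
      '#'*) continue ;;               # comment line
      host)
        active=0
        for pat in "$@"; do
          case "$want" in $pat) active=1 ;; esac   # shell glob == ssh_config glob here
        done ;;
      forwardagent)
        if [ "$active" -eq 1 ] && [ -z "$found" ]; then found="$1"; fi ;;
    esac
  done < "$config"
  printf '%s\n' "${found:-no}"        # OpenSSH's built-in default is "no"
}

main() {
  tmp=$(mktemp)
  write_ssh_config "$tmp"
  for h in target.audited.example other.example; do
    printf '%-24s ForwardAgent=%s\n' "$h" "$(effective_forward_agent "$tmp" "$h")"
  done
  rm -f "$tmp"
}
main
```

Running it prints `ForwardAgent=yes` for `target.audited.example` and `ForwardAgent=no` for `other.example`; swapping the two blocks in the config would make the checker report "no" for both, which is exactly the mistake the first-match rule invites. Note that scp and sftp pass their own `ForwardAgent=no` to the ssh process they spawn, and a command-line option overrides the config file, so the `-A` the post mentions is still needed for those two tools even with this config in place.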