Displaying 20 results from an estimated 92 matches for "forwardag".

2009 Jan 22
0
Unintended key info disclosure via ForwardAgent?
...likely better. Note also, the author may be without clue. Setup: [g] - refers to an administrative group of hosts [n] - refers to a host within that group ws[g][n] - management workstations [trusted] User ssh-add's keys for all local and remote host groups. ~/.ssh/config: Host locala* ForwardAgent yes IdentityFile ~/.ssh/id_dsa_locala Host remotea* IdentityFile ~/.ssh/id_dsa_remotea Host remoteb* IdentityFile ~/.ssh/id_dsa_remoteb ... Host * ForwardAgent no IdentitiesOnly yes local[g][n] - local hosts [generally trusted] ssh[d]_config are the installed default, ~...
2023 Apr 01
1
[Bug 3555] New: ForwardAgent doesn't work under Match canonical
https://bugzilla.mindrot.org/show_bug.cgi?id=3555 Bug ID: 3555 Summary: ForwardAgent doesn't work under Match canonical Product: Portable OpenSSH Version: 8.4p1 Hardware: amd64 OS: Linux Status: NEW Severity: normal Priority: P5 Component: ssh Assignee: unassigned-bugs at mindr...
2020 Oct 04
6
ability to select which identity to forward when using "ForwardAgent" ?
Hi, I usually have around 10 identities loaded in my local ssh-agent and when I use the "ForwardAgent" option all them are forwarded to the remote server, which is not ideal. I usually only need to forward one (or two) of the identities and I would like to be able to choose which one(s) to forward. Looking for solutions it seems that the only option is to create a new ssh-agent, add the re...
2015 Aug 04
0
[Bug 2438] New: Warn about using ForwardAgent with all hosts
https://bugzilla.mindrot.org/show_bug.cgi?id=2438 Bug ID: 2438 Summary: Warn about using ForwardAgent with all hosts Product: Portable OpenSSH Version: 6.9p1 Hardware: Other OS: All Status: NEW Severity: enhancement Priority: P5 Component: ssh Assignee: unassigned-bugs at mindrot.org Repo...
2001 Oct 26
2
Patch to add "warn" value to ForwardX11 and ForwardAgent
Because ForwardX11 and ForwardAgent are so useful but introduce risk when used to a not well-secured server, I added a "warn" value to the ForwardX11 and ForwardAgent options which causes the ssh client to print a big warning whenever the forwarding is actually used. I plan to make "ForwardX11=warn" the defaul...
2008 Aug 05
5
[Bug 1499] New: Add "ForwardAgent ask" to ssh_config
https://bugzilla.mindrot.org/show_bug.cgi?id=1499 Summary: Add "ForwardAgent ask" to ssh_config Classification: Unclassified Product: Portable OpenSSH Version: 4.7p1 Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P2 Component: ssh AssignedTo: unass...
2016 May 15
0
[Bug 1499] Add "ForwardAgent ask" to ssh_config
https://bugzilla.mindrot.org/show_bug.cgi?id=1499 Simon Arlott <bugzilla.mindrot-org.simon at arlott.org> changed: What: CC | Removed: (none) | Added: bugzilla.mindrot-org.simon@arlott.org ---
2004 Dec 27
1
Potential DoS against forwarded ssh-agent
It appears there is an opportunity for a denial-of-service attack against ssh-agent when using ForwardAgent. This note describes the circumstances, and provides a patch. Background (not the vulnerability): If ssh-agent is forwarded to a compromised account, a remote attacker could use the connection to authenticate as the owner of the agent. "ssh-add -c" currently defends agains...
2020 Sep 30
4
How to use ssh -i with a key from ssh-agent rather than from a file?
Hi, I have a VM with a git repository whose origin is on github. I have several keys known to github, so I needed to set git's core.sshcommand config parameter in the repository to something like this: ssh -i ~/.ssh/id_ed25519_github2 But it meant that I needed to copy that key to the VM. The same key is available via my forwarded ssh-agent connection. Is it possible to tell ssh to use
2014 Jan 09
1
OSX - SSH agent functionality differing based upon CLI arguments
...g works, and I am not prompted for credentials: ssh vagrant at 127.0.0.1 -p 2222 \ -o Compression=yes \ -o StrictHostKeyChecking=no \ -o LogLevel=FATAL \ -o StrictHostKeyChecking=no \ -o UserKnownHostsFile=/dev/null \ -o IdentitiesOnly=yes \ -i /Users/bryanhunt/.vagrant.d/insecure_private_key \ -o ForwardAgent=yes \ "/bin/sh -c 'git clone git at bitbucket.org:bryan_picsolve/poc_docker.git /home/vagrant/poc_dockera' " Cloning into '/home/vagrant/poc_dockera'... In the second instance I express the arguments differently ( -o HostName=127.0.0.1 -o User=vagrant ), and Agent For...
2015 Aug 16
0
[Bug 831] Allow agent forwarding in sftp & scp
...|kl_other+mindrot at icloud.com --- Comment #3 from kl_other+mindrot at icloud.com --- Patch needs to be updated, as it will conflict on both sftp.c (options changed since patch) and scp.c (the declaration of "n" added since patch). Patch changes behaviour in two ways: * Sets ForwardAgent=no by default, ForwardAgent=yes if -A is set. * Sets ForwardAgent=no after processing other args, which allows -oForwardAgent=yes to take effect, as ssh ignores duplicate command-line options. Once updated, I'd very much like this patch to go through. -- You are receiving this mail becaus...
2004 Jul 13
10
vulnerability with ssh-agent
Hi I have written a small introduction to newbies in Danish on ssh and friends. Now some people are questioning my advice and I think they have a point. I am advocating people to use DSA-keys and a config file with this: Protocol 2 ForwardAgent yes ForwardX11 yes Compression yes CompressionLevel 9 and running ssh-agent and ssh-add, and then logging in without giving keys. One commenter said that this has big holes. An intruder with root privileges could set SSH_AUTH_SOCKET to a socket for ssh-agent found in /tmp, and he coul...
2005 Mar 02
10
[Bug 990] OpenSSH cannot connect to an IBM RSA (Remote Supervisor Adaptor) II
http://bugzilla.mindrot.org/show_bug.cgi?id=990 Summary: OpenSSH cannot connect to an IBM RSA (Remote Supervisor Adaptor) II Product: Portable OpenSSH Version: 3.9p1 Platform: All OS/Version: All Status: NEW Severity: major Priority: P2 Component: ssh AssignedTo: openssh-bugs at
2001 Nov 11
1
[PATCH]: Change contrib/cygwin/ssh-host-config
...nfig 2001/11/11 17:06:47 @@ -98,7 +98,7 @@ then echo echo "There are still ssh processes running. Please shut them down first." echo - exit 1 + #exit 1 fi # Check for ${SYSCONFDIR} directory @@ -234,9 +234,9 @@ then # Site-wide defaults for various options # Host * -# ForwardAgent yes -# ForwardX11 yes -# RhostsAuthentication yes +# ForwardAgent no +# ForwardX11 no +# RhostsAuthentication no # RhostsRSAAuthentication yes # RSAAuthentication yes # PasswordAuthentication yes @@ -244,22 +244,14 @@ then # UseRsh no # BatchMode no # CheckHostIP yes...
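Review bot: In the first hunk, commenting out `exit 1` leaves the script printing "There are still ssh processes running. Please shut them down first." and then carrying on, so the message no longer matches what the script does. Either keep the exit, or reword the message as a warning and delete the line instead of leaving it commented out; the reason for continuing past running ssh processes should also be stated in the patch description.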
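Review bot: In the second hunk the sample `Host *` entries for ForwardAgent, ForwardX11 and RhostsAuthentication change from yes to no, but the `# RhostsRSAAuthentication yes` line directly below them is left unchanged. Please say whether that line is kept on purpose, and since all of these lines start with `#`, note in the description that they only document values in the generated file and do not themselves switch forwarding off.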
2015 Feb 23
4
Using confirmation of key usage per-host?
...'forwarded key' is used on this machine, the user is prompted on the workstation. An intruder cannot use the authentication information without the user knowing (at least that is how I understood the idea of agent confirmation). Using ssh-add -c on the workstation together with setting 'ForwardAgent=yes' in the .ssh/config achieves the desired behaviour. Unfortunately, this means the user is asked for confirmation, each time the key is used. Even if it is just to connect to a safe machine or without agent forwarding. Question: Is it possible to just get asked for confirmation, when t...
2015 Oct 16
2
Is there any solution, or even work on, limiting which keys gets forwarded where?
On Thu, Oct 15, 2015 at 07:02:58PM -0400, Nico Kadel-Garcia wrote: > On Thu, Oct 15, 2015 at 10:34 AM, hubert depesz lubaczewski > <depesz at depesz.com> wrote: > > Hi, > > > > I'm in a situation where I'm using multiple SSH keys, each to connect to > > different set of servers. > > > > I can't load/unload keys on demand, as I usually am
2017 Nov 01
2
Is it good for agent forwarding to creates socket in /tmp/
Hi After logging in to a remote server with ForwardAgent enabled, sshd on the remote server creates a socket at /tmp/ and permission is 0755/srwxr-xr-x. What is the reason to allow everyone to read this socket? Also, is it better to save this socket in /home/user/.ssh/? Best Regards ----------------------- Tran Dung
2023 Jul 19
1
Announce: OpenSSH 9.3p2 released
Hey. On Wed, 2023-07-19 at 08:40 -0600, Damien Miller wrote: > via a forwarded agent socket if the following > conditions are met: I assume this also means that when: ForwardAgent=no respectively: -a is used, one is not vulnerable? Thanks, Chris.
2023 Jul 20
1
Announce: OpenSSH 9.3p2 released
On Wed, 19 Jul 2023, Christoph Anton Mitterer wrote: > Hey. > > On Wed, 2023-07-19 at 08:40 -0600, Damien Miller wrote: > > via a forwarded agent socket if the following > > conditions are met: > > I assume this also means that when: > ForwardAgent=no > respectively: > -a > is used, one is not vulnerable? You'd still be vulnerable to a local attack if they could get past the filesystem permissions, however this is highly unlikely. I'd recommend the workaround in the release notes though.
2000 Dec 25
1
ssh-agent and protocol 2 ...
Mon Dec 25 20:19:05 GMT 2000 Greetings. I noticed that in OpenSSH_2.2.0, DSA keys were allowed to be added to ssh-agent, however the ability for allowing ForwardAgent does not yet seem in place for protocol-2. I've noticed that when using protocol-2, no socket is created in /tmp/ssh-*/, and consequently SSH_AUTH_SOCK is not being set. Hence the ability to ssh to another machine (using protocol-1 or protocol-2) without being asked for a password is lost...