SSH ForwardAgent can be very useful, but it also carries a security risk: the second connection, from the intermediate server to the final server, is authenticated through a Unix socket created on the intermediate server, and any user with root access to that shared server can use that socket.
In this article, we will explain step by step how to exploit this vulnerability and how to avoid it by using ProxyJump instead of ForwardAgent.
The problem with ForwardAgent appears if we have an SSH configuration like the following, or if we enable ForwardAgent from the command line with ssh -A or ssh -o "ForwardAgent yes":
Host *
ForwardAgent yes
This user only needs to connect to the shared server:
Now a second user who connects to the shared server can see the ForwardAgent socket of the first user:
We look for the socket file:
/tmp/ssh-YOoGk79Zy5/agent.3681
NOTE: The socket file will be created with the owner being the user who made the SSH connection.
We connect to a third server that user2 has no direct access to; by using the ForwardAgent socket, they can still gain access:
user2 has gained access to EXTERNAL_SERVER using user1's agent. In practice, they will have access to every server, Git repository and other service that trusts user1's SSH key.
A simple way to check whether ForwardAgent sockets exist is to write a small wrapper script that we use to connect to the servers: it runs the find command first and then opens the normal connection:
#!/usr/bin/env bash
# Wrapper around ssh: list any forwarded agent sockets on the target, then connect.
if [ $# -ne 1 ]; then
    echo "++ ERROR: Incorrect number of arguments" >&2
    exit 1
fi
echo "---------------------------"
# Unix sockets (-type s) under /tmp whose path contains "ssh" are agent sockets.
ssh "$1" "find /tmp -path '*ssh*' -type s 2>/dev/null"
echo "---------------------------"
ssh "$1"
We assign the necessary permissions:
NOTE: We have to make sure that the script is in our PATH so that we can run it comfortably and quickly without typing its full path.
Now we just have to connect to the servers using:
If we are using ForwardAgent only because we have to go through an intermediate server to reach a final server that sits in a restricted network (behind firewalls, NAT, etc.), we can use ProxyJump instead. With ProxyJump our key is still used to authenticate to the final server, but no socket file is created on the intermediate server.
This method has its limitations, since it does not allow operations such as a git clone. For those cases we still need the classic ForwardAgent.
The ssh configuration would be as follows:
Host SHARED_SERVER
Hostname SHARED_SERVER_IP
Host EXTERNAL_SERVER
ProxyJump SHARED_SERVER
Or from the command line:
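To spot the weak "Host *" configuration from the beginning of the article in a client ssh_config, here is a small audit script. It is an added example, not part of the original article; the function names are our own, and it assumes the common "Keyword value" syntax inside Host blocks (Match blocks and "Keyword=value" syntax are not handled).

```shell
#!/usr/bin/env bash
# Added example (not from the article): report which Host blocks of a client
# ssh_config enable ForwardAgent. Settings before the first "Host" line apply
# to every host and are reported as "(global)".

# Print one "HOSTPATTERN<TAB>yes|no" line per Host block of the given file.
# Any ForwardAgent value other than "no" (yes, a socket path, an env var)
# enables forwarding, so only "no" counts as disabled.
forward_agent_status() {
    awk '
        BEGIN { host = "(global)"; fa = "no" }
        $1 ~ /^#/ || NF == 0 { next }              # skip comments and blank lines
        tolower($1) == "host" {
            if (host != "(global)" || fa == "yes") print host "\t" fa
            host = $2                               # keep every pattern on the line
            for (i = 3; i <= NF; i++) host = host " " $i
            fa = "no"
        }
        tolower($1) == "forwardagent" {
            fa = (tolower($2) == "no") ? "no" : "yes"
        }
        END { if (host != "(global)" || fa == "yes") print host "\t" fa }
    ' "$1"
}

# Return 0 if no Host block enables ForwardAgent, 1 otherwise (listing them).
audit_forward_agent() {
    local offenders
    offenders=$(forward_agent_status "$1" | awk -F'\t' '$2 == "yes" { print $1 }')
    if [ -n "$offenders" ]; then
        printf 'ForwardAgent enabled for: %s\n' "$offenders"
        return 1
    fi
    return 0
}

# Demo on a constructed config (not a real one): the weak catch-all from the
# article next to a ProxyJump entry that needs no agent forwarding.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
Host *
    ForwardAgent yes
Host EXTERNAL_SERVER
    ProxyJump SHARED_SERVER
EOF
if audit_forward_agent "$demo_cfg"; then echo "config OK: no ForwardAgent"; fi
rm -f "$demo_cfg"
```

Run it against ~/.ssh/config (or /etc/ssh/ssh_config) to see which blocks hand your agent to the intermediate server.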