
Risks of SSH ForwardAgent

🎃 kr0m

SSH agent forwarding (ForwardAgent) can be very useful, but it carries a real security risk: while the forwarded session is open, the intermediate server holds a Unix socket through which its sshd relays authentication requests back to the ssh-agent on our workstation. Anything on that intermediate host that can open the socket (root, or another process already running as our user) can authenticate as us to any server, Git hosting service or other system that trusts our key, without ever reading the private key itself.

In this article, we will walk step by step through how this is abused and how to avoid it by using ProxyJump instead of ForwardAgent.

The problem with ForwardAgent occurs if we have an SSH configuration like the following, or if we enable it on the command line with ssh -A or ssh -o "ForwardAgent yes":

vi .ssh/config

Host *
    ForwardAgent yes

With that configuration, the first user (user1) only needs to connect to the shared server and the socket appears there:

ssh SHARED_SERVER

Now a second user with root on the shared server (user2) can see the ForwardAgent socket of the first user:

ssh SHARED_SERVER

We look for the socket file (Unix sockets under /tmp whose path contains "ssh"):

find /tmp -path '*ssh*' -type s

/tmp/ssh-YOoGk79Zy5/agent.3681

NOTE: The socket directory (/tmp/ssh-XXXXXXXXXX) and the socket inside it are created with the connecting user as owner and mode 0700, so the socket is reachable only by that user and by root. The exposure is therefore to root on the shared server, and to anything else already running as user1 there.

Now we connect to a third server that user2 does not have direct access to. Pointing SSH_AUTH_SOCK at user1's forwarded socket makes user2's ssh client use user1's agent for authentication:

SSH_AUTH_SOCK=/tmp/ssh-YOoGk79Zy5/agent.3681 ssh EXTERNAL_SERVER

user2 has gained access to EXTERNAL_SERVER using user1's agent. In reality, user2 now has access to every server, Git repository and other service that trusts user1's SSH key, for as long as user1's forwarded session stays open. The private key itself never leaves user1's workstation, which is why no key file turns up on the shared server: the agent signs on behalf of whoever reaches the socket.

A simple way to check whether ForwardAgent sockets exist on a server is a small wrapper script that we use to connect to the servers. It runs the find command first and then connects normally:

vi sshForwardAgent

#!/usr/bin/env bash
# Wrapper around ssh: list forwarded agent sockets on the target, then open the session.
if [ "$#" -ne 1 ]; then
    echo "++ ERROR: Incorrect number of arguments" >&2
    echo "Usage: $0 HOST" >&2
    exit 1
fi

echo "---------------------------"
# Unix sockets (-type s) under /tmp whose path contains "ssh": forwarded agent sockets
ssh "$1" "find /tmp -path '*ssh*' -type s 2>/dev/null"
echo "---------------------------"
ssh "$1"

We make the script executable:

chmod 700 sshForwardAgent

NOTE: Make sure the script is in our PATH so that we can run it quickly without typing the full path.

Now we just have to connect to the servers using:

sshForwardAgent SERVER_IP
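The enumeration user2 performs above, and the check the wrapper script runs, combined in one added Python example (illustration code, not the article's own). It finds sockets named like OpenSSH's forwarded-agent sockets (ssh-*/agent.*) under a directory, records their owner and the mode of the enclosing directory, and then asks each one which keys it holds by sending the ssh-agent protocol's SSH_AGENTC_REQUEST_IDENTITIES message, the same request ssh-add -l makes. Because no real forwarded agent is available offline, the block starts a constructed stand-in agent in a temporary directory; the socket name is copied from the article's output and the key comment user1@laptop is made up.

```python
"""Added example: find forwarded ssh-agent sockets and ask each which keys it serves."""
import os
import pwd
import socket
import stat
import struct
import tempfile
import threading

SSH_AGENTC_REQUEST_IDENTITIES = 11   # client -> agent: "list your keys"
SSH_AGENT_IDENTITIES_ANSWER = 12     # agent -> client: public key blobs and comments


def find_agent_sockets(root="/tmp"):
    """Return one dict per socket that looks like OpenSSH's ssh-*/agent.* under root.

    dir_mode is the enclosing directory's permission bits (normally 0o700, which is
    what restricts the socket to its owner and root).
    """
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if not os.path.basename(dirpath).startswith("ssh-"):
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not (stat.S_ISSOCK(st.st_mode) and name.startswith("agent.")):
                continue
            try:
                owner = pwd.getpwuid(st.st_uid).pw_name
            except KeyError:
                owner = str(st.st_uid)
            found.append({"path": path, "owner": owner,
                          "dir_mode": oct(stat.S_IMODE(os.stat(dirpath).st_mode))})
    return found


def _read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the connection")
        buf += chunk
    return buf


def _ssh_string(data):
    """Encode an SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _parse_string(buf, off):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def list_identities(sock_path, timeout=2.0):
    """Ask the agent behind sock_path for its identities; return [(key_type, comment), ...]."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        # Every agent message is: uint32 length, then a 1-byte type and the body.
        s.sendall(_ssh_string(bytes([SSH_AGENTC_REQUEST_IDENTITIES])))
        (length,) = struct.unpack(">I", _read_exact(s, 4))
        msg = _read_exact(s, length)
    if msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError(f"unexpected agent reply type {msg[0]}")
    (count,) = struct.unpack(">I", msg[1:5])
    off, identities = 5, []
    for _ in range(count):
        blob, off = _parse_string(msg, off)       # public key blob
        comment, off = _parse_string(msg, off)    # e.g. user1@laptop
        key_type, _ = _parse_string(blob, 0)      # first field of a blob names the algorithm
        identities.append((key_type.decode(), comment.decode(errors="replace")))
    return identities


def start_fake_agent(sock_path, identities):
    """Constructed stand-in for ssh-agent: answers one REQUEST_IDENTITIES, then exits."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            (length,) = struct.unpack(">I", _read_exact(conn, 4))
            req = _read_exact(conn, length)
            if req[0] == SSH_AGENTC_REQUEST_IDENTITIES:
                body = struct.pack(">I", len(identities))
                for key_type, comment in identities:
                    blob = _ssh_string(key_type.encode()) + _ssh_string(b"\x00" * 32)  # dummy key bytes
                    body += _ssh_string(blob) + _ssh_string(comment.encode())
                conn.sendall(_ssh_string(bytes([SSH_AGENT_IDENTITIES_ANSWER]) + body))

    threading.Thread(target=serve, daemon=True).start()


def demo():
    """Recreate the article's scenario in a temp dir and query the socket like user2 would."""
    root = tempfile.mkdtemp()
    agent_dir = os.path.join(root, "ssh-YOoGk79Zy5")   # directory name taken from the article
    os.mkdir(agent_dir, 0o700)
    sock_path = os.path.join(agent_dir, "agent.3681")
    start_fake_agent(sock_path, [("ssh-ed25519", "user1@laptop")])  # made-up identity
    found = find_agent_sockets(root)
    for entry in found:
        entry["identities"] = list_identities(entry["path"])
    return found


if __name__ == "__main__":
    for entry in demo():
        print(entry["path"], entry["owner"], entry["dir_mode"], entry["identities"])
```

Run as root on a shared server with find_agent_sockets("/tmp"), this lists every user's forwarded agent and the key types and comments behind it; that is the inventory an attacker with root takes, and also the audit a defender wants. Note that reaching the socket requires search permission on the 0o700 directory, so unprivileged users other than the owner are stopped at connect(); the agent itself performs no authentication of its clients.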


If we use ForwardAgent only because the final server sits in a restricted network behind firewalls, NATs, etc. and has to be reached through an intermediate host, we can use ProxyJump instead. With ProxyJump the intermediate server merely relays a TCP connection; the SSH session to the final server is established end to end from our workstation, our keys are still used to authenticate to it, and no agent socket is created on the intermediate host.

This method has a limitation: it does not make our keys available on the remote hosts, so operations that must authenticate from there with our key, such as a git clone run on the final server, do not work. For those cases we still need the classic ForwardAgent. When we do use it, enable it per host rather than with Host *, and consider loading the key with ssh-add -c, which makes the agent ask for confirmation before each use so that a hijacked socket cannot sign silently.

The ssh configuration would be as follows:

vi .ssh/config

Host SHARED_SERVER
        Hostname SHARED_SERVER_IP
Host EXTERNAL_SERVER
        ProxyJump SHARED_SERVER

Or by cli:

ssh -J SHARED_SERVER EXTERNAL_SERVER
