How to disable ssh-agent forwarding

Tags:

linux

ssh

ssh-agent forwarding can be accomplished with ssh -A ....

Most references I have found state that the local machine must configure ~/.ssh/config to enable AgentForwarding with the following code:

Host <trusted_ip>
  ForwardAgent yes

Host *
  ForwardAgent no

However, with this configuration, I am still able to see my local machine's keys when tunneling into a remote machine with ssh -A user@remote_not_trusted_ip and running ssh-add -l.

From the configuration presented above, I would expect that the ssh-agent forwarding would fail and the keys of the local machine would not be listed by ssh-add -l.

Why is the machine @remote_not_trusted_ip able to access the ssh-agent forwarded keys even though the ~/.ssh/config file states the following?

Host *
  ForwardAgent no

How can I prevent ssh-agent from forwarding keys to machines not explicitly defined in the ~/.ssh/config?

Ulad Kasach asked Dec 03 '22 22:12


2 Answers

How can I prevent ssh-agent from forwarding keys to machines not explicitly defined in the ~/.ssh/config?

It is the default behavior. If you do not allow it in ~/.ssh/config it will not be forwarded. But the command-line arguments have higher priority, so they override what is defined in the configuration, as explained in the manual page for ssh_config:

ssh(1) obtains configuration data from the following sources in the following order:

  1. command-line options
  2. user's configuration file (~/.ssh/config)
  3. system-wide configuration file (/etc/ssh/ssh_config)

So as already said, you just need to provide correct arguments to ssh.

So back to the questions:

Why is the machine @remote_not_trusted_ip able to access the ssh-agent forwarded keys even though the ~/.ssh/config file states the following?

Host *
  ForwardAgent no

Because the command-line argument -A has higher priority than the configuration files.

How can I prevent ssh-agent from forwarding keys to machines not explicitly defined in the ~/.ssh/config?

Do not use the -A command-line option if you do not want to forward your ssh-agent. Use the -a command-line option instead.

Jakuje answered Dec 06 '22 12:12


You are using the -A option to connect. man ssh says:

-A Enables forwarding of the authentication agent connection.

You should connect without -A, just using:

ssh user@remote_not_trusted_ip

CLI args take priority over the ssh config file.

By the way, if you want to connect to your trusted IP without forwarding, you can also use:

ssh -a user@trusted_ip

-a Disables forwarding of the authentication agent connection.

Wee answered Dec 06 '22 10:12
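Both answers come down to the precedence rules of ssh(1). The Python resolver below is an added example, not code from the question or either answer: it models those rules (command line first, then the user config, where the first obtained value wins) over a constructed config using the documentation addresses 203.0.113.10 for <trusted_ip> and 198.51.100.7 for remote_not_trusted_ip, and also covers the ordering pitfall where a Host * block placed first silences the trusted host's ForwardAgent yes.

```python
import fnmatch
# Constructed config mirroring the question's layout; 203.0.113.10 stands in
# for <trusted_ip> (a documentation address, not a real host).
SSH_CONFIG = """\
Host 203.0.113.10
  ForwardAgent yes
Host *
  ForwardAgent no
"""
# Same two blocks with the catch-all FIRST: a common mistake, see the test.
REVERSED_CONFIG = """\
Host *
  ForwardAgent no
Host 203.0.113.10
  ForwardAgent yes
"""
def parse_ssh_config(text):
    """Return [(host_patterns, {option: value}), ...] in file order.
    Options that appear before any Host line apply to every host."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1][key] = value
    return blocks

def effective_option(config_text, host, option, cli_value=None, default="no"):
    """ssh(1) precedence: the command line wins outright; otherwise the FIRST
    config block that matches the host and sets the option wins, and later
    blocks cannot override it. Only * and ? wildcards are modelled here."""
    if cli_value is not None:
        return cli_value
    for patterns, opts in parse_ssh_config(config_text):
        matched = any(fnmatch.fnmatchcase(host, p) for p in patterns)
        if matched and option.lower() in opts:
            return opts[option.lower()]
    return default

def forward_agent(config_text, host, flag=None):
    """Effective ForwardAgent for 'ssh [flag] user@host'; flag is -A, -a or None."""
    cli = {"-A": "yes", "-a": "no", None: None}[flag]
    return effective_option(config_text, host, "ForwardAgent", cli)
```

On a real machine, ssh -G user@host (supported by recent OpenSSH) prints the resolved configuration, including the forwardagent value, so you can confirm what a given command line and config will do before connecting.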