How can I, as a user logged in to a remote server via ssh, check if ssh-agent forwarding is permitted on that server?

Restrictions:

  1. The tool 'sshd_config' either doesn't exist on this system, or I don't have permission to run it
  2. I do not have permission to view files such as /etc/ssh/ssh_config (so cannot directly look for AllowAgentForwarding settings)

Attempting to use agent forwarding to log in to a third system from the server seems to fail, so I suspect that agent forwarding is disabled, but I don't want to submit a request for this to be changed without first explicitly verifying that this is indeed the problem.

Ben Farmer
  • (I think you mean *ssh**d**_config* on the server.) As there is no practical reason to use agent forwarding these days, why do you care? (You are probably expected to use Proxy (`-J`) instead of Forwarding) – anx Oct 21 '20 at 22:20
  • Isn't there? What is the alternative? I want to access GitLab with rsa authentication from a variety of different servers, and I don't want to store and keep track of zillions of different public keys from all those servers. I just want to give GitLab my one single public key from my PC. What other way is there to do this than ssh-agent forwarding? – Ben Farmer Oct 21 '20 at 22:23
  • So I have been trying to research it, and I guess you are referring to this "ProxyCommand" ability that ssh has? Maybe I don't understand it properly, but I don't see how that can replace agent forwarding in this case. Doesn't it just let me tunnel to the final remote system via the server? That's not really what I want, I think. I just want to clone git repos from GitLab onto the server. So the server needs my ssh-agent to communicate to GitLab, doesn't it? Unless I set up separate key pairs on every server, which I am not certain is any more secure than just using the agent? – Ben Farmer Oct 21 '20 at 22:40
  • Agent forwarding is only practical in so far that someone hijacking just one of the servers you share your keys with gives the hacker access to practically everything opened with your keys. Instead of looking for an exact replacement, migrate to secure practices where your (write- and shell-access, presumably) keys never leave your premises. – anx Oct 21 '20 at 22:48
  • Ok... can you be more specific? How can I clone git repos from GitLab on to a server where I need to do some work, whilst also not a) giving that server access to my keys, or b) telling GitLab that it can authenticate using keys I create on the server? Either way the keys have to leave my machine. So I'm not sure what you are saying I should do. – Ben Farmer Oct 21 '20 at 22:58
  • Hi, did you figure out a way to check this? – a06e Oct 20 '21 at 13:59
  • @becko I don't remember exactly what I ended up doing, but it might have been something like this: https://unix.stackexchange.com/a/18940/167856 – Ben Farmer Oct 20 '21 at 23:15
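
One way to check this from inside the login session without reading any sshd configuration, as an added example that is not part of the original question or its comments: when forwarding is granted, sshd exports `SSH_AUTH_SOCK` pointing at a per-session socket, and `ssh-add -l` reports whether an agent answers on it. The function name and the status words it prints are this example's own labels.

```shell
#!/bin/sh
# Added example: classify the agent-forwarding state of the current login.
# Run it on the server, inside the session opened with `ssh -A`.

agent_forwarding_status() {
    # sshd sets SSH_CONNECTION for every session it starts.
    if [ -z "${SSH_CONNECTION:-}" ]; then
        echo "not-an-ssh-session"; return 0
    fi
    # No socket variable: the client did not request forwarding,
    # or the server did not set it up for this session.
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo "no-agent-socket"; return 0
    fi
    # Variable inherited (e.g. via tmux/screen) but the socket is gone.
    if [ ! -S "$SSH_AUTH_SOCK" ]; then
        echo "stale-socket-path"; return 0
    fi
    if ! command -v ssh-add >/dev/null 2>&1; then
        echo "socket-present-untested"; return 0
    fi
    # ssh-add exit status: 0 = keys listed, 1 = agent has no keys,
    # 2 = agent could not be contacted.
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case "$rc" in
        0) echo "agent-reachable-with-keys" ;;
        1) echo "agent-reachable-no-keys" ;;
        2) echo "agent-unreachable" ;;
        *) echo "unknown-ssh-add-status-$rc" ;;
    esac
}

echo "agent forwarding: $(agent_forwarding_status)"
```

A reachable agent only proves forwarding if no agent is started on the server itself (for example from a shell profile). A `no-agent-socket` result combined with client-side `ssh -v -A` output showing that forwarding was requested points at the server as the side that declined it.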

0 Answers