Ssh – How to use socket file to access server if SSH Agent forwarding is enabled

bastionsshssh-agentssh-keysssh-tunnel

I have bastion host. I connect to the bastion host using username/password. And I have private key for destination Server. Flow:

Local Machine -> Bastion -> Destination

I know that It's dangerous to use Agent forwarding because someone may read my socket file (If they have root access to bastion host) while my session is open and access the destination server – so I should use ProxyCommand!

Now I'm just testing how to access destination server without private key if I have access to the bastion server – how dangerous is Agent forwarding.

Host bast
     Hostname X.X.X.X
     ForwardAgent yes
     User bastion

Questions:

I've seen that there is information about the active agent to the following location in the bastion server: Ex: /tmp/ssh-{name}/agent.[PID]. I have root access but I can't read this file. I think only process Id is enough for this file, is not it?
if agent forwarding is enabled where can I find the socket file? I try to find at /proc/pid/fd/ location, where I saw several socket files.
how can I access to the destination server using the socket file? (How to access destination server via the ssh using socket file)

It tried to find socket files here:

 /proc/PID/fd/

And then just try this command for each socket 3,4,5,9,11:

ssh -p 2072  -o "ProxyCommand socat - UNIX-CLIENT:/proc/PID/fd/11" app@[DESTINATION_HOST_URL]

Result:

2018/08/26 01:53:31 socat[13552] E connect(5, AF=1 "/proc/13510/fd/11", 19): Connection refused
ssh_exchange_identification: Connection closed by remote host

Log:

OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Executing proxy command: exec socat - UNIX-CLIENT:/proc/14003/fd/11
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: permanently_drop_suid: 0
2018/08/26 03:10:17 socat[14073] E connect(5, AF=1 "/proc/14003/fd/11", 19): Connection refused
ssh_exchange_identification: Connection closed by remote host

Best Answer

I've just changed value of SSH_AUTH_SOCK then in ssh-add -l I had a key loaded.

To sum up: It's dangerous to use agent forwarding because if you have root access to the bastion host - you can steal key whole session is open. You just need to to change SSH_AUTH_SOCK and that's it!

Related Solutions

Ssh-agent forwarding and sudo to another user

As you mentioned, the environment variables are removed by sudo, for security reasons.

But fortunately sudo is quite configurable: you can tell it precisely which environment variables you want to keep thanks to the env_keep configuration option in /etc/sudoers.

For agent forwarding, you need to keep the SSH_AUTH_SOCK environment variable. To do so, simply edit your /etc/sudoers configuration file (always using visudo) and set the env_keep option to the appropriate users. If you want this option to be set for all users, use the Defaults line like this:

Defaults    env_keep+=SSH_AUTH_SOCK

man sudoers for more details.

You should now be able to do something like this (provided user1's public key is present in ~/.ssh/authorized_keys in user1@serverA and user2@serverB, and serverA's /etc/sudoers file is setup as indicated above):

user1@mymachine> eval `ssh-agent`  # starts ssh-agent
user1@mymachine> ssh-add           # add user1's key to agent (requires pwd)
user1@mymachine> ssh -A serverA    # no pwd required + agent forwarding activated
user1@serverA> sudo su - user2     # sudo keeps agent forwarding active :-)
user2@serverA> ssh serverB         # goto user2@serverB w/o typing pwd again...
user2@serverB>                     # ...because forwarding still works

Ssh – How to manage ssh keys to add a second user

You need to login using the putty on the windows machine and exit the .ssh/authorized_keys file and add the key that you generated on the mac to the file.

Do not run the command

scp -2 -P 50022 -v ~/.ssh/id_rsa.pub newuser@111.222.333.444:

That will over write the existing key on the server, and it will not work either as the server only accepts key logins.

Best Answer

Related Solutions

Ssh-agent forwarding and sudo to another user

Ssh – How to manage ssh keys to add a second user

Related Topic