When using ForwardAgent with SSH, the local ssh-agent can be used to authenticate connections from a remote system (the jumphost) to a third one.

Problems with this are

  1. that the forwarded connection to the local agent might be abused by root on the remote machine to log in as the legitimate user on still other systems.
  2. that the agent can hold more keys than the third system will accept, and tries them in a fixed order.

Problem 1 can be mitigated by adding the relevant keys with ssh-add's -c option, so that each use of the keys activates a dialog asking for permission.

Trying to log into a third machine from jumphost and getting the error

Too many authentication failures 
is the result of Problem 2. It happens when there are more than six keys added to the agent, and the relevant key for the third system is not in one of the first six.

If the agent was used from the local machine, it would be sufficient to add a specific IdentityFile and the IdentitiesOnly yes option. But on the remote system there are no secret keys, because that was the whole point of agent forwarding. ssh-add -l lists all the keys in the agent, but there seems to be no way to specify which of those to use in ssh third_system.

A workaround that I discovered recently is running a second ssh-agent on its own SSH_AUTH_SOCK, adding the relevant keys for the remote system to just that agent, and forwarding only that agent's socket. It works like this:

% mkdir /tmp/.another_ssh_sock 
% chmod 700 /tmp/.another_ssh_sock 
% ssh-agent -a /tmp/.another_ssh_sock/sock
% env SSH_AUTH_SOCK=/tmp/.another_ssh_sock/sock ssh-add -c .ssh/the_key
% cat << EOF >> .ssh/config
Host jumphost
   ForwardAgent /tmp/.another_ssh_sock/sock
EOF

The -a option of ssh-agent makes it listen on the given UNIX socket. ForwardAgent also accepts a socket path, which allows explicitly specifying the socket that is forwarded to the remote machine.

If I want to connect directly to the third system from local, I can use the IdentityAgent option in my local .ssh/config to use the non-standard agent:

Host a_third_system
	IdentityAgent /tmp/.another_ssh_sock/sock
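As an added example, not code from the original post: a small POSIX shell script that checks an ssh-add -l listing for Problem 2 (is the wanted key among the first six the agent will offer?) and wraps the dedicated-agent setup from the steps above in a function. The listing, key names and fingerprints are constructed; the socket directory and key path follow the post.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSH's ssh-agent/ssh-add.
# sshd's default MaxAuthTries is 6: a key the agent offers after the sixth
# attempt is never reached, which produces "Too many authentication failures".
MAX_TRIES=6

# Print the 1-based position of the key whose fingerprint or comment contains
# $1 in an `ssh-add -l` listing read from stdin; print 0 if it is absent.
key_position() {
    awk -v needle="$1" '
        index($0, needle) { print NR; found = 1; exit }
        END { if (!found) print 0 }'
}

# Given a listing on stdin and a key identifier, report whether that key can
# ever be tried against the third system. Returns 0 when it is reachable.
key_reachable() {
    pos=$(key_position "$1")
    if [ "$pos" -eq 0 ]; then
        echo "key '$1' is not loaded in this agent"; return 2
    elif [ "$pos" -gt "$MAX_TRIES" ]; then
        echo "key '$1' would be attempt $pos, past $MAX_TRIES tries: expect 'Too many authentication failures'"; return 1
    fi
    echo "key '$1' is offered as attempt $pos of at most $MAX_TRIES"
}

# Start a second agent on its own socket and load only the jumphost key into
# it, each use requiring confirmation (-c). Mirrors the post's manual steps.
start_dedicated_agent() {
    sock_dir=$1 key=$2
    mkdir -p "$sock_dir" && chmod 700 "$sock_dir"
    ssh-agent -a "$sock_dir/sock" >/dev/null
    SSH_AUTH_SOCK="$sock_dir/sock" ssh-add -c "$key"
}

# Constructed `ssh-add -l` output: eight keys, the jumphost key in seventh place.
SAMPLE_LISTING='256 SHA256:aaaa... user@laptop (ED25519)
256 SHA256:bbbb... backup@laptop (ED25519)
3072 SHA256:cccc... ci-deploy (RSA)
256 SHA256:dddd... git@forge (ED25519)
256 SHA256:eeee... homeserver (ED25519)
3072 SHA256:ffff... legacy-vpn (RSA)
256 SHA256:gggg... the_key (ED25519)
256 SHA256:hhhh... unused (ED25519)'

printf '%s\n' "$SAMPLE_LISTING" | key_reachable the_key || true
printf '%s\n' "$SAMPLE_LISTING" | key_reachable git@forge

# Only touches the real agent when explicitly asked: ./script.sh setup
if [ "${1:-}" = setup ]; then
    start_dedicated_agent /tmp/.another_ssh_sock "$HOME/.ssh/the_key"
fi
```

Run it against the live agent with `ssh-add -l | key_reachable the_key` to see where the jumphost key sits before forwarding the default socket.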

The lack of options to select forwarded keys on the jumphost is a bit disappointing, but the tooling for running alternative agents is good enough for my scenario.

Thu, 13 Jun 2024