I have a MacBook with MacOSX Leopard (10.6.2) and I use it to connect to some servers (their O.S. is Debian Lenny) using SSH. I use RSA keys to login to server A, and from there I "bounce" to other servers B, C and D. I have activated agent forwarding in my laptop's .ssh/config
for server A in order to be able to connect to A and then "bounce" from A to B, C or D without having to type my password every time. It works fine.
But I read that agent forwarding has one security flaw: if a hacker gets root
access on server A, he will be able to hijack the agent forwarding mechanism and connect to servers B, C and D without any password.
Apparently, one solution is to use ssh-add
's -c
option: it is supposed to ask me for confirmation every time server A wants to use my RSA key. But for some reason, it fails:
miniquark@mylaptop:~$ ssh-add -c
Enter passphrase for /Users/miniquark/.ssh/id_rsa:
Identity added: /Users/miniquark/.ssh/id_rsa (/Users/miniquark/.ssh/id_rsa)
The user has to confirm each use of the key
miniquark@mylaptop:~$ ssh serverA
Agent admitted failure to sign using the key.
miniquark@serverA's password:
Normally, I don't need to launch ssh-add
manually, since MacOSX does it for me automatically when I launch an ssh connection that requires an RSA key. So perhaps the solution would be to configure MacOSX to launch ssh-add
with the -c
option. Unfortunately, I just cannot find that option.
If you have any other idea that would protect me from agent forwarding hijacking, I would be very grateful.
Thank you.