
Agent forwarding

Posted Sep 12, 2011 10:05 UTC (Mon) by tialaramex (subscriber, #21167)
In reply to: Security breach on Linux.com, LinuxFoundation.org by fuhchee
Parent article: Security breach on Linux.com, LinuxFoundation.org

More specifically, what's going on is that an additional stream is made available over the SSH connection to the intermediary machine. This stream sends nonces used for authentication one way, and signed messages containing the nonce back the other way.

Suppose you have a desktop PC 'abe' and you routinely use it to connect to a remote system 'sentry' which acts as the gateway to other machines, including a customer database 'enterprise' and the test data repository 'voldemort'. There is no direct access to voldemort -- for defence in depth -- to even attack voldemort's network services, bad guys need to get past the 'sentry' machine.

Your private key K is on abe. When you ssh to sentry, it sends a random nonce value N1 to abe. Using K, abe is able to sign the nonce value N1 to prove it knows K, and sends this back. You are authenticated.

If agent forwarding is enabled, when you now type ssh voldemort (to further connect from sentry to voldemort) voldemort sends another random nonce value N2 to sentry. Sentry doesn't have any private keys (per my rant above) so it forwards N2 to abe. The local agent on abe signs this using K, it goes back to sentry and then voldemort, and you are authenticated.

Now, suppose a bad guy, Mallory wishes to use your key to connect to the machine 'enterprise'. She has obtained root access on sentry (so she has already significantly penetrated your network defences). She must wait until you are connected to sentry using SSH with agent forwarding enabled. Then she connects to enterprise, and receives a nonce N3. Using her root access, she synthesises a request from sentry to abe, asking abe to sign N3, and it is accepted. Mallory is authenticated to enterprise as you.

BUT this is only possible while you remain logged into the compromised machine sentry, with agent forwarding to that machine enabled. The moment Mallory loses access to this machine, or you disconnect, or you reconnect but with agent forwarding disabled, this attack is impossible. There is no reason to revoke K in this case, it has not been compromised.

Also, Mallory plays a potentially risky game. Out of box default SSH clients give no indication when any of this is happening, but Mallory can't be sure you are so trusting. Your agent on abe is a black box to Mallory, it may report that it was asked to sign N3, prompting an investigation.


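The exchange the comment above describes, as an added example that is not part of the original post or of OpenSSH: a toy model of the forwarded agent stream, the three nonces N1/N2/N3, Mallory's synthesised request from sentry, and the window closing when the session ends. The host names abe, sentry, voldemort and enterprise come from the post; the `Agent`, `Server` and `Session` classes, the audit log, and the textbook RSA key built from two Mersenne primes are assumptions of this example standing in for ssh-agent, sshd and a real SSH key.

```python
import hashlib
import os

# Toy RSA key K for the user on abe (constructed for this example, not a real key):
# two Mersenne primes give a tiny modulus that Python's pow() handles directly.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: exists only inside abe's agent
PUBKEY = (E, N)                      # public half, in authorized_keys on every server


def _digest(nonce, n):
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % n


def verify(pubkey, nonce, sig):
    e, n = pubkey
    return pow(sig, e, n) == _digest(nonce, n)


class Agent:
    """ssh-agent on abe: the only place K's private half lives. Signs whatever
    nonce it is handed and records where each request arrived from."""
    def __init__(self, d, n):
        self._d, self._n = d, n
        self.log = []                      # (origin, nonce) for every sign request

    def sign(self, nonce, origin):
        self.log.append((origin, nonce))
        return pow(_digest(nonce, self._n), self._d, self._n)


class Server:
    """A host doing public-key auth: hands out a random nonce, accepts it back signed."""
    def __init__(self, name, pubkey):
        self.name, self.pubkey, self._pending = name, pubkey, set()

    def challenge(self):
        nonce = os.urandom(32)
        self._pending.add(nonce)
        return nonce

    def authenticate(self, nonce, sig):
        if nonce not in self._pending:
            return False
        self._pending.discard(nonce)
        return verify(self.pubkey, nonce, sig)


class Session:
    """abe's SSH session to sentry. With agent forwarding, an extra stream on this
    connection carries sign requests from sentry back to abe's agent; anyone on
    sentry who can reach the user's forwarded socket (root, for one) can use it."""
    def __init__(self, agent, via, forward_agent):
        self._agent, self._via, self._forward, self.open = agent, via, forward_agent, True

    def forward_sign(self, nonce):
        if not (self.open and self._forward):
            return None                    # no channel: sentry has no way to reach K
        return self._agent.sign(nonce, "forwarded:" + self._via)

    def close(self):
        self.open = False


def hop(session, target):
    """Whoever holds the forwarded socket on sentry authenticates to `target`:
    the user typing `ssh voldemort`, or Mallory as root aiming at enterprise."""
    nonce = target.challenge()
    sig = session.forward_sign(nonce)
    return sig is not None and target.authenticate(nonce, sig)


def scenario(forward_agent):
    agent = Agent(D, N)
    sentry, voldemort, enterprise = (Server(h, PUBKEY) for h in ("sentry", "voldemort", "enterprise"))

    # N1: abe authenticates to sentry directly; no forwarding involved.
    n1 = sentry.challenge()
    if not sentry.authenticate(n1, agent.sign(n1, "local:abe")):
        raise RuntimeError("login to sentry failed")
    session = Session(agent, "sentry", forward_agent)

    user_hop = hop(session, voldemort)        # N2: the legitimate onward hop
    mallory_live = hop(session, enterprise)   # N3: synthesised by root on sentry
    session.close()                           # user logs out of sentry
    mallory_after = hop(session, enterprise)  # the window has shut; K was never exposed
    return {
        "user_hop": user_hop,
        "mallory_while_connected": mallory_live,
        "mallory_after_disconnect": mallory_after,
        # forwarded sign requests the agent saw, versus hops the user actually made
        "forwarded_requests": sum(1 for o, _ in agent.log if o.startswith("forwarded:")),
        "user_hops": 1,
    }


if __name__ == "__main__":
    for fwd in (True, False):
        print("agent forwarding", "on " if fwd else "off", scenario(fwd))
```

With forwarding on, the agent's log shows two forwarded requests against one `ssh voldemort` the user typed; that mismatch is the "may report that it was asked to sign N3" signal, and is what a confirmation-on-use agent would surface. With forwarding off, neither the user's hop nor Mallory's succeeds, and in both cases the private exponent D never leaves `Agent`, which is why the key needs no revocation.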


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds