I use ProxyCommand with the intention of avoiding ssh agent forwarding. Today I noticed that Gnome was starting `ssh-agent`, which I'm trying to avoid using, so I disabled it. I'd like to not have the agent running so I can't accidentally start forwarding it if I'm ever careless with setup/config of the ssh client. I'm a consultant and one of the very worst nightmares is that someone co-opts my credentials to do bad things, making it look like I did bad things and costing me business or even causing me to get sued. The present case where I hit this problem is configured as shown below. I've determined that it's not even the ProxyCommand that is requiring ssh-agent. Below is the anonymized bastion config from my `~/.ssh/config` (actually it's included from a customer-specific directory `~/clients/foo/secrets/`, but this all worked previously so there should be no problem there):
```
Host bastion
    HostName xxx.xxx.xxx.70
    User ubuntu
    IdentityFile ~/clients/foo/secrets/bastion.key
    IdentitiesOnly yes
    ForwardAgent no
```
When I do `ssh bastion -vvv` it stalls out at:
```
debug1: Found key in /home/gus/.ssh/known_hosts:67
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
```
This post on Ask Different identifies that as a "waiting for agent" problem. I'm on Ubuntu 18.04, but I assume the same error messages indicate the same problem regardless. Unfortunately, that answer focuses on fixing/enabling the agent, and I want to run without it so it can't ever get forwarded and subsequently abused.
How do I convince ssh to use the key from the config and not ask the agent for keys? Note that this connection worked fine before I killed the ssh-agent and removed it from Gnome startup. And the only thing I have added since (to no apparent effect) is the ForwardAgent line. Note that I've logged out and logged back in to ensure that there's no issue with a zombie process that came from killing the agent initially, and verified that the only process running with ssh in the name is sshd (which is expected and should be unrelated).
For reference the next hop will look like this:
```
Host target
    HostName xxx.xxx.xxx.152
    user ubuntu
    IdentityFile ~/clients/foo/secrets/target.key
    IdentitiesOnly yes
    ForwardAgent no
    ProxyCommand ssh -W %h:%p bastion
```
And previously that was working fine too, such that `ssh target` asked me for successive pass-phrases for each machine and then logged me into target.
EDIT: starting ssh-agent does let me in again, but that's not what I'm looking for. The failed attempts leave only `Connection closed by xxx.xxx.xxx.xxx port YYYY [preauth]` in auth.log.
https://man.openbsd.org/ssh_config#IdentityAgent or `man 5 ssh_config` on your system
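To make the answer's pointer concrete, here is an added example of mine (not code from the question or the answer) that resolves the effective options for a host the way ssh_config(5) does (the first obtained value wins, Host patterns are globs, a leading `!` negates) and then flags the agent-related settings someone in the poster's position wants pinned: `IdentityAgent none`, `ForwardAgent no`, `IdentitiesOnly yes` and an explicit IdentityFile. The sample configs are constructed from the post's own two blocks; the `Host *` lock-down block and all function names (`parse_ssh_config`, `effective_options`, `audit_agent_exposure`) are my additions.

```python
"""Resolve ssh_config options for a host and audit the agent-related ones.
Added example; the parser is a deliberately small subset of ssh_config(5)
(Host blocks and plain keywords; no Match or Include handling)."""
import fnmatch
import re
from typing import Dict, List, Tuple

# Constructed from the post's two blocks (anonymised IPs kept as posted).
POSTED_CONFIG = """
Host bastion
    HostName xxx.xxx.xxx.70
    User ubuntu
    IdentityFile ~/clients/foo/secrets/bastion.key
    IdentitiesOnly yes
    ForwardAgent no

Host target
    HostName xxx.xxx.xxx.152
    user ubuntu
    IdentityFile ~/clients/foo/secrets/target.key
    IdentitiesOnly yes
    ForwardAgent no
    ProxyCommand ssh -W %h:%p bastion
"""

# Same blocks with a catch-all placed FIRST: because the first obtained value
# wins, nothing in a later per-client Include can re-enable the agent.
HARDENED_CONFIG = """
Host *
    IdentityAgent none
    ForwardAgent no
""" + POSTED_CONFIG


def parse_ssh_config(text: str) -> List[Tuple[List[str], List[Tuple[str, str]]]]:
    """Return [(host_patterns, [(keyword, value), ...]), ...].
    Keywords are lower-cased (ssh_config keywords are case-insensitive, which
    is why the post's 'user ubuntu' line works). Options before the first
    Host line belong to an implicit 'Host *' block."""
    blocks: List[Tuple[List[str], List[Tuple[str, str]]]] = [(["*"], [])]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        m = re.match(r"^([A-Za-z]+)\s*=?\s*(.*)$", line)   # 'Key value' or 'Key=value'
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((key, value))
    return blocks


def host_matches(host: str, patterns: List[str]) -> bool:
    """ssh_config Host matching: '*' and '?' globs; any matching negated
    ('!') pattern excludes the block regardless of the positive ones."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            positive = True
    return positive


def effective_options(text: str, host: str) -> Dict[str, str]:
    """First obtained value wins, as in ssh_config(5). IdentityFile is the
    one cumulative keyword here, so it is joined into a comma-separated list."""
    opts: Dict[str, str] = {}
    for patterns, kvs in parse_ssh_config(text):
        if not host_matches(host, patterns):
            continue
        for key, value in kvs:
            if key == "identityfile":
                opts[key] = f"{opts[key]},{value}" if key in opts else value
            elif key not in opts:
                opts[key] = value
    return opts


def audit_agent_exposure(text: str, host: str) -> List[str]:
    """Findings for the poster's goal: no agent use, no forwarding, only the
    configured key offered. An empty list means the host is pinned down."""
    opts = effective_options(text, host)
    findings: List[str] = []
    if opts.get("identityagent", "").lower() != "none":
        findings.append("IdentityAgent is not 'none': ssh will still look for an agent via SSH_AUTH_SOCK")
    if opts.get("forwardagent", "no").lower() == "yes":
        findings.append("ForwardAgent yes: the remote host could use your agent")
    if opts.get("identitiesonly", "no").lower() != "yes":
        findings.append("IdentitiesOnly not 'yes': keys offered are not limited to the configured IdentityFile")
    if "identityfile" not in opts:
        findings.append("no IdentityFile configured for this host")
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        for host in ("bastion", "target"):
            print(f"{name:9} {host:8} {audit_agent_exposure(cfg, host) or 'OK'}")
```

Run as-is, both hosts in the posted config report that nothing stops ssh from looking for an agent, while the hardened variant passes for both. The point the parser makes visible is ordering: because the first value wins, a `Host *` lock-down at the top of `~/.ssh/config` cannot be undone by a later Include, whereas the same block placed at the bottom only applies where no earlier block set the keyword. Against the real file, `ssh -G target` prints the options ssh itself resolved, which is the check to run rather than trusting the parser.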