I have a MacBook with MacOSX Leopard (10.6.2) and I use it to connect to some servers (their O.S. is Debian Lenny) using SSH. I use RSA keys to login to server A, and from there I "bounce" to other servers B, C and D. I have activated agent forwarding in my laptop's .ssh/config for server A in order to be able to connect to A and then "bounce" from A to B, C or D without having to type my password every time. It works fine.
But I read that agent forwarding has one security flaw: if a hacker gets root access on server A, he will be able to hijack the agent forwarding mechanism and connect to servers B, C and D without any password.
Apparently, one solution is to use ssh-add's -c option: it is supposed to ask me for confirmation every time server A wants to use my RSA key. But for some reason, it fails:
miniquark@mylaptop:~$ ssh-add -c
Enter passphrase for /Users/miniquark/.ssh/id_rsa:
Identity added: /Users/miniquark/.ssh/id_rsa (/Users/miniquark/.ssh/id_rsa)
The user has to confirm each use of the key
miniquark@mylaptop:~$ ssh serverA
Agent admitted failure to sign using the key.
miniquark@serverA's password:
Normally, I don't need to launch ssh-add manually, since MacOSX does it for me automatically when I launch an ssh connection that requires an RSA key. So perhaps the solution would be to configure MacOSX to launch ssh-add with the -c option. Unfortunately, I just cannot find that option.
If you have any other idea that would protect me from agent forwarding hijacking, I would be very grateful.
Thank you.
The agent tries to run a helper program to prompt. On OS X this is not in place by default, so you'll need to provide one (at /usr/libexec/ssh-askpass). I'm currently using one similar to this:
Read this page http://jcs.org/notaweblog/2011/04/19/making_openssh_on_mac_os_x_more_secure/ for Joshua Stein's solution.
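The helper mechanism both answers refer to, written out as an added example (this is my own script, not the first answerer's elided one and not Joshua Stein's): when a key was loaded with ssh-add -c, ssh-agent runs the program at /usr/libexec/ssh-askpass with the confirmation text as its first argument and treats exit status 0 as "allow" and anything else as "deny". The script below shows a macOS dialog via osascript and maps the button pressed to that exit status. Assumptions: the installed path /usr/libexec/ssh-askpass and the dialog wording are mine; the file must be executable and, since it only runs when the agent has no terminal to ask on, it is installed once and never invoked by hand.

```shell
#!/bin/sh
# Added example ssh-askpass helper for macOS (not the page's own code).
# ssh-agent invokes it as:  /usr/libexec/ssh-askpass "Allow use of key ...?"
# Exit status 0 means allow the signature, non-zero means refuse it.

# Show the agent's prompt in a modal dialog. The prompt text is passed to
# AppleScript as an argv item rather than spliced into the script source,
# so a key comment containing quotes cannot alter the AppleScript.
# "Deny" is the default button, so a stray Enter or Escape refuses.
prompt_user() {
    osascript \
        -e 'on run argv' \
        -e 'display dialog (item 1 of argv) with title "SSH Agent" buttons {"Deny", "Allow"} default button "Deny" with icon caution' \
        -e 'end run' \
        "$1" 2>/dev/null
}

# Translate osascript's output ("button returned:Allow" on approval) into
# the exit status ssh-agent expects. Anything else, including empty output
# from a cancelled dialog or a missing osascript, is a denial.
decide() {
    case "$1" in
        *"button returned:Allow"*) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    answer=$(prompt_user "$1") || answer=""   # cancel/error -> empty -> deny
    decide "$answer"
}

# Only act when ssh-agent actually hands us a prompt; with no argument
# (e.g. when the file is sourced) do nothing.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Install it with `sudo install -m 755 ssh-askpass /usr/libexec/ssh-askpass`, then load the key with `ssh-add -c` as in the question; the "Agent admitted failure to sign" error disappears because the agent now has something to ask with. Note that this only limits what a compromised server A can do with the forwarded agent to the uses you click through; it does not change the agent-forwarding risk itself.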