Exercise 24: Exploiting OpenSSH Agent Forwarding

May 2, 2025

Objective: Learn to exploit SSH agent forwarding to escalate privileges or perform unauthorized actions on remote systems, and understand how to mitigate such risks.


Scenario: SSH agent forwarding is a convenience feature that allows users to authenticate to additional servers through a remote machine without re-entering their private key passphrase. Misusing this feature can allow attackers with access to a compromised machine to exploit the forwarded agent for unauthorized actions. Your task is to exploit agent forwarding and secure SSH configurations to mitigate this risk.


Lab Setup

  1. Environment:
    • Two Linux systems: an intermediate server and a target server.
    • An SSH agent set up with a private key.
  2. Tools Required:
    • ssh command.
    • ssh-add for managing the SSH agent.
    • Access to both systems for testing.

Lab Steps

Step 1: Set Up the SSH Agent

  1. Start the SSH agent: eval $(ssh-agent)
  2. Add your private key to the agent: ssh-add ~/.ssh/id_rsa
    • Verify that the key has been added: ssh-add -l
  3. Connect to the intermediate server with agent forwarding enabled: ssh -A user@intermediate-server
    • Replace user@intermediate-server with your username and the intermediate server's hostname.

Step 2: Exploit Agent Forwarding

  1. On the intermediate server, list available keys through the forwarded agent: ssh-add -l
  2. Use the forwarded agent to connect to the target server: ssh user@target-server
    • Replace user@target-server with a valid username and the target server's hostname.
  3. Perform unauthorized actions on the target server using the forwarded agent for authentication.
  4. Optional: Monitor SSH activity on the target server to confirm the exploitation.

Step 3: Analyze the Exploit

  1. Verify that the actions on the target server succeeded without the private key or its passphrase being needed on the intermediate server.
  2. Understand how the forwarded agent was used for authentication.

Solution

Explanation:

  • SSH agent forwarding allows authentication without transferring private keys. Attackers who gain access to the intermediate server can abuse the forwarded agent to authenticate to additional servers.

Prevention:

  1. Disable Agent Forwarding:
    • Set ForwardAgent no in the SSH client configuration (~/.ssh/config):
        Host *
            ForwardAgent no
  2. Use Agent Restrictions:
    • Use OpenSSH’s agent restrictions feature (destination constraints, available in OpenSSH 8.9 and later) to limit the agent’s scope when loading the key: ssh-add -h intermediate-server -h "intermediate-server>target-server" ~/.ssh/id_rsa
  3. Limit Key Use:
    • Use separate keys for specific servers to minimize exposure.
    • Require confirmation each time a key is used through the agent: ssh-add -c ~/.ssh/id_rsa
  4. Monitor and Audit Access:
    • Log SSH connections and forwarded agent usage: sudo tail -f /var/log/auth.log
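
What the monitoring step can look for on the target server, as an added example that is not part of the original exercise: it reports key fingerprints that sshd accepted from a source address outside that key's expected list. The function name, the expected-sources file format, the addresses and the fingerprints are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Reports sshd "Accepted publickey"
# events where a known key fingerprint is used from a source address that is
# not on that key's expected list.

# unexpected_key_sources LOGFILE EXPECTED_FILE
#   EXPECTED_FILE lines: "<fingerprint> <allowed-source-ip>" (format assumed here)
#   Output: "<user> <source-ip> <fingerprint>" per unexpected acceptance.
unexpected_key_sources() {
    awk '
        NR == FNR {                          # first file: expected sources
            if ($0 !~ /^#/ && NF >= 2) { allowed[$1, $2] = 1; known[$1] = 1 }
            next
        }
        # Newer OpenSSH releases log as "sshd-session" instead of "sshd".
        /sshd(-session)?\[[0-9]+\]: Accepted publickey for / {
            # Locate "Accepted" so any syslog timestamp layout works.
            for (i = 1; i <= NF; i++) if ($i == "Accepted") break
            user = $(i + 3); src = $(i + 5); fp = $NF
            if ((fp in known) && !((fp, src) in allowed)) print user, src, fp
        }
    ' "$2" "$1"
}

# Constructed sample data: 192.0.2.10 = workstation, 192.0.2.20 = intermediate
# server; fingerprints are placeholders, not real keys.
demo_dir=$(mktemp -d)
cat > "$demo_dir/expected" <<'EOF'
# fingerprint            allowed source
SHA256:EXAMPLEadminKEY   192.0.2.10
SHA256:EXAMPLEdeployKEY  192.0.2.20
EOF
cat > "$demo_dir/auth.log" <<'EOF'
May  2 10:01:07 target sshd[2211]: Accepted publickey for admin from 192.0.2.10 port 50122 ssh2: ED25519 SHA256:EXAMPLEadminKEY
May  2 10:14:43 target sshd[2290]: Accepted publickey for admin from 192.0.2.20 port 41876 ssh2: ED25519 SHA256:EXAMPLEadminKEY
May  2 10:15:02 target sshd[2301]: Accepted password for deploy from 192.0.2.20 port 41901 ssh2
May  2 10:20:31 target sshd[2340]: Accepted publickey for deploy from 192.0.2.20 port 42010 ssh2: ED25519 SHA256:EXAMPLEdeployKEY
EOF

unexpected_key_sources "$demo_dir/auth.log" "$demo_dir/expected"
```

A hit shows where a key was used from, not who used it: the target's sshd sees only a valid signature and does not record whether an agent produced it.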

Testing and Verification

  1. Re-attempt exploitation after disabling agent forwarding to confirm the mitigation.
  2. Test agent restrictions to ensure they limit the scope of forwarded keys.
  3. Verify that SSH connections work as intended without exposing the agent unnecessarily.

Reflection

This exercise demonstrates the risks of SSH agent forwarding and how it can be exploited to access additional systems. By completing this lab, you’ve gained practical experience in identifying and mitigating these risks to enhance the security of SSH-based authentication.
