[Feature]: remove ForwardAgent yes from ssh_client config
cstruck opened this issue
Christian Struck commented
Description
Right now, when creating an ssh_client config, ForwardAgent yes is always set. This is not necessary and also poses a security risk to the user, since he would forward his ssh-agent to a machine that is untrusted from his perspective.
Suggested Solution
Just remove ForwardAgent yes from the config generation.
Alternatives
No response
Additional Context
The ssh_config manpage states this about ForwardAgent:
Agent forwarding should be enabled with caution. Users with the ability to
bypass file permissions on the remote host (for the agent's Unix-domain
socket) can access the local agent through the forwarded connection. An
attacker cannot obtain key material from the agent, however they can perform
operations on the keys that enable them to authenticate using the identities
loaded into the agent.