SSH Agent Forwarding
What is SSH Agent Forwarding?
SSH Agent Forwarding: An OpenSSH feature, enabled with -A or ForwardAgent yes, that exposes a UNIX socket on a remote host so commands there can use the local SSH agent to authenticate further hops.
SSH agent forwarding lets a user run ssh-agent locally and then bounce through one server to another without copying private keys. When the user connects with ForwardAgent yes (or ssh -A), OpenSSH creates a UNIX domain socket on the remote host, typically /tmp/ssh-XXXXXXXXXX/agent.<pid> with its path exported in SSH_AUTH_SOCK, and relays every agent request made to that socket back over the SSH connection to the local agent. The private key itself never leaves the client, but the ability to sign with it does: the agent protocol carries no authentication of its own, so anyone who can open the socket, in particular root on the remote host or another process running as the same user, can list the user's keys and obtain signatures in the user's name for any target they can reach, for as long as the session stays open. High-profile incidents (the 2019 matrix.org compromise, where the attacker pivoted from a compromised Jenkins host to production by way of forwarded agents, and GitHub's supply-chain warnings) have led to the recommendation to prefer ProxyJump (-J), SSH certificates with short TTL, or hardware-backed keys (FIDO ed25519-sk, which normally require a physical touch per signature) and, when forwarding is unavoidable, to forward a dedicated agent holding only the keys that hop needs (IdentityAgent), to add keys with ssh-add -c so each signature must be confirmed locally, or, on OpenSSH 8.9 and later, to add them with ssh-add -h to restrict the hosts they may authenticate to.
● Examples
- 01
An attacker with root on a jump host opening the forwarded socket named by SSH_AUTH_SOCK (for example by pointing ssh-add -l and ssh at it) to list the user's keys and sign authentication to downstream production servers in that user's name.
- 02
Replacing ssh -A admin@jump with ssh -J jump admin@target: the jump host then only relays a TCP connection, authentication to target runs end to end from the client, and no agent socket is ever created on the jump host for a root user there to abuse.
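The exchange behind the mechanism described above and behind example 01, as an added example that is not part of this page or of OpenSSH: a minimal ssh-agent protocol client (what ssh-add -l and ssh do) talking to a stand-in agent over a UNIX socket laid out like a forwarded SSH_AUTH_SOCK. The framing and message numbers follow the real protocol; the agent, its single ssh-ed25519 identity, the comment alice@laptop, the socket name agent.4242, the userauth bytes and the HMAC "signature" are constructed stand-ins (a real agent returns an Ed25519 signature). What it shows is the property the definition turns on: the agent never asks who connected, so whoever can open the socket gets signatures.

```python
"""ssh-agent protocol over a forwarded socket (added example, not code from
the page or OpenSSH). Framing and message numbers follow the real protocol
(draft-miller-ssh-agent); the agent is a stand-in with one constructed
identity that "signs" with HMAC instead of a private key, so it runs offline.
Like the real ssh-agent it never checks who is on the other end of the socket."""
import hashlib, hmac, socket
import struct, tempfile, threading

SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES, SSH_AGENT_IDENTITIES_ANSWER = 11, 12
SSH_AGENTC_SIGN_REQUEST, SSH_AGENT_SIGN_RESPONSE = 13, 14

def put_string(b):  # SSH 'string': uint32 big-endian length, then the bytes
    return struct.pack(">I", len(b)) + b

def get_string(buf, off):  # parse one SSH 'string' at off -> (value, next_off)
    end = off + 4 + struct.unpack_from(">I", buf, off)[0]
    return buf[off + 4:end], end

def send_msg(sock, msg_type, payload=b""):  # framing: uint32 len(type+payload)
    sock.sendall(struct.pack(">IB", len(payload) + 1, msg_type) + payload)

def recv_msg(sock):
    """Read one framed message; returns (type, payload)."""
    hdr = sock.recv(4, socket.MSG_WAITALL)
    if len(hdr) < 4:
        raise ConnectionError("peer closed the socket")
    body = sock.recv(struct.unpack(">I", hdr)[0], socket.MSG_WAITALL)
    return body[0], body[1:]

class FakeAgent(threading.Thread):
    def __init__(self, path):
        super().__init__(daemon=True)
        self.secret = b"constructed stand-in for private key material"
        # Public key blob in OpenSSH wire format: string algo, string key.
        self.key_blob = put_string(b"ssh-ed25519") + put_string(b"\x42" * 32)
        self.srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.srv.bind(path)
        self.srv.listen(1)

    def stand_in_sign(self, data):  # HMAC in place of a real Ed25519 signature
        return hmac.new(self.secret, data, hashlib.sha256).digest()

    def run(self):
        while True:
            conn, _ = self.srv.accept()
            try:
                while True:  # answer requests until the client disconnects
                    t, payload = recv_msg(conn)
                    if t == SSH_AGENTC_REQUEST_IDENTITIES:
                        ans = struct.pack(">I", 1) + put_string(self.key_blob) + put_string(b"alice@laptop")
                        send_msg(conn, SSH_AGENT_IDENTITIES_ANSWER, ans)
                    elif t == SSH_AGENTC_SIGN_REQUEST:
                        blob, off = get_string(payload, 0)
                        data = get_string(payload, off)[0]
                        if blob != self.key_blob:  # not one of our keys: refuse
                            send_msg(conn, SSH_AGENT_FAILURE)
                            continue
                        # Signature blob: string algo, string signature bytes.
                        sig = put_string(b"ssh-ed25519") + put_string(self.stand_in_sign(data))
                        send_msg(conn, SSH_AGENT_SIGN_RESPONSE, put_string(sig))
                    else:
                        send_msg(conn, SSH_AGENT_FAILURE)
            except ConnectionError:
                conn.close()

def agent_request(sock_path, msg_type, payload=b""):
    """Connect to the socket named by SSH_AUTH_SOCK and send one request."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        send_msg(s, msg_type, payload)
        return recv_msg(s)

def list_identities(sock_path):
    """What `ssh-add -l` does; returns [(algo, key_blob, comment)]."""
    t, payload = agent_request(sock_path, SSH_AGENTC_REQUEST_IDENTITIES)
    if t != SSH_AGENT_IDENTITIES_ANSWER:
        raise RuntimeError("unexpected agent reply type %d" % t)
    off, keys = 4, []
    for _ in range(struct.unpack_from(">I", payload, 0)[0]):
        blob, off = get_string(payload, off)
        comment, off = get_string(payload, off)
        keys.append((get_string(blob, 0)[0].decode(), blob, comment.decode()))
    return keys

def sign(sock_path, key_blob, data):
    """What ssh does during publickey auth; returns the signature blob."""
    req = put_string(key_blob) + put_string(data) + struct.pack(">I", 0)  # flags
    t, payload = agent_request(sock_path, SSH_AGENTC_SIGN_REQUEST, req)
    if t != SSH_AGENT_SIGN_RESPONSE:
        raise RuntimeError("agent refused to sign (reply type %d)" % t)
    return get_string(payload, 0)[0]

def hijack_demo():
    """Root on the jump host: open the forwarded socket, list keys, sign."""
    sock_path = tempfile.mkdtemp(prefix="ssh-") + "/agent.4242"  # like /tmp/ssh-XXXX/agent.<pid>
    agent = FakeAgent(sock_path)  # plays the user's forwarded agent
    agent.start()
    keys = list_identities(sock_path)
    data = b"constructed userauth request: prod-db-01 as alice"  # the agent cannot tell attacker from ssh
    return agent, sock_path, keys, data, sign(sock_path, keys[0][1], data)
```

Import the module and call hijack_demo(): it returns the listed identities and a signature over the constructed bytes without ever presenting a credential. On a real jump host the equivalent is root running ls /tmp/ssh-*/agent.* and then SSH_AUTH_SOCK=<that socket> ssh-add -l, followed by ssh to any server that trusts the listed key; ssh-add -c (confirmation) and ssh-add -h (destination constraints) make the agent refuse or interrupt exactly the SSH_AGENTC_SIGN_REQUEST step shown here.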
● Frequently asked questions
What is SSH Agent Forwarding?
An OpenSSH feature, enabled with -A or ForwardAgent yes, that exposes a UNIX socket on a remote host so commands there can use the local SSH agent to authenticate further hops. It belongs to the Network Security category of cybersecurity.
What does SSH Agent Forwarding mean?
An OpenSSH feature, enabled with -A or ForwardAgent yes, that exposes a UNIX socket on a remote host so commands there can use the local SSH agent to authenticate further hops.
How does SSH Agent Forwarding work?
SSH agent forwarding lets a user run ssh-agent locally and then bounce through one server to another without copying private keys. When the user connects with ForwardAgent yes (or ssh -A), OpenSSH creates a UNIX domain socket on the remote host, typically /tmp/ssh-XXXXXXXXXX/agent.<pid> with its path exported in SSH_AUTH_SOCK, and relays every agent request made to that socket back over the SSH connection to the local agent. The private key itself never leaves the client, but the ability to sign with it does: the agent protocol carries no authentication of its own, so anyone who can open the socket, in particular root on the remote host or another process running as the same user, can list the user's keys and obtain signatures in the user's name for any target they can reach, for as long as the session stays open. High-profile incidents (the 2019 matrix.org compromise, where the attacker pivoted from a compromised Jenkins host to production by way of forwarded agents, and GitHub's supply-chain warnings) have led to the recommendation to prefer ProxyJump (-J), SSH certificates with short TTL, or hardware-backed keys (FIDO ed25519-sk, which normally require a physical touch per signature) and, when forwarding is unavoidable, to forward a dedicated agent holding only the keys that hop needs (IdentityAgent), to add keys with ssh-add -c so each signature must be confirmed locally, or, on OpenSSH 8.9 and later, to add them with ssh-add -h to restrict the hosts they may authenticate to.
How do you defend against SSH Agent Forwarding?
Defences for SSH Agent Forwarding combine client and server controls. On the client, prefer ProxyJump (-J) so that no agent socket is created on intermediate hosts; never set ForwardAgent yes under Host * in ~/.ssh/config, and enable it only for specific trusted hosts or per invocation with -A. On jump hosts that should never see an agent, set AllowAgentForwarding no in sshd_config (the default is yes). When forwarding is genuinely required, forward a dedicated agent that holds only the keys the hop needs (IdentityAgent), load those keys with ssh-add -c so every signature must be confirmed locally, or, on OpenSSH 8.9 and later, with ssh-add -h to constrain which hosts they may authenticate to; hardware-backed FIDO keys (ed25519-sk) that require a touch per signature and short-lived SSH certificates further limit what a hijacked socket can do. Operationally, treat root on a jump host as equivalent to every key forwarded through it, and audit /tmp/ssh-*/agent.* sockets on shared hosts to see which users are exposing agents.
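An added example (not from the page or from OpenSSH) of checking the two settings the defences above turn on: ForwardAgent in ~/.ssh/config and AllowAgentForwarding in sshd_config. The sample config text is constructed; the parser understands Host blocks and the "Keyword value" / "Keyword=value" forms and assumes no Match blocks are in use; the severity labels and the name KV_RE are this example's own.

```python
"""Audit OpenSSH configs for agent-forwarding exposure (added example, not
code from the page or OpenSSH). Client side, `ForwardAgent yes` under a
wildcard Host hands the agent to every server the user logs into; server
side, sshd's AllowAgentForwarding defaults to yes, so a jump host that must
never carry agent sockets needs an explicit no. Assumption: no Match blocks
(they are not interpreted here)."""
import re

# "Keyword value" or "Keyword=value"; OpenSSH keywords are case-insensitive.
KV_RE = re.compile(r"^(\w+)\s*(?:=\s*|\s+)(.*)$")

# Constructed ~/.ssh/config used by the demo and the test.
EXAMPLE_CLIENT_CONFIG = """# constructed example, not a real user's config
Host *
    ForwardAgent yes
Host jump
    HostName jump.example.com
    ForwardAgent yes
Host prod-*
    ProxyJump jump
Host build
    ForwardAgent $DEV_AGENT_SOCK
"""

def parse_ssh_config(text):
    """Return [(host_patterns, {keyword: value})] in file order. The first
    entry holds settings that precede any Host line (they apply to all)."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        m = KV_RE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)  # first occurrence wins
    return blocks

def audit_client_config(text):
    """Findings as (severity, host_patterns, message) for ~/.ssh/config."""
    findings = []
    for patterns, opts in parse_ssh_config(text):
        value = opts.get("forwardagent", "no")  # OpenSSH default is no
        where = " ".join(patterns)
        if value.lower() == "no":
            continue
        if value.lower() != "yes":
            # OpenSSH 8.9+: a socket path or $VAR forwards a dedicated agent.
            findings.append(("info", where, "forwards dedicated agent %s; keep only the keys that hop needs in it" % value))
        elif any("*" in p or "?" in p for p in patterns):
            findings.append(("high", where, "ForwardAgent yes on a wildcard host pattern: every server you log into can use your agent"))
        else:
            findings.append(("medium", where, "ForwardAgent yes; if %s is only a hop use 'ProxyJump %s', otherwise load keys with ssh-add -c or -h" % (where, where)))
    return findings

def audit_sshd_config(text):
    """sshd_config: AllowAgentForwarding defaults to yes, so unset is risky."""
    value = None
    for raw in text.splitlines():
        m = KV_RE.match(raw.split("#", 1)[0].strip())
        if m and m.group(1).lower() == "allowagentforwarding":
            value = m.group(2).strip().lower()
            break  # first occurrence wins in sshd_config as well
    if value == "no":
        return []
    return [("high", "sshd", "AllowAgentForwarding is %s (default yes); set it to no on jump hosts" % (value or "unset"))]

if __name__ == "__main__":
    for sev, where, msg in audit_client_config(EXAMPLE_CLIENT_CONFIG):
        print("%-6s Host %-8s %s" % (sev, where, msg))
    for sev, where, msg in audit_sshd_config("Port 22\n"):
        print("%-6s %-13s %s" % (sev, where, msg))
```

Point audit_client_config at the text of ~/.ssh/config and audit_sshd_config at /etc/ssh/sshd_config on each jump host; a wildcard ForwardAgent yes and an unset AllowAgentForwarding are the two conditions that together make the hijack in example 01 available to anyone with root on the hop.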
What are other names for SSH Agent Forwarding?
Common alternative names include: ForwardAgent, ssh -A.
● Related terms
- network-security№ 1089
SSH Key Types
The asymmetric key algorithms accepted by OpenSSH for user and host authentication: RSA, ECDSA (NIST curves), and the modern default Ed25519.
- network-security№ 594
known_hosts File
An OpenSSH client file (~/.ssh/known_hosts) that pins server public keys so SSH can detect host-key changes that could indicate a man-in-the-middle attack.
- identity-access№ 414
FIDO2
An open authentication standard from the FIDO Alliance combining WebAuthn (browser API) and CTAP (authenticator protocol) to enable phishing-resistant, passwordless sign-in.
- identity-access№ 861
Privileged Access Management (PAM)
A set of practices and tools that secure, control, monitor, and audit access to accounts and systems with elevated administrative privileges.
- defense-ops№ 606
Lateral Movement
The MITRE ATT&CK tactic (TA0008) covering techniques that let an attacker pivot from one compromised host to others across the environment.
- network-security№ 1087
SSH
A cryptographic network protocol (RFC 4251, port 22) that provides authenticated, encrypted, and integrity-protected remote login, command execution, and tunneling over an untrusted network.