SSH agent-forwarding: Going barefoot (socket-less)

Would you really wear sockets with flip-flops to walk on a nice sandy beach? The same thing goes with SSH agent-forwarding: using a socket can sometimes be inappropriate.

What is SSH agent-forwarding?

In short, SSH agent-forwarding is a mechanism that offers a major advantage to system administrators. Thanks to a local agent, users can connect to a remote server by bouncing on an intermediate server while authenticating with their own private key, which is stored only on their computer.

But the question is:

Why would you access a server by bouncing on an intermediate server?

The answer is pretty simple. If you consider the security problem posed by external connections, it’s easy to recognize that no reasonable IT manager would allow direct connections to critical resources from the internet.

The SSH agent-forwarding mechanism allows users to connect smoothly to a server by bouncing on an intermediate one and without storing the user’s private key on this intermediate server.

SSH agent-forwarding can open the door to cyber-attacks

So, circling back to the footwear topic, SSH agent-forwarding has a weakness: it opens a socket on the intermediate server, which represents an important vulnerability.

The socket created through SSH agent-forwarding is a well-known vulnerability.

To understand this, let’s decompose the process:

  1. An agent runs on your local computer. This agent has access to the private key to handle forward authentication.
  2. The user connects to the bouncing server, specifies that this connection can be used to bounce on another server, and uses the private key to authenticate.
  3. The user connects from the bouncing server to the final server thanks to the private key.

[Figure: SSH agent-forwarding socket mechanism]

What makes the socket vulnerable? A malicious user authenticated on the bouncing system can easily divert the socket to impersonate the original user and connect to authorized servers.
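A client-side audit for the forwarding described above, as an added example that is not part of the original article or of WALLIX's code: it parses OpenSSH client configuration text and reports every scope where `ForwardAgent` is enabled, since those are the connections that place an agent socket on the bouncing server. The sample configuration and its hostnames are constructed, and the `high`/`review` severity labels are this example's own convention.

```python
import re
import shlex

# Constructed sample of a client-side ~/.ssh/config (hostnames are made up).
SAMPLE_CONFIG = """\
# global defaults
Host *
    ForwardAgent yes
    ServerAliveInterval 30

Host bounce.example.org
    User alice
    forwardagent=no

Host db-*.internal.example.org
    ForwardAgent $SSH_AUTH_SOCK

Match host *.lab.example.org
    ForwardAgent no
"""

# "Keyword value" and "Keyword=value" are both valid; keywords are case-insensitive.
DIRECTIVE = re.compile(r"^\s*([A-Za-z]+)\s*(?:=\s*|\s+)(.*)$")

def audit_forward_agent(config_text):
    """Return one finding per scope in which agent forwarding is enabled."""
    findings = []
    scope = "(global)"  # directives placed before the first Host/Match line
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        m = DIRECTIVE.match(raw)
        if not m:  # blank lines and comments
            continue
        keyword, args = m.group(1).lower(), shlex.split(m.group(2))
        if keyword in ("host", "match"):
            scope = keyword + " " + " ".join(args)
        elif keyword == "forwardagent" and args and args[0].lower() != "no":
            # "yes", a socket path or a $VARIABLE name all enable forwarding.
            # ssh keeps the first value it obtains, so a wildcard scope
            # overrides any later per-host "no": flag it as high.
            broad = scope == "(global)" or bool({"*", "all"} & set(scope.split()[1:]))
            findings.append({"line": lineno, "scope": scope, "value": args[0],
                             "severity": "high" if broad else "review"})
    return findings

if __name__ == "__main__":
    for f in audit_forward_agent(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['scope']} -> ForwardAgent {f['value']} [{f['severity']}]")
```

In the sample, the `Host *` block is listed first, so its `ForwardAgent yes` also applies to `bounce.example.org` despite the later `no`.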

WALLIX Bastion: the ideal solution to SSH agent-forwarding’s socket vulnerability

Let’s get practical, now.

You are the IT manager of a hospital. Some equipment, such as scanners or analyzers, is managed by vendors who require secure and exclusive access to that equipment. They are not willing to share the authentication keys to those critical systems. Still, you want to be able to monitor and record every action performed on the equipment, at least for compliance purposes.

WALLIX Bastion is the ideal solution to this type of challenge. Thanks to its internal agent-forwarding solution, vendors can access their equipment from the internet using their own private key, without sharing it with the Bastion. Moreover, the Bastion works as a reverse proxy, using protocol break and not providing shell access to users.

That means no socket and no vulnerability.

In addition, the WALLIX Bastion provides a full audit arsenal so that IT administrators can keep an eye (or 4-eyes as we call it) on what is going on on their critical equipment while ensuring compliance.

[Figure: socket-less SSH agent-forwarding with the Bastion]

All in all, picking the right footwear is that easy, and it can prevent serious security damage and spare your reputation.