Skip to content

[AD REMOVED]

Summary

What can you do if you discover inside the /etc/ssh_config or inside $HOME/.ssh/config configuration this:

ForwardAgent yes

If you are root inside the machine you can probably access any ssh connection made by any agent that you can find in the /tmp directory

Impersonate Bob using one of Bob's ssh-agent:

SSH_AUTH_SOCK=/tmp/ssh-haqzR16816/agent.16816 ssh bob@boston

Why does this work?

When you set the variable SSH_AUTH_SOCK you are accessing the keys of Bob that have been used in Bobs ssh connection. Then, if his private key is still there (normally it will be), you will be able to access any host using it.

As the private key is saved in the memory of the agent uncrypted, I suppose that if you are Bob but you don't know the password of the private key, you can still access the agent and use it.

Another option, is that the user owner of the agent and root may be able to access the memory of the agent and extract the private key.

Long explanation and exploitation

Check the original research here

[AD REMOVED]

All content on this page is from HackTricks, which belongs to Carlos Polop and is licensed under the Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0) license unless otherwise specified. This page is generated from the HackTricks wiki and just has the ads removed.