Bug 1936 - -A command not available from ~C
Summary: -A command not available from ~C
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh (show other bugs)
Version: 5.8p1
Hardware: All All
: P2 enhancement
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-09-12 04:57 AEST by Alain Knaff
Modified: 2011-09-12 18:49 AEST (History)
1 user (show)

See Also:


Attachments
Allow agent forwarding to be toggled off (2.43 KB, patch)
2011-09-12 09:16 AEST, Darren Tucker
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Alain Knaff 2011-09-12 04:57:19 AEST
In an active ssh session, it is possible to escape to an internal command processor using ~C.
This may be used (mainly) to set up port forwarding.

However, it would be useful if it were also possible to switch on (or off) agent forwarding this way.

Indeed, for security reason, many users prefer not to allow agent forwarding most of the time, but may occasionally see a need to ssh from the current server to another server during the session using agent forwarding. Right now they have to open a new session to do so.
Comment 1 Darren Tucker 2011-09-12 09:16:49 AEST
Created attachment 2082 [details]
Allow agent forwarding to be toggled off

I actually implemented this a long time ago as a toggle rather than the command line processor.  The down side is that you'll get an error message from the remote end if you use it and then attempt to use agent forwarding:

Error reading response length from authentication socket.

Note that you can't toggle it on if it was not enabled at connection establishment since the server needs to set the SSH_AUTH_SOCK environment variable and have it propagate to the shell, which it can't do after the shell has started.
Comment 2 Darren Tucker 2011-09-12 09:34:00 AEST
Actually, we could probably fix the error message by implementing just enough of the agent protocol to say "nope, no identities here, move along!".
Comment 3 Darren Tucker 2011-09-12 10:28:23 AEST
The other thing you can do is load the key with ssh-add -c to require confirmation at the time of use.
Comment 4 Alain Knaff 2011-09-12 18:49:18 AEST
This would be rather inconvenient if the command needing access to the key was something like:

for arch in i386 x86_64 arm powerpc; do
  scp huge_source_tree.tar.gz $arch.linux.org:
done

You'd get a confirmation request for each machine. With a toggle switch, you'd give access before the loop, and remove access after.