I have customers whose servers I need to connect to from TheBastion. I sent them the egress key, and they added it to their servers. So far, so good.
The problem is they also have an SSH bastion (not running TheBastion), and all connections must go through it, and they expect the authentication to be done using agent forwarding.
To summarize:
PC -> Our Bastion -> Customer Bastion -> Customer Server
The connection is OK to the customer's Bastion, but then trying to connect to a server fails because there is no ssh-agent running on our Bastion, so the key challenge can never be answered.
Enabling ForwardAgent and/or AllowAgentForwarding in the SSH configuration on our Bastion host is not useful, as it would use the agent running on the PC, which knows only the ingress key, not the egress key.
Is there a way to do agent forwarding with TheBastion, or is it a feature request?
This is not currently supported, but can be added, as ssh-agent supports starting a subprocess (which would be ttyrec then the ssh client to establish the egress connection in our case), and not only running as a user-wide daemon.
Hey @bragonznx, yes you can have a look into it if you have some available time!
The way I see it, this could be an option (in --long-help) that users could add when wanting to connect to a remote server where they know ssh-agent forwarding is required. In that case the ttyrec command would be prefixed with ssh-agent -t 60 (or something like that), and the ssh command should include -o AddKeysToAgent=yes so that the egress key(s) is/are properly added to the parent agent. I think we may also want to have a global option in bastion.conf to allow or deny it by policy (said option would be unavailable if the policy is disabled, which could be the default).
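As an added illustration of the mechanism sketched above (ssh-agent launching the egress command as its child instead of running as a user-wide daemon), here is a POSIX shell script. It is not TheBastion's code and not part of this issue: the function names `egress_with_agent` and `demo_agent_lifetime` are invented for the example, and the key is loaded with an explicit `ssh-add` rather than relying on `-o AddKeysToAgent=yes`, because no real second hop is available offline. It needs an installed OpenSSH client (`ssh-agent`, `ssh-add`, `ssh-keygen`).

```shell
#!/bin/sh
# Added example (not TheBastion code): start a per-connection ssh-agent whose
# only child is the egress command, so a chained ssh on the customer's bastion
# can answer the customer server's challenge through the forwarded socket.

# egress_with_agent TTL KEYFILE CMD...
# ssh-agent runs CMD... as a child with SSH_AUTH_SOCK set and exits when it
# does, so nothing is left running on the bastion afterwards. -t TTL caps the
# lifetime of keys added to this agent (seconds). In TheBastion's case CMD
# would be the ttyrec wrapper around the egress ssh client, e.g. (illustrative
# flags, not the project's exact command line):
#   egress_with_agent 60 ~/.ssh/id_egress ttyrec ... -- ssh -o ForwardAgent=yes user@customer-bastion
egress_with_agent() {
    ttl=$1; key=$2; shift 2
    ssh-agent -t "$ttl" sh -c 'k=$1; shift; ssh-add "$k" 2>/dev/null && exec "$@"' sh "$key" "$@"
}

# demo_agent_lifetime: creates a throwaway ed25519 key (constructed test data),
# runs `ssh-add -l` as the child of the per-connection agent, and returns 0 if
# that key is visible inside the agent (i.e. what a forwarded second-hop ssh
# would be able to use). Returns 0 with a notice when OpenSSH is not installed.
demo_agent_lifetime() {
    for tool in ssh-agent ssh-add ssh-keygen; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "skip: $tool not installed" >&2
            return 0
        fi
    done
    dir=$(mktemp -d) || return 1
    ssh-keygen -q -t ed25519 -N '' -f "$dir/egress_key" >/dev/null 2>&1 || { rm -rf "$dir"; return 1; }
    fp=$(ssh-keygen -l -f "$dir/egress_key.pub" | awk '{print $2}')

    # Inside the agent's child: the egress key is loaded and listable.
    inside=$(egress_with_agent 60 "$dir/egress_key" ssh-add -l 2>/dev/null)

    # After the child exits the agent is gone with it; the key file can go too.
    rm -rf "$dir"
    case "$inside" in
        *"$fp"*) echo "egress key available to forwarded hop: $fp"; return 0 ;;
        *) echo "egress key NOT visible in per-connection agent" >&2; return 1 ;;
    esac
}
```

The important property is that the agent's scope is one egress session: the socket exists only for the duration of the child command, and `-t` bounds how long the egress key stays usable in it even if the session is kept open. Whether to allow this at all is still a per-bastion policy decision, as the comment above suggests.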