From 5211b1b25a001826a4f68ef2cab2c5917a71bd6b Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone <exarkun@twistedmatrix.com>
Date: Fri, 4 Jun 2021 08:55:56 -0400
Subject: [PATCH] Disable agent forwarding

---
 nixos/modules/ssh.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/nixos/modules/ssh.nix b/nixos/modules/ssh.nix
index 59ee2fec..667bdd26 100644
--- a/nixos/modules/ssh.nix
+++ b/nixos/modules/ssh.nix
@@ -37,6 +37,10 @@
         # password-based authentication at all.
         PermitEmptyPasswords no
 
+        # Agent forwarding is fraught.  It can be used by an attacker to
+        # leverage one compromised system into more.  Discourage its use.
+        AllowAgentForwarding no
+
         # Only allow authentication as one of the configured users, not random
         # other (often system-managed) users.  Possibly this is also
         # superfluous!  NixOS system users have nologin as their shell ... so they
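Review bot: The comment above `AllowAgentForwarding no` says the setting merely discourages agent forwarding, but on the sshd side this directive makes the server refuse the agent-forwarding channel outright, so the wording understates what the line does. It should also record the caveat from sshd_config(5) that this refusal only helps where users lack shell access, because an interactive user can still run their own forwarder; without that note a later reader may assume the host is fully protected. Suggested comment: `# Refuse agent-forwarding requests so a compromised session here cannot reach the client's key agent.  Per sshd_config(5) this only blocks the sshd channel; users with a shell can still forward by other means.` The enclosing Nix string holding this sshd configuration starts and ends outside the hunk.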
-- 
GitLab