TTP Diaries: SSH Agent Hijacking
infonews
security
Source: Embrace The Red, October 16, 2022
Summary
SSH Agent Hijacking is an attack where an adversary with root permissions can steal SSH private keys (encryption keys used for secure shell access) from a forwarded SSH Agent, a service that stores authentication credentials. On shared systems like jumpboxes (intermediate servers used to access other machines), an attacker can find another user's SSH_AUTH_SOCK (an environment variable pointing to the SSH Agent's communication socket) and use it to impersonate that user and access machines they have permission to reach.
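A defender-side check for the exposure described above, added here as an example and not taken from the original article: it reads an OpenSSH client config and reports whether agent forwarding is in effect for a given host, following ssh_config's first-value-wins rule. The sample config, host names and function names are constructed for illustration, and Match blocks are assumed to be out of scope and skipped.

```python
import fnmatch

# Constructed sample client config (not from the original article).
SAMPLE_CONFIG = """\
Host jumpbox.example.test
    ForwardAgent yes
    User alice

Host db-*.example.test !db-legacy.example.test
    ProxyJump jumpbox.example.test

Host *
    ForwardAgent no
"""

def host_matches(patterns, host):
    """Host line matching: a positive pattern must match and no negated one may."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched

def forward_agent_enabled(config_text, host):
    """True if the first ForwardAgent value that applies to host is not 'no'."""
    applies = True  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # accepts "key value" and "key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            applies = host_matches(value.split(), host)
        elif key == "match":
            applies = False  # assumption: Match blocks are skipped, not evaluated
        elif key == "forwardagent" and applies:
            # A socket path or $VAR value also turns forwarding on.
            return value.lower() != "no"
    return False  # OpenSSH default when nothing sets it

def hosts_forwarding_agent(config_text, hosts):
    """Subset of hosts for which the agent would be forwarded."""
    return [h for h in hosts if forward_agent_enabled(config_text, h)]
```

Hosts flagged by this check are the ones where a forwarded agent socket would exist on the remote side; the `ProxyJump` entry in the sample shows a way to reach machines behind the jumpbox without forwarding the agent to it.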
Classification
Attack Sophistication: Moderate
Original source: https://embracethered.com/blog/posts/2022/ttp-diaries-ssh-agent-hijacking/
First tracked: February 12, 2026 at 02:20 PM
Classified by LLM (prompt v3) · confidence: 95%