Although OpenSSH does not appear to fully implement
https://tools.ietf.org/html/draft-ietf-secsh-agent-02 it does seem like it implements that draft document for agent forwarding.
Assuming that that's correct, then I have a few questions. If you have two "shell" channels and want to be able to do agent forwarding on either channel, you'd have to do the "auth-agent-req" channel request for each one of those channels?
I saw one implementation that created a channel for which only a single channel request was ever sent - auth-agent-req. That channel was never closed and then another channel - a "shell" channel - was created. And forwarding seemed to work for that channel, i.e. when an attempt was made to connect to another machine through the shell, a channel open request for an "auth-agent" channel was sent to the client. Of course I'm thinking that this particular implementation just works by dumb luck and that it is, in fact, an incorrect implementation. Is that correct?
Thanks!