ssh-agent use in different security domains

Daniel Kahn Gillmor dkg at
Thu Oct 27 05:42:24 EST 2011

On 10/25/2011 06:48 AM, Saku Ytti wrote:
> On 25 October 2011 13:28, Damien Miller <djm at> wrote:
>> to another host. The risk comes in when your _forward_ your agent to a
>> potentially-untrustworthy server. If you aren't forwarding your agent
>> then you don't need to worry.
> Quite. I desire to connect from domain1-server1 to domain1-server2
> and from domain2-server1 to domain2-server2, so forwarding is needed.

To be clear: agent forwarding is *not* needed in this scenario, and in
fact it is discouraged.

The better approach to this is what many people call "jumphosts", which
allow the ssh connection to terminate on your local machine, instead of
having the endpoint on the gateway machine.

so this pattern is bad:

 ssh -A -t monkey.example ssh banana.example

because the if monkey is compromised, the attacker can compromise your
connection to banana, and can make use of keys in your agent.

But this connection is good:

 ssh -oProxyCommand='ssh -W %h:%p monkey.example' banana.example

because your local machine is the endpoint for both ssh sessions, and
the only thing monkey.example can see is encrypted traffic.
furthermore, your agent is not exposed to monkey at all.

(note that -W was added to ssh recently -- i think in OpenSSH 5.5, so
you'll need a recent version on your local machine -- but you can
achieve the same effect with an older version of ssh if you have netcat
or socat installed on the intermediate machine).



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1030 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the openssh-unix-dev mailing list