ssh-agent use in different security domains

Saku Ytti saku at
Thu Oct 27 06:15:41 EST 2011

On 26 October 2011 22:10, Daniel Kahn Gillmor <dkg at> wrote:

> no, if you do not forward your agent (that is, if you do not enable
> ForwardAgent), the machine you connect to cannot access the keys in your
> agent, regardless of the number of intermediate hops.

Let's not discuss this; let's just assume a situation where you do need to jump
between multiple hosts in two different security domains.
If there is a usage scenario for ForwardAgent, there is a usage scenario for
ForwardAgent in multiple security domains.

> By default ForwardAgent should be set to "no" in ssh_config.  If you run
> a distribution that has ForwardAgent set to "yes" by default, please
> inform them that it should *always* default to "no".  This would be a
> serious bug.

No, I've not run into one. And this thread is exactly because I need to
now add an agent towards another domain, to which I don't want to expose
my domain1 keys.
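One way to do what the post asks for, added here as an example and not part of the thread: run one ssh-agent per security domain and pick the agent in ssh_config with IdentityAgent (available from OpenSSH 7.3, so newer than this 2011 message), enabling ForwardAgent only toward hosts in the domain whose keys that agent holds. Host names, socket paths and key file names are assumptions.

```sshconfig
# ~/.ssh/config (constructed example; host names, paths and key names are made up)
#
# Start one agent per domain and load only that domain's key into it:
#   ssh-agent -a ~/.ssh/agent-domain1.sock
#   SSH_AUTH_SOCK=~/.ssh/agent-domain1.sock ssh-add ~/.ssh/id_domain1
#   ssh-agent -a ~/.ssh/agent-domain2.sock
#   SSH_AUTH_SOCK=~/.ssh/agent-domain2.sock ssh-add ~/.ssh/id_domain2

# Domain 1: its own agent and key. Forwarding is on so jumps inside
# domain 1 can use the domain1 key, but the forwarded agent holds
# nothing else, so domain2 keys are never exposed to domain 1 hosts.
Host jump1.domain1.example *.domain1.example
    IdentityAgent ~/.ssh/agent-domain1.sock
    IdentityFile ~/.ssh/id_domain1
    IdentitiesOnly yes
    ForwardAgent yes

# Domain 2: a separate agent holding only the domain2 key.
Host jump2.domain2.example *.domain2.example
    IdentityAgent ~/.ssh/agent-domain2.sock
    IdentityFile ~/.ssh/id_domain2
    IdentitiesOnly yes
    ForwardAgent yes

# Everything else: no agent at all and no forwarding. This block must
# come LAST: ssh_config uses the first value set for each option, so a
# "Host *" placed at the top would silently override the blocks above.
Host *
    IdentityAgent none
    ForwardAgent no
```

Check the effective result for a given host with `ssh -G jump2.domain2.example | grep -i -E 'forwardagent|identityagent'`, which prints the options ssh would actually use after matching.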
