ssh-agent use in different security domains

Ángel González keisial at
Thu Oct 27 08:48:10 EST 2011

Saku Ytti wrote:
> 2011/10/26 Ángel González <keisial at>:
>> Only your ssh program instance can talk with your ssh-agent, because it
>> is running locally. Without agent forwarding, programs on the other host
>> can't connect to your agent, much less use your keys.
> Quite, but question here is, when you need to have ssh-agent in two different
> security domains. How to do it.
What's your problem with the jumphosts solution dkg proposed?

You connect to monkey and tell monkey to tunnel a connection to banana.
A second ssh instance is launched *in your computer* which connects to
banana through that tunnel.
You have two ssh instances locally and no agent forwarding (thus no
identity theft).
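
The jumphost setup described above written as a client-side ssh_config, an added example that is not part of the original post; the host names monkey and banana are the post's placeholders, and the addresses and user name are assumptions:

```sshconfig
# Added example, not from the mailing list post.
# Two ssh instances run on the local machine: the first connects to the
# jumphost "monkey" and opens a tunnel, the second authenticates to
# "banana" through that tunnel. Neither hop forwards the agent, so the
# jumphost never gets a socket it could use to sign with your keys.

Host monkey
    HostName monkey.example.org      # assumed address of the jumphost
    User alice                       # assumed user name
    ForwardAgent no                  # agent stays local

Host banana
    HostName banana.internal         # assumed; a name monkey can resolve
    User alice                       # assumed user name
    # "ssh -W host:port" (OpenSSH 5.4 and later) forwards stdin/stdout to
    # banana's sshd via monkey. %h and %p expand to HostName and Port above.
    ProxyCommand ssh -W %h:%p monkey
    ForwardAgent no                  # banana gets no agent socket either
```

With this in place, `ssh banana` authenticates both hops from the local agent, and `ssh banana 'echo ${SSH_AUTH_SOCK:-unset}'` should print `unset`, confirming that no agent socket reached the far side.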

More information about the openssh-unix-dev mailing list