ssh-agent use in different security domains
saku at ytti.fi
Thu Oct 27 16:58:07 EST 2011
On 26 October 2011 23:52, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> I suppose i'm arguing right now that the only legitimate usage scenario
> for ForwardAgent is when the user doesn't understand how to use
> ProxyCommand for a jumphost.
> I'd rather streamline the jumphost case than add extra cruft that might
> encourage users to forward their agent.
I sometimes need to jump from several intermediate routers and it seems to
me there is somewhat large overhead (as of today) on using it.
I might be in domain2-server1 and need to jump back and forth on several
domain2 servers, and sometimes not even directly from server1 to serverN
but server7 might only be reachable from server3 or so.
I suppose ProxyCommand is easier to fix, as it requires no protocol
changes, and I'm certainly biased as I've used agent lot, but not
ProxyCommand. Just hard to imagine how to make it as unobtrusive
as ssh-agent, only thing ssh-agent really is missing (and only thing makes
it insecure) is not having any idea who is requesting the signing.
More information about the openssh-unix-dev