ssh-agent use in different security domains

Saku Ytti saku at
Thu Oct 27 17:00:02 EST 2011

2011/10/27 Ángel González <keisial at>:

> What's your problem with the jumphosts solution dkg proposed?

Maybe there isn't, maybe I judged it unfairly out of being used to agent. But
quickly it seems like lot of overhead, when agent has 0 overhead once
setup, normal ssh host works just fine.

> You connect to monkey and tell monkey to tunnel a connection to banana.
> A second ssh instance is launched *in your computer* which connects to
> banana through that tunnel.
> You have two ssh instances locally and no agent forwarding (thus no
> identity thief).

Yeah I get the idea, from security POV I'm always connecting directly, thus
no need for agent traversing network. Just setting it up where you need to jump
back-and-forth often and possibly through several intermediate routers seems
bit high.


More information about the openssh-unix-dev mailing list