ssh-agent use in different security domains
Saku Ytti
saku at ytti.fi
Thu Oct 27 17:00:02 EST 2011
2011/10/27 Ángel González <keisial at gmail.com>:
> What's your problem with the jumphosts solution dkg proposed?
Maybe there isn't, maybe I judged it unfairly out of being used to agent. But
quickly it seems like a lot of overhead, when agent has 0 overhead once
set up, normal ssh host works just fine.
> You connect to monkey and tell monkey to tunnel a connection to banana.
> A second ssh instance is launched *in your computer* which connects to
> banana through that tunnel.
> You have two ssh instances locally and no agent forwarding (thus no
> identity thief).
Yeah I get the idea, from security POV I'm always connecting directly, thus
no need for agent traversing network. Just setting it up where you need to jump
back-and-forth often and possibly through several intermediate routers seems
a bit high.
--
++ytti
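
The jump-host setup described in the quoted text, written out as a client-side `~/.ssh/config`. This is an added example, not part of the original message. The host names monkey and banana come from the thread; cherry is a hypothetical further hop, and `ssh -W` assumes OpenSSH 5.4 or later on the client.

```sshconfig
# Agent-forwarding variant, shown for contrast and left commented out:
# the agent socket is exposed on monkey, so anyone with root on monkey
# can ask the agent to sign for the duration of the session.
#
# Host monkey
#     ForwardAgent yes
# ...followed by running "ssh banana" from a shell on monkey.

# Jump-host variant: the first ssh only carries a TCP stream to
# banana's port 22; the second ssh runs locally and authenticates to
# banana end to end, so the agent never leaves the workstation.
Host monkey
    ForwardAgent no

Host banana
    # %h and %p expand to the target host and port (banana, 22).
    ProxyCommand ssh -W %h:%p monkey
    ForwardAgent no

# Hypothetical third hop behind banana. "ssh -W ... banana" itself
# matches the banana block above, so the chain monkey -> banana ->
# cherry is built automatically by typing "ssh cherry".
Host cherry
    ProxyCommand ssh -W %h:%p banana
    ForwardAgent no

# Default for everything else. ssh_config uses the first value
# obtained for each option, so this block stays last.
Host *
    ForwardAgent no
```

Each hop needs one `Host` block, written once; after that `ssh banana` or `ssh cherry` is typed exactly as for a directly reachable host.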