ssh-agent use in different security domains
Alan Barrett
apb at cequrux.com
Thu Oct 27 17:42:33 EST 2011
On Thu, 27 Oct 2011, Saku Ytti wrote:
>> What's your problem with the jumphosts solution dkg proposed?
>
> Maybe there isn't, maybe I judged it unfairly out of being used
> to agent. But quickly it seems like lot of overhead, when agent
> has 0 overhead once setup, normal ssh host works just fine.
Once you add a few lines to your .ssh/config, normal "ssh host" works
fine with ProxyCommand too. Just add this to .ssh/config:
    Host target.example
        ProxyCommand ssh -W %h:%p user@intermediary.example
and then you can simply run "ssh target.example" and the right thing
will happen: behind the scenes, it will run "ssh -W target.example:22
user@intermediary.example" (which will use your ssh agent if
appropriate), and then it will tunnel a connection to target.example
using the channel through intermediary.example (which will again use
your ssh agent if appropriate).
Sure, you'll use a little more CPU and network resources than with
    ssh user@intermediary.example ssh user@target.example
but you probably won't notice the difference, and it's easier and
safer.
It used to be difficult to write ProxyCommand scripts that did not
rely on special software on the intermediary host, but now "ssh
-W" makes it so easy. (I wrote a >100 line perl script several
years ago to provide the interface that "ssh -W" provides today;
it had to loop searching for an available local TCP port to use,
run a child ssh process with an appropriate "-L" option, run
another process to copy stdin/stdout to/from the local TCP port,
and it needed to carefully clean up after a signal.)
--apb (Alan Barrett)
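The two approaches discussed above, side by side as an added ssh_config example (not part of the original message); host names, the user name and the key file path are assumed:

```sshconfig
# Added example, not from the original message. Host names, user name and
# key file path are assumed.

# Weak: log into the intermediary with the agent forwarded, then run
# "ssh target.example" from there. While you are connected, anything
# running as root on intermediary.example can sign with every key your
# agent holds. Shown only for contrast; do not keep both stanzas.
Host intermediary.example
    User user
    ForwardAgent yes

# Preferred: tunnel through the intermediary with "ssh -W". Both hops are
# authenticated from your own machine, so the agent is consulted locally
# and is never exposed to the intermediary, which only relays the
# encrypted bytes of the inner session.
Host target.example
    User user
    ProxyCommand ssh -W %h:%p user@intermediary.example
    ForwardAgent no
    # Offer only the key meant for this security domain, not every key
    # the agent holds.
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_target

# OpenSSH 7.3 and later can express the same thing as
#     ProxyJump user@intermediary.example
# in place of the ProxyCommand line.
```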