ssh-agent use in different security domains

Alan Barrett apb at
Thu Oct 27 17:42:33 EST 2011

On Thu, 27 Oct 2011, Saku Ytti wrote:
>> What's your problem with the jumphosts solution dkg proposed?
> Maybe there isn't, maybe I judged it unfairly out of being used 
> to agent. But quickly it seems like lot of overhead, when agent 
> has 0 overhead once setup, normal ssh host works just fine.

Once you add a fewlines to your .ssh/config, normal "ssh host" works
fine with ProxyCommand too.  Just add this to .ssh/config:

     Host target.example
         ProxyCommand ssh -W %h:%p user at intermediary.example

and then you can simnply run "ssh target.example" and the right thing
will happen: behind the scenes, it will run "ssh -W target.example:22
user at intermediary.example" (which will use your ssh agent if
appropriate), and then it will tunnel a connection to target.example
using the channel through intermediary.example (which will again use
your ssh agent if appropriate).

Sure, you'll use a little more CPU and network resources
than with

     ssh user at intermediary.example ssh user at target.example

but you probably won't notice the difference, and it's easier and 

It used to be difficult to write ProxyCommand scripts that did not 
rely on special software on the intermediary host, but now "ssh 
-W" makes it so easy.  (I wrote a >100 line perl script several 
years ago to provide the interface that "ssh -W" provides today; 
it had to loop searching for an available local TCP port to use, 
run a child ssh process with an appropriate "-L" option, run 
another process to copy stdin/stdout to/from the local TCP port, 
and it needed to carefully clean up after a signal.)

--apb (Alan Barrett)

More information about the openssh-unix-dev mailing list