ssh-agent use in different security domains

Alan Barrett apb at
Fri Feb 24 23:26:07 EST 2012

On Fri, 24 Feb 2012, Saku Ytti wrote:
>> With ProxyCommand, you'd just do:
>> a% ssh c scp file d:
>> and the intermediate step of hopping through b would be handled by a
>> ProxyCommand setting in your .ssh/config file:
>>    Host c
>>        ProxyCommand ssh -W %h:%p b
>Curious. I need some cluebat, how does the key authentication work here.
>D needs key which is only in a, but d is asking for it from c, is it not?
>There is no magic lines for c<->d connectivity.

Oh, I didn't understand that the C->D commenction needed a key 
from A.  Even so, you could forward the agent connection from A 
to C, and allow C to use the agent's key to connect to D, without 
needing to expose the agent to B.

--apb (Alan Barrett)

More information about the openssh-unix-dev mailing list