ssh-agent use in different security domains

Saku Ytti saku at ytti.fi
Fri Feb 24 23:48:21 EST 2012


On (2012-02-24 14:26 +0200), Alan Barrett wrote:
 
> Oh, I didn't understand that the C->D connection needed a key from
> A.  Even so, you could forward the agent connection from A to C, and
> allow C to use the agent's key to connect to D, without needing to
> expose the agent to B.

What is the general feeling in the SSH community on the usability of agent
forwarding and proxy command?
I feel that proxy command is a bit too complex and does not solve all the issues.
And agent is too insecure.

Are the issues solvable? ProxyCommand probably does solve the original question
I had in this thread, but seems not to remove all need for agent forwarding.

For ProxyCommand I'd love to see syntactic sugar like this:
----
# cat >> .ssh/config
Host org1-ultimate
  path org1-firstjump, org1-secondjump
^d
# ssh org2-firstjump,org2-secondjump,org2-ultimate
# ssh org1-ultimate
----

Showing how to jump through multiple boxes with config or directly from the CLI.
I'd like to believe this would be well received.

But this still leaves open the question of how we support this scp issue in a
user-friendly way: is ProxyCommand or another such secure channel for key exchange
all it takes? Or should agent forwarding be fixed to be (more) secure?

-- 
  ++ytti
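As an added example (not part of the thread or of OpenSSH itself), the following POSIX shell helper emulates the proposed "path" sugar by emitting ssh_config stanzas that chain `ssh -W` ProxyCommands. The host names are the placeholders from the post above; the point is that each hop is authenticated end-to-end from the origin host, so no private key and no agent socket is ever exposed on the intermediate jump hosts.

```shell
#!/bin/sh
# Added example: generate ProxyCommand chains for multi-hop ssh.
# Emulates the proposed
#   Host org1-ultimate
#     path org1-firstjump, org1-secondjump
# sugar. Each hop after the first is reached through a TCP forward
# (ssh -W) opened on the previous hop; the intermediate host only relays
# bytes and never sees the next hop's key or an agent socket.

# chain_config ULTIMATE [HOP1 HOP2 ...]  -> ssh_config stanzas on stdout
chain_config() {
    ultimate=$1; shift
    prev=""
    for hop in "$@" "$ultimate"; do
        if [ -z "$prev" ]; then
            # First hop: a direct connection, nothing to proxy through.
            printf 'Host %s\n' "$hop"
        else
            # Later hops tunnel through the previous one; %h/%p are
            # expanded by ssh itself, hence the escaped %% in printf.
            printf 'Host %s\n  ProxyCommand ssh -W %%h:%%p %s\n' "$hop" "$prev"
        fi
        prev=$hop
    done
}

# chain_from_path ULTIMATE "HOP1, HOP2"  -> same, taking the comma list
# exactly as written in the proposed "path" directive.
chain_from_path() {
    hops=$(printf '%s' "$2" | tr ',' ' ')
    # Unquoted on purpose: the shell splits the space-separated hop names.
    chain_config "$1" $hops
}

# Example run with the placeholder hosts from the proposal:
chain_from_path org1-ultimate "org1-firstjump, org1-secondjump"
```

Newer OpenSSH releases ship this chaining natively as `ProxyJump` / `ssh -J`, which resolves the "syntactic sugar" wish while keeping the same end-to-end key property.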