Is there any solution, or even work on, limiting which keys gets forwarded where?

hubert depesz lubaczewski depesz at
Fri Oct 16 21:46:44 AEDT 2015

On Thu, Oct 15, 2015 at 04:15:03PM -0400, Daniel Kahn Gillmor wrote:
> if the intermediary machine (the "jumphost") is jumphost.example, and
> you are trying to reach (which is behind the firewall),
> you would do:
>  ssh -oProxyCommand='ssh jumphost.example -W %h:%p'

We use jump host, but there are literally hundreds of hosts behind it.
And since I often need to run things on multiple hosts, I ssh to jump
host, start tmux session, and ssh from there wherever I need.

Not to mention that in case like above, I would have to type the
password to key two times, which is complicated, to put it lightly, as
I use very long, very secure passphrases.

> Another approach, if you find you must forward your agent, is to load
> all keys in your agent with confirmation prompt required (ssh-add -c)
> so that your local machine is still in control of when the different
> keys get used.

Yeah, but that will (from what I understand from man) re-ask for my
password, which is highly impractical given the above passphrase

Best regards,


More information about the openssh-unix-dev mailing list