Is there any solution, or even work on, limiting which keys gets forwarded where?

Philip Hands phil at hands.com
Tue Oct 20 19:56:27 AEDT 2015


hubert depesz lubaczewski <depesz at depesz.com> writes:

> On Tue, Oct 20, 2015 at 01:31:46AM +0200, Ángel González wrote:
>> On 16/10/15 12:46, hubert depesz lubaczewski wrote:
>> >On Thu, Oct 15, 2015 at 04:15:03PM -0400, Daniel Kahn Gillmor wrote:
>> >>>  if the intermediary machine (the "jumphost") is jumphost.example, and
>> >>>  you are trying to reach bar.example.com (which is behind the firewall),
>> >>>  you would do:
>> >>>    ssh -oProxyCommand='ssh jumphost.example -W %h:%p' bar.example.com
>> >We use jump host, but there are literally hundreds of hosts behind it.
>> >And since I often need to run things on multiple hosts, I ssh to jump
>> >host, start tmux session, and ssh from there wherever I need.
>> You can run tmux locally. Don't worry about having to add the
>> 
>> -oProxyCommand='ssh jumphost.example -W %h:%p' each time. That can be abstracted
>> in the ssh_config. You can simply provide the name as you used on the jumphos, but
>> have ssh automatically connect to it "the right way".
>
> If I run tmux locally, and my network connection dies, then I lose what
> I was doing on remote host.
> Tmux is there to protect me from losing work (let's say, in the middle
> of datbase upgrade) due to network issues).
>
>> If you are concerned about having to perform two ssh logins (automatically, as
>> performed by the key authentication) per connection, you can make it use a master
>> ssh connection so there's a single connection to the jumphost through all the others
>> are tunneled.
>
> I'm concerned about safety (someone having access to my agent socket,
> shouldn't really have access to all my keys), and convenience (not
> having to retype the password every time).

The way to address that concern is to never forward the agent off of the
local machine (which can be acheived via the ProxyCommand approach),
then you don't even have to consider which remote hosts you trust with
which keys.

Cheers, Phil.
-- 
|)|  Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
|-|  http://www.hands.com/    http://ftp.uk.debian.org/
|(|  Hugo-Klemm-Strasse 34,   21075 Hamburg,    GERMANY
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 818 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20151020/e1fdedb8/attachment.bin>


More information about the openssh-unix-dev mailing list