Is there any solution, or even work on, limiting which keys gets forwarded where?
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Oct 21 00:33:46 AEDT 2015
On Tue 2015-10-20 03:08:11 -0400, hubert depesz lubaczewski wrote:
> If I run tmux locally, and my network connection dies, then I lose what
> I was doing on remote host.
> Tmux is there to protect me from losing work (let's say, in the middle
> of database upgrade) due to network issues.
if you want that kind of protection, run tmux (or GNU screen) on the
remote host itself. that will protect you from outages on the jumphost
as well.
> I'm concerned about safety (someone having access to my agent socket,
> shouldn't really have access to all my keys), and convenience (not
> having to retype the password every time).
a local ssh agent, not forwarded, with a controlMaster socket for the
jumphost, and your keys loaded with confirmation prompt seems like the
solution that would solve the most problems:
~/.ssh/config:
--------------
Host jumphost.example
    # share one connection to the jumphost; ask before each new session reuses it
    ControlMaster autoask
    # the ~/.ssh/masters directory must already exist
    ControlPath ~/.ssh/masters/%r@%h:%p
    # "Host *.example" below also matches the jumphost; the first value
    # obtained wins, so this keeps it from trying to proxy through itself
    ProxyCommand none
Host *.example
    # reach every other *.example host through the jumphost; keys stay local
    ProxyCommand ssh -W %h:%p jumphost.example
--------------
Before connecting, ensure that ssh-agent is running and do:
ssh-add -c /path/to/my/key
You'll have to type your password exactly once.
When you get a prompt for the use of your key, or a prompt to use the
control master, you can just hit "OK" or type "yes".
if your workflow is just to connect to one remote machine from your
local computer, do:
ssh -t foo.example tmux
If your workflow is to connect to multiple machines, start with:
ssh jumphost.example
and leave that session open while you do the rest of your work from your
local computer:
ssh -t foo.example tmux
ssh -t bar.example tmux
hth,
--dkg
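Added example, not part of dkg's message: a POSIX shell script that writes the configuration above to a temporary file, adds an explicit ForwardAgent no, and uses `ssh -G` (which prints the configuration ssh would use for a host without connecting to it) to check that jumphost.example connects directly, that foo.example and bar.example are proxied through the jumphost with ssh -W, and that no host forwards the agent. The hostnames are the ones from the message; the temporary directory, the ForwardAgent line and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original message. Writes dkg's ~/.ssh/config
# fragment (plus an explicit ForwardAgent no) to a temporary file and asks
# ssh -G, which prints the effective configuration for a host without
# connecting, how each host resolves. Hostnames come from the message; the
# temporary directory and the helper names are assumptions.
set -eu

command -v ssh >/dev/null 2>&1 || { echo "ssh not found; nothing to check" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CONF="$WORK/config"
mkdir -m 700 "$WORK/masters"   # the ControlPath directory must already exist

cat > "$CONF" <<EOF
Host jumphost.example
    ControlMaster autoask
    ControlPath $WORK/masters/%r@%h:%p
    # "Host *.example" below also matches the jumphost; the first value
    # obtained wins, so this stops the jumphost from proxying through itself.
    ProxyCommand none

Host *.example
    ProxyCommand ssh -W %h:%p jumphost.example

# Keys never leave this machine: the agent is not forwarded anywhere.
Host *
    ForwardAgent no
EOF

# resolved <host> <option>: the value ssh would use for <option> when
# connecting to <host>, read from ssh -G (option names are lower-case).
resolved() {
    ssh -G -F "$CONF" "$1" | sed -n "s/^$2 //p" | head -n 1
}

# connects_direct <host>: true if no ProxyCommand applies to <host>.
# ssh -G omits the line entirely for "ProxyCommand none"; accept "none" too.
connects_direct() {
    case "$(resolved "$1" proxycommand)" in
        ""|none) return 0 ;;
        *)       return 1 ;;
    esac
}

# uses_jumphost <host>: true if <host> is reached with ssh -W via the jumphost.
uses_jumphost() {
    case "$(resolved "$1" proxycommand)" in
        *-W*jumphost.example*) return 0 ;;
        *)                     return 1 ;;
    esac
}

for h in jumphost.example foo.example bar.example; do
    printf '%-18s proxycommand=[%s] controlmaster=%s forwardagent=%s\n' \
        "$h" "$(resolved "$h" proxycommand)" \
        "$(resolved "$h" controlmaster)" "$(resolved "$h" forwardagent)"
done
```

The script connects to nothing, so it is safe to run anywhere ssh is installed. To confirm the same property on a live setup, compare `ssh-add -l` locally with `ssh jumphost.example ssh-add -l`: the remote command should fail to find an agent, because the socket is never forwarded and the jumphost only relays the TCP stream with -W.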