Transferring files between servers on a private network?
Brian Candler
b.candler at pobox.com
Thu Dec 10 06:39:32 AEDT 2020
On 09/12/2020 18:45, Steve Dondley wrote:
> Ok, thanks for the insight.
>
> Yeah, I was trying to avoid agent forwarding because of the advice
> I've seen to avoid it, if possible.
As far as I know, you'd mainly want to avoid it if you don't trust the
left-hand machine (i.e. the source, the one you called "B"). A
malicious administrator on that host could connect to your agent socket
and authenticate, as you, to any other machine that trusts your key.
But to be honest, if a machine is malicious, I wouldn't want to ssh into
it in the first place. It could do plenty of other nasty things, such
as logging my keystrokes.
>
> Only other method I can think of is to have a third machine, machine
> C, that is only available on the private network and contains the
> private key for all the other machines. So I'd log into machine C via
> some bastion/jump server. Machine C would hold the private key used
> by machine B and machine A and I could use it to transfer files
> between machines A and B.
Copying your private key onto other machines is, in general, way less
secure than using agent forwarding.
You could ssh to C (that you trust), with agent forwarding enabled, and
use it to third-party copy between B and A (*without* enabling agent
forwarding from C to B or C to A).
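The arrangement described in this reply, written out as an added example (it is not code from the thread or from OpenSSH): an ssh_config policy that hands the agent socket only to the one trusted hop C, and the scp -3 invocation run on C that relays the file from B to A so neither B nor A ever sees the agent. The host aliases jumpc, hostb and hosta and the file paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Host aliases jumpc, hostb, hosta
# and the file paths are placeholders.

# Minimal ~/.ssh/config policy for the workstation: agent forwarding is off
# everywhere except the single host you trust (C). Writes to the path given
# in $1 so the result can be inspected without touching the real config.
write_ssh_config() {
  cat > "$1" <<'EOF'
# Default: never hand out the agent socket.
Host *
    ForwardAgent no

# The one trusted hop; the agent is reachable only while logged in here.
Host jumpc
    ForwardAgent yes
EOF
}

# The command you would run ON C after "ssh jumpc": scp -3 makes C relay the
# data between B and A, so C authenticates to both using the forwarded agent,
# and the explicit ForwardAgent=no on both legs means neither B nor A can
# reach the agent socket.
third_party_copy_cmd() {
  src="$1"   # e.g. hostb:/srv/data/report.tgz
  dst="$2"   # e.g. hosta:/srv/incoming/
  printf '%s' "scp -3 -o ForwardAgent=no $src $dst"
}

# Sanity check for the generated config: exactly one host may forward the agent.
count_forward_agent_yes() {
  grep -c 'ForwardAgent yes' "$1"
}
```

With this in place, `ssh jumpc` forwards the agent to C only; from C, `scp -3 -o ForwardAgent=no hostb:/srv/data/report.tgz hosta:/srv/incoming/` moves the file without the private key ever being copied anywhere.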
More information about the openssh-unix-dev mailing list