Transferring files between servers on a private network?

Steve Dondley sdondley at gmail.com
Thu Dec 10 06:49:13 AEDT 2020


Very interesting food for thought. So let me make sure I understand what I
need to do here as I try to reverse 2 decades of cluelessness (I literally
never heard of agent forwarding until last night):

So I'll add the pem file with ssh-add on my local machine and then I'll be
able to log into C and then once in C I can run the scp command to move
files between B and A via the private network. Have I got that right?



On Wed, Dec 9, 2020 at 2:39 PM Brian Candler <b.candler at pobox.com> wrote:

> On 09/12/2020 18:45, Steve Dondley wrote:
> > Ok, thanks for the insight.
> >
> > Yeah, I was trying to avoid agent forwarding because of the advice
> > I've seen to avoid it, if possible.
>
> As far as I know, you'd mainly want to avoid it if you don't trust the
> left-hand machine (i.e. the source, the one you called "B").  A
> malicious administrator on that host could connect to your agent socket
> and authenticate, as you, to any other machine that trusts your key.
>
> But to be honest, if a machine is malicious, I wouldn't want to ssh into
> it in the first place.  It could do plenty of other nasty things, such
> as logging my keystrokes.
>
> >
> > Only other method I can think of is to have a third machine, machine
> > C, that is only available on the private network and contains the
> > private key for all the other machines. So I'd log into machine C via
> > some bastion/jump server. Machine C would hold the private the
> > key used by machine B and machine A and I could use it to transfer
> > files between machines A and B.
>
> Copying your private key onto other machines is, in general, way less
> secure than using agent forwarding.
>
> You could ssh to C (that you trust), with agent forwarding enabled, and
> use it to third-party copy between B and A (*without* enabling agent
> forwarding from C to B or C to A)
>
>
>

-- 
Prometheus Labor Communications, Inc.
http://prometheuslabor.com
413-572-1300

UnionConnect Phone App for Labor Unions
http://unionconnect.com


More information about the openssh-unix-dev mailing list