ssh-agent use in different security domains
Alan Barrett
apb at cequrux.com
Thu Oct 27 18:36:13 EST 2011
On Thu, 27 Oct 2011, Alex Bligh wrote:
>I'm also not sure you can use ProxyCommand to use more than one
>intermediate host in a row.
You can. Just put this in your .ssh/config, and then run "ssh host3".
It works fine for scp too.

    Host host3
        ProxyCommand ssh -W %h:%p host2
        User user3

    Host host2
        ProxyCommand ssh -W %h:%p host1
        User user2

    Host host1
        User user1

>What I'd like to see is (and I think this is just command line
>processing, plus possibly detection of -W support on the intermediate
>host):
>
>    ssh --via intermediateA1.example.com
>        --via intermediateA2.example.com
>        remoteA.example.com
>
>    scp -3 --via intermediateA1.example.com
>           --via intermediateA2.example.com
>           remoteA.example.com:file
>           --via intermediateB1.example.com
>           remoteB.example.com:file
There's no need for -W support on intermediate hosts;
the intermediate host sees a channel request that's
(almost?) indistinguishable from what would happen with "-L".
I agree that "--via" would be a convenient command line shorthand
for cases where you don't want to edit .ssh/config. (Passing -O
ProxyCommand on a command line typed by hand is cumbersome for one
hop, and infeasible for more than one hop.)
--apb (Alan Barrett)
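
Added example, not part of the original message and not OpenSSH code: a small generator that turns an ordered list of hops into the chained .ssh/config stanzas shown above, for any number of intermediate hosts. The names parse_hop and via_config and the allow-list patterns are assumptions of this example; hop names are validated because ProxyCommand is executed through the user's shell.

```python
import re

# Conservative allow-lists (an assumption of this example): ProxyCommand is
# run through the user's shell, so hop names must not carry whitespace,
# shell metacharacters or a leading "-" that ssh would read as an option.
_HOST = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")
_USER = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]{0,31}")


def parse_hop(spec):
    """Split 'user@host' (or 'host') into (user, host), rejecting unsafe names."""
    user, sep, host = spec.rpartition("@")
    if sep and not _USER.fullmatch(user):
        raise ValueError(f"unsafe user name in hop {spec!r}")
    if not _HOST.fullmatch(host):
        raise ValueError(f"unsafe host name in hop {spec!r}")
    return (user or None), host


def via_config(hops):
    """Return ssh_config text reaching hops[-1] through hops[:-1], in order.

    hops[0] is reached directly; every later hop gets a ProxyCommand that
    runs 'ssh -W %h:%p' through the hop before it.
    """
    parsed = [parse_hop(h) for h in hops]
    if not parsed:
        raise ValueError("at least one hop is required")
    if len({host for _, host in parsed}) != len(parsed):
        raise ValueError("a host appears twice; the chain would loop")
    stanzas = []
    # Emit the final destination first, matching the order in the message.
    for i in range(len(parsed) - 1, -1, -1):
        user, host = parsed[i]
        lines = [f"Host {host}"]
        if i > 0:
            lines.append(f"    ProxyCommand ssh -W %h:%p {parsed[i - 1][1]}")
        if user:
            lines.append(f"    User {user}")
        stanzas.append("\n".join(lines))
    return "\n\n".join(stanzas) + "\n"


if __name__ == "__main__":
    # Constructed sample: the three-hop chain from the message.
    print(via_config(["user1@host1", "user2@host2", "user3@host3"]), end="")
```
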
More information about the openssh-unix-dev mailing list