[GTALUG] SSH Agent Forwarding
D. Hugh Redelmeier
hugh at mimosa.com
Thu Dec 17 22:59:28 UTC 2015
| From: Giles Orr <gilesorr at gmail.com>
| So I see that agent forwarding might be unwise if you don't trust the
| administrator or the machine is compromised (and yes, you can never be
| sure a machine is secure), but if you're worried about the security of
| the remote host, storing private keys on it and reauthenticating seems
| worse. Am I missing something?
You could have a more limited identity on C for which you are willing
to disclose enough on B so that it can authenticate with C.

Your identity on A is all-powerful. You can SSH to B, proving you
have this identity.

You can ssh from B to C with a weaker identity. But, of course, the
private key then needs to be on B (or you use a password, not really better).

I don't recommend it, I just note it.
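
As an added illustration of the "more limited identity on C" idea above (not part of the original message): a Python check over the text of C's authorized_keys that reports which keys lack OpenSSH's per-key restrictions (`from=`, `command=`, `restrict`). The sample file, key blobs, address, command path and comments are constructed placeholders.

```python
# Added example: audit authorized_keys text on host C for unrestricted keys.
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # how a key-type field starts
REENABLE = {"pty", "port-forwarding", "agent-forwarding", "x11-forwarding", "user-rc"}
NO_FWD = {"no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding"}

# Constructed sample: key blobs, address, command and comments are placeholders.
SAMPLE = r'''
# C:~/.ssh/authorized_keys
ssh-ed25519 AAAAC3ConstructedBlobOne main@A
restrict,from="192.0.2.10",command="/usr/local/bin/pull --dir \"/srv/a,b\"" ssh-ed25519 AAAAC3ConstructedBlobTwo limited@B
from="192.0.2.10" ssh-rsa AAAAB3ConstructedBlobThree partial@B
'''

def split_options(line):
    """Split the leading options field; commas and spaces inside quotes are kept."""
    opts, cur, quoted = [], [], False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            quoted = not quoted
        if not quoted and ch in ", ":
            opts.append("".join(cur))
            cur = []
            if ch == " ":  # an unquoted space ends the options field
                return opts, line[i:].lstrip()
        else:
            cur.append(ch)
    return opts + ["".join(cur)], ""

def audit(text):
    """Return [(key comment, [findings])] for every key line in the text."""
    report = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        opts = []
        if not line.startswith(KEY_PREFIXES):
            opts, line = split_options(line)
        names = {o.split("=", 1)[0].lower() for o in opts}
        parts = line.split(None, 2)
        label = parts[2] if len(parts) > 2 else parts[0]
        findings = []
        if "from" not in names:
            findings.append("no from= (usable from any host)")
        if "command" not in names:
            findings.append("no command= (any command or shell)")
        locked = ("restrict" in names and not names & REENABLE) or NO_FWD <= names
        if not locked:
            findings.append("forwarding/pty not disabled")
        report.append((label, findings))
    return report
```

An empty findings list means the key carries all three kinds of restriction; the unrestricted `main@A` line is the kind of entry that makes a key stored on B as powerful as the identity on A.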