[GTALUG] for multi-hop ssh/scp: option "ProxyJump"

D. Hugh Redelmeier hugh at mimosa.com
Sun Aug 30 10:33:52 EDT 2020


| From: Scott Sullivan via talk <talk at gtalug.org>

| Dropping your public keys, and 'ForwardAgent yes' in .ssh/config in every
| user/system along the proxy chain means you can have a single SSH command take
| you all the way to the end of the chain without being prompted for a password
| at each hop.

I felt guilty leaving this out of my previous message:

When you do a normal SSH into a host, you are not trusting that host
much.  (Of course things you actually do in your session could involve
trust.)

If you use -A (same as ForwardAgent yes), you are allowing the host to
use your private key in dealing with other hosts.  If the first host
were subverted, you could be in trouble.

For that reason I use -A sparingly.

When you use the -X (ForwardX11) feature, you are also trusting the host.  X
isn't a particularly safe protocol.  So I use this sparingly too.

In my .ssh/config:

<<<
# default dangerous things to "off" for hosts outside mimosa.com

Host *.mimosa.com
	ForwardAgent yes
	ForwardX11 yes

Host *
	ForwardAgent no
	ForwardX11 no
>>>
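An added example (not part of Hugh's or Scott's messages) that puts the
ProxyJump option from the subject line together with the defaults above:
the multi-hop login works in one command, the intermediate host never gets
to use your agent, and forwarding stays off everywhere except the hosts you
run yourself.  The host names, user name and key path are assumptions.

```sshconfig
# Added example, not from the original post.  Names below are assumptions.

# Reach "inner.example.com" through "bastion.example.com" in one command
# (same as: ssh -J bastion.example.com inner.example.com).  Each hop is
# authenticated from your own machine over a TCP connection forwarded
# through the bastion, so the bastion sees only encrypted traffic and
# never needs access to your agent.  Your public key must be in
# authorized_keys on both hosts.  Several hops: ProxyJump a,b,c
Host inner.example.com
	ProxyJump bastion.example.com

Host bastion.example.com
	User hugh
	IdentityFile ~/.ssh/id_ed25519

# ssh uses the first value obtained for each option, so the specific
# pattern must come before the catch-all "Host *" block.
Host *.mimosa.com
	ForwardAgent yes
	ForwardX11 yes

# Everything else: dangerous things off.  IdentitiesOnly stops ssh from
# offering every key in the agent to hosts you have not configured a key
# for, which also limits what a hostile server learns about you.
Host *
	ForwardAgent no
	ForwardX11 no
	IdentitiesOnly yes
```

With this in place, "ssh inner.example.com" goes through the bastion
without a password prompt at either hop, and "ssh -G inner.example.com"
(OpenSSH 6.8 and later) prints the options actually in effect, which is a
quick way to confirm that forwardagent and forwardx11 really came out as
"no" for a given host.  ProxyJump itself needs OpenSSH 7.3 or later on the
client; the bastion needs only a working sshd with TCP forwarding allowed.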

