Author: Lars Noodén
Date:  
To: dng
Subject: Re: [DNG] Using ssh-agent in multiple logins
On 3/30/26 16:28, Didier Kryn wrote:
> Le 30/03/2026 à 12:30, Didier Kryn a écrit :
>> Le 29/03/2026 à 16:44, R A Montante, Ph.D. via Dng a écrit :
>>>> Date: Sun, 29 Mar 2026 01:25:52 +1100
>>>> From: Tom <wirelessduck@???>
>>>> Subject: [DNG] Using ssh-agent in multiple logins
>>>>
>>>> I'm trying to learn how to use ssh-agent.  I followed the instructions
>>>> at https://www.ssh.com/academy/ssh/agent.
>>>>
>>>> I have a remote machine that I login to over ssh from my desktop and
>>>> want to run ssh-agent on this remote machine for further connections to
>>>> other machines in a remote network.
>>>
>>> Perhaps I'm missing the point --- are you trying to login to other
>>> remote machines, or understand "ssh-agent"? If the goal is to login
>>> to other remote machines, you can configure the "first" remote ssh
>>> daemon to forward connections to other ones. I used this to tunnel
>>> through a firewall when I had one Internet-visible machine and a set
>>> of internal-only machines.
>>>
>>>
>>     Yes. And you can do that by editing ~/.ssh/config
>>
>>
>     Example:
>
> Host *
>    PubkeyAuthentication yes
>    ForwardAgent yes
>    ForwardX11 yes
>    StrictHostKeyChecking no

Or with ProxyJump (-J) instead:

Host outer
    Hostname bastion.example.org
    IdentityFile some_key.ed25519
    User foo

Host inner
    Hostname 192.168.1.16
    IdentityFile another_key.ed25519
    ProxyJump outer
    User bar

Host *
    IdentitiesOnly yes

Then you can enter `ssh inner` from anywhere on the net from which
bastion.example.org is accessible and pass through it to the inner
system. The number of jumps can be arbitrarily many. No agents need to
be forwarded, nor do any keys need to be stored on remote systems, and
the traffic passing through the intermediate hosts remains fully encrypted.

In contrast, with agent forwarding if (when) passing through a
compromised system, an attacker can exploit the forwarded agent socket
to log in on their own as long as the session is open. See:

"The pitfalls of using ssh-agent, or how to use an agent safely"
https://rabexc.org/posts/pitfalls-of-ssh-agents

Also, StrictHostKeyChecking should be "yes"

/Lars
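The following is an added example for this thread, not code posted by Lars, Didier or anyone else on the list. It reads an ssh_config fragment, resolves the chain of hosts that `ssh inner` would connect through (first obtained value wins, as in ssh_config(5)), and flags the two settings the reply above objects to, `ForwardAgent yes` and `StrictHostKeyChecking no`. The config text is constructed for the example by combining the two configs quoted in the thread; the host names, key file names and the 192.168.1.16 address are placeholders, and only the subset of ssh_config syntax used here (`Keyword value` lines, `#` comments, `Host` patterns with `*`, `?` and `!` negation) is handled.

```python
"""Resolve a ProxyJump chain from ssh_config text and flag risky settings.

Added example, not from the mailing-list thread. SAMPLE_CONFIG is
constructed for the example; its host names, key files and address are
placeholders modelled on the two configs quoted in the thread.
"""
from fnmatch import fnmatchcase

SAMPLE_CONFIG = """\
Host outer
    Hostname bastion.example.org
    IdentityFile some_key.ed25519
    User foo

Host inner
    Hostname 192.168.1.16
    IdentityFile another_key.ed25519
    ProxyJump outer
    User bar

# Catch-all block, deliberately carrying the weak settings from the
# first reply in the thread so the check below has something to flag.
Host *
    IdentitiesOnly yes
    ForwardAgent yes
    StrictHostKeyChecking no
"""

# keyword -> (value considered risky, reason)
RISKY = {
    "forwardagent": ("yes", "anyone with root on a hop can use your agent socket"),
    "stricthostkeychecking": ("no", "unknown host keys are accepted without asking"),
}


def parse_ssh_config(text):
    """Return [(host_patterns, {keyword: value}), ...] in file order.

    Keywords are lower-cased (ssh_config is case-insensitive). Lines before
    the first Host line are global and are filed under the pattern '*'.
    Within one block the first occurrence of a keyword wins, as in ssh.
    """
    blocks = []
    patterns, opts = ["*"], {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) != 2:
            continue  # blank, comment-only or malformed line
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        else:
            opts.setdefault(key, value)
    blocks.append((patterns, opts))
    return blocks


def host_matches(alias, patterns):
    """ssh semantics: a matching negated ('!') pattern vetoes the block."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatchcase(alias, pat[1:]):
                return False
        elif fnmatchcase(alias, pat):
            matched = True
    return matched


def effective_options(blocks, alias):
    """Merge matching blocks; the first obtained value of a keyword wins."""
    opts = {}
    for patterns, block in blocks:
        if host_matches(alias, patterns):
            for key, value in block.items():
                opts.setdefault(key, value)
    return opts


def jump_chain(blocks, alias, _seen=()):
    """Hosts in the order ssh connects to them, target last.

    ProxyJump may list several '[user@]host[:port]' hops separated by
    commas; each hop's own config (including its ProxyJump) applies too.
    Bracketed IPv6 literals are not handled here.
    """
    if alias in _seen:
        raise ValueError("ProxyJump loop through %r" % alias)
    seen = _seen + (alias,)
    jump = effective_options(blocks, alias).get("proxyjump", "none")
    chain = []
    if jump.lower() != "none":
        for hop in jump.split(","):
            hop = hop.strip().split("@")[-1].rsplit(":", 1)[0]
            chain.extend(jump_chain(blocks, hop, seen))
    chain.append(alias)
    return chain


def risky_settings(blocks, alias):
    """Keywords whose effective value for alias is the risky one in RISKY."""
    opts = effective_options(blocks, alias)
    return sorted(k for k, (bad, _) in RISKY.items()
                  if opts.get(k, "").lower() == bad)


if __name__ == "__main__":
    cfg = parse_ssh_config(SAMPLE_CONFIG)
    print("ssh inner connects via:", " -> ".join(jump_chain(cfg, "inner")))
    for key in risky_settings(cfg, "inner"):
        print("warning: %s %s (%s)" % (key, RISKY[key][0], RISKY[key][1]))
```

Run it as-is and it reports `outer -> inner` plus both warnings; drop the `ForwardAgent` line and set `StrictHostKeyChecking yes` in the `Host *` block and the warnings disappear while the jump chain is unchanged, which is the point of the reply: ProxyJump gets you through the bastion without handing it your agent.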