:: Re: [DNG] Using ssh-agent in multip…
Author: Didier Kryn
Date:  
To: dng
Subject: Re: [DNG] Using ssh-agent in multiple logins
On 01/04/2026 at 15:39, Lars Noodén via Dng wrote:
> On 3/30/26 16:28, Didier Kryn wrote:
>> On 30/03/2026 at 12:30, Didier Kryn wrote:
>>> On 29/03/2026 at 16:44, R A Montante, Ph.D. via Dng wrote:
>>>>> Date: Sun, 29 Mar 2026 01:25:52 +1100
>>>>> From: Tom<wirelessduck@???>
>>>>> Subject: [DNG] Using ssh-agent in multiple logins
>>>>>
>>>>> I'm trying to learn how to use ssh-agent.  I followed the
>>>>> instructions at https://www.ssh.com/academy/ssh/agent.
>>>>>
>>>>> I have a remote machine that I login to over ssh from my desktop and
>>>>> want to run ssh-agent on this remote machine for further
>>>>> connections to
>>>>> other machines in a remote network.
>>>>
>>>> Perhaps I'm missing the point --- are you trying to login to other
>>>> remote machines, or understand "ssh-agent"? If the goal is to login
>>>> to other remote machines, you can configure the "first" remote ssh
>>>> daemon to forward connections to other ones. I used this to tunnel
>>>> through a firewall when I had one Internet-visible machine and a
>>>> set of internal-only machines.
>>>>
>>>>
>>>     Yes. And you can do that by editing ~/.ssh/config
>>>
>>>
>>      Example:
>>
>> Host *
>>     PubkeyAuthentication yes
>>     ForwardAgent yes
>>     ForwardX11 yes
>>     StrictHostKeyChecking no
> Or with ProxyJump (-J) instead:
>
> Host outer
>     Hostname bastion.example.org
>     IdentityFile some_key.ed25519
>     User foo
>
> Host inner
>     Hostname 192.168.1.16
>     IdentityFile another_key.ed25519
>     ProxyJump outer
>     User bar
>
> Host *
>     IdentitiesOnly yes
>
> Then you can enter `ssh inner` from anywhere on the net where
> bastion.example.org is accessible from and pass through it to the
> inner system.  The number of jumps can be arbitrarily many.  No agents
> need to be forwarded, nor do any keys need to be stored on remote
> systems, and the traffic passing through the intermediate hosts
> remains fully encrypted.
>
> In contrast, with agent forwarding if (when) passing through a
> compromised system, an attacker can exploit the forwarded agent socket
> to log in on their own as long as the session is open. See:
>
> "The pitfalls of using ssh-agent, or how to use an agent safely"
> https://rabexc.org/posts/pitfalls-of-ssh-agents
>
> Also, StrictHostKeyChecking should be "yes"


    I admit my config is not the most secure, particularly concerning
the last point, but nowadays I essentially use ssh within my home LAN --
with exceptions for git clone and git push. Nevertheless it is a simple
starting point.

    I, personally, would need a more literary and detailed explanation
to understand your inner, outer and bastion configuration.

--     Didier
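The inner/outer/bastion configuration quoted above, walked through in code. This is an added example, not part of the thread: a simplified ssh_config parser (no Match blocks, no `!` patterns, no `key=value` syntax) that applies ssh(1)'s first-value-wins rule, which is why the specific Host blocks come before `Host *`, to show which hosts `ssh inner` actually passes through and how a `Host *` block's settings apply to every alias. The sample config is Lars's ProxyJump example with the earlier reply's ForwardAgent/StrictHostKeyChecking lines appended for illustration; only the Python standard library is assumed.

```python
import fnmatch
# Constructed sample: the ProxyJump config quoted in the thread, plus the earlier
# reply's "Host *" settings so the resolver shows how they leak into every host.
SAMPLE_CONFIG = """
Host outer
    Hostname bastion.example.org
    IdentityFile some_key.ed25519
    User foo
Host inner
    Hostname 192.168.1.16
    IdentityFile another_key.ed25519
    ProxyJump outer
    User bar
Host *
    IdentitiesOnly yes
    ForwardAgent yes
    StrictHostKeyChecking no
"""

def parse(text):
    """ssh_config -> [(host patterns, {option: value})] in file order. Simplified:
    no Match blocks, no '!' negation, no 'key=value' syntax."""
    blocks, current = [], None
    for raw in text.splitlines():
        key, _, value = raw.split("#", 1)[0].strip().partition(" ")
        if key.lower() == "host":
            current = (value.split(), {})
            blocks.append(current)
        elif key and current is not None:
            current[1].setdefault(key.lower(), value.strip())
    return blocks

def resolve(blocks, alias):
    """Effective options for `alias`: ssh(1) keeps the FIRST value obtained per option."""
    opts = {}
    for patterns, values in blocks:
        if any(fnmatch.fnmatchcase(alias, p) for p in patterns):
            for key, value in values.items():
                opts.setdefault(key, value)
    return opts

def jump_chain(blocks, alias):
    """Hosts actually contacted for `alias`, outermost first: ProxyJump names another
    alias that ssh resolves through the same config (inner -> outer -> bastion)."""
    chain = []
    while alias is not None:
        opts = resolve(blocks, alias)
        chain.insert(0, opts.get("hostname", alias))
        alias = opts.get("proxyjump")
    return chain
```

Running `resolve(parse(SAMPLE_CONFIG), "inner")` shows ForwardAgent and StrictHostKeyChecking inherited from `Host *`; moving `Host *` above the specific blocks would instead let its values win for every option it sets.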