Author: Lars Noodén
Date:  
To: dng
Subject: Re: [DNG] Using ssh-agent in multiple logins
On 4/1/26 17:20, Didier Kryn wrote:
> Le 01/04/2026 à 15:39, Lars Noodén via Dng a écrit :

[snip]
>> Host outer
>>     Hostname bastion.example.org
>>     IdentityFile some_key.ed25519
>>     User foo
>>
>> Host inner
>>     Hostname 192.168.1.16
>>     IdentityFile another_key.ed25519
>>     ProxyJump outer
>>     User bar
>>
>> Host *
>>     IdentitiesOnly yes
>>
>> Then you can enter `ssh inner` from anywhere on the net where
>> bastion.example.org is accessible from and pass through it to the
>> inner system.

[snip]
>
>     I, personally, would need a more literary and detailed explanation
> to understand your inner, outer and bastion configuration.


In the example above, 192.168.1.16 is the destination, but it is on a
LAN and not Internet-facing. It is accessible externally only via
bastion.example.org which is on the same LAN and also available via the
open Internet. That Internet-facing bastion host is available both via
the shortcut `ssh outer` and `ssh bastion.example.org`, either one
works, but the former provides some presets such as key name and user
name. Same for "inner". If you were on the same LAN, you could just
enter `ssh 192.168.1.16` but out on the Internet, you have to pass
through bastion.example.org instead. That's where the ProxyJump
directive comes into play instead of agent forwarding. By using the
shortcut "inner" with the above settings you have an encrypted pass
through via "outer" to "inner" with the user names and key names which
apply to each host.

Various forwardings can be specified there too.

The IdentitiesOnly directive is there so that the local agent tries only
the designated key and no others. Otherwise, if you have a bunch of
keys already loaded into the agent it will try them in an unpredictable
order and likely try some irrelevant keys first causing you to hit the
limit for failed logins before it gets around to the right key.

The configuration directives are taken in the order they are found in
the file. So specifics have to come before generalities. Thus the *
goes at the end of the file.

/Lars
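The two behaviours the mail relies on, first-match resolution (so `Host *` must sit at the end) and the accumulation of `IdentityFile` lines, can be checked with a small model of ssh_config evaluation. This is an added example, not code from the mail or from OpenSSH: it is a simplified resolver (only whitespace-separated `Key value` lines, `Host` globs without `!` negation, a single alias in `ProxyJump`), the `User generic` line in the wildcard block and the agent key names are constructed to make the ordering effect visible, and the identity ordering without `IdentitiesOnly` is a model of OpenSSH's preference order, not its code.

```python
"""Model of ssh_config first-match resolution for the ProxyJump example in the mail."""
import fnmatch
from typing import Dict, List, Tuple

# The three blocks from the mail. `User generic` in the wildcard block is a
# constructed addition so that the effect of block order is visible.
OUTER = """
Host outer
    Hostname bastion.example.org
    IdentityFile some_key.ed25519
    User foo
"""
INNER = """
Host inner
    Hostname 192.168.1.16
    IdentityFile another_key.ed25519
    ProxyJump outer
    User bar
"""
WILDCARD = """
Host *
    IdentitiesOnly yes
    User generic
"""
GOOD_CONFIG = OUTER + INNER + WILDCARD   # specifics first, `Host *` last (as in the mail)
BAD_CONFIG = WILDCARD + OUTER + INNER    # constructed counter-example: wildcard first

DEFAULT_MAX_AUTH_TRIES = 6  # sshd's default MaxAuthTries


def parse(text: str) -> List[Tuple[List[str], List[Tuple[str, str]]]]:
    """Split ssh_config text into (host patterns, directives) blocks, in file order."""
    blocks: List[Tuple[List[str], List[Tuple[str, str]]]] = [(["*"], [])]  # pre-Host lines apply everywhere
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((key, value))
    return blocks


def resolve(text: str, alias: str) -> Dict[str, object]:
    """Effective options for `ssh alias`: first obtained value wins, IdentityFile accumulates."""
    opts: Dict[str, object] = {}
    identities: List[str] = []
    for patterns, directives in parse(text):
        if not any(fnmatch.fnmatchcase(alias, p) for p in patterns):
            continue
        for key, value in directives:
            if key == "identityfile":
                identities.append(value)      # every matching IdentityFile is kept
            elif key not in opts:
                opts[key] = value             # later blocks cannot override this
    opts.setdefault("hostname", alias)
    opts["identityfile"] = identities
    return opts


def jump_chain(text: str, alias: str) -> List[Tuple[str, object, object]]:
    """Hops from the local machine outward as (alias, user, hostname), following ProxyJump."""
    chain: List[Tuple[str, object, object]] = []
    seen = set()
    while alias and alias != "none":
        if alias in seen:
            raise ValueError(f"ProxyJump loop through {alias}")
        seen.add(alias)
        o = resolve(text, alias)
        chain.append((alias, o.get("user"), o["hostname"]))
        alias = o.get("proxyjump")  # model: a single alias, not a comma-separated list
    return list(reversed(chain))


def offered_identities(opts: Dict[str, object], agent_keys: List[str]) -> List[str]:
    """Keys the client would offer, given the agent's loaded keys (constructed names)."""
    configured = list(opts["identityfile"])
    if str(opts.get("identitiesonly", "no")).lower() == "yes":
        return configured
    # Model of OpenSSH's order without IdentitiesOnly: configured identities that the
    # agent holds, then every other agent key, then configured files not in the agent.
    in_agent = [k for k in configured if k in agent_keys]
    others = [k for k in agent_keys if k not in configured]
    rest = [k for k in configured if k not in agent_keys]
    return in_agent + others + rest


if __name__ == "__main__":
    for label, cfg in (("Host * last", GOOD_CONFIG), ("Host * first", BAD_CONFIG)):
        print(f"{label}: user={resolve(cfg, 'inner').get('user')} chain={jump_chain(cfg, 'inner')}")
    # Constructed agent with seven unrelated keys plus the right one.
    agent = [f"unrelated{i}.ed25519" for i in range(7)] + ["another_key.ed25519"]
    inner = resolve(GOOD_CONFIG, "inner")
    print("IdentitiesOnly yes:", offered_identities(inner, agent))
    inner_no_restriction = dict(inner, identitiesonly="no")
    offered = offered_identities(inner_no_restriction, agent)
    print(f"IdentitiesOnly no: {len(offered)} keys offered, limit {DEFAULT_MAX_AUTH_TRIES}")
```

With `Host *` last, `ssh inner` resolves to user `bar` via `outer`; with the wildcard block first, both hops silently get `User generic`. The model is only for reasoning about the file; on a real system `ssh -G inner` prints the effective configuration OpenSSH itself computed, which is the check to run after editing `~/.ssh/config`.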