hubert depesz lubaczewski
2015-Oct-16 10:46 UTC
Is there any solution, or even work on, limiting which keys gets forwarded where?
On Thu, Oct 15, 2015 at 04:15:03PM -0400, Daniel Kahn Gillmor wrote:> if the intermediary machine (the "jumphost") is jumphost.example, and > you are trying to reach bar.example.com (which is behind the firewall), > you would do: > ssh -oProxyCommand='ssh jumphost.example -W %h:%p' bar.example.comWe use jump host, but there are literally hundreds of hosts behind it. And since I often need to run things on multiple hosts, I ssh to jump host, start tmux session, and ssh from there wherever I need. Not to mention that in case like above, I would have to type the password to key two times, which is complicated, to put it lightly, as I use very long, very secure passphrases.> Another approach, if you find you must forward your agent, is to load > all keys in your agent with confirmation prompt required (ssh-add -c) > so that your local machine is still in control of when the different > keys get used.Yeah, but that will (from what I understand from man) re-ask for my password, which is highly impractical given the above passphrase situation. Best regards, depesz
Peter Stuge
2015-Oct-16 14:33 UTC
Is there any solution, or even work on, limiting which keys gets forwarded where?
hubert depesz lubaczewski wrote:> > Another approach, if you find you must forward your agent, is to load > > all keys in your agent with confirmation prompt required (ssh-add -c) > > so that your local machine is still in control of when the different > > keys get used. > > Yeah, but that will (from what I understand from man) re-ask for my > password, which is highly impractical given the above passphrase > situation.You should try it out. No, the agent on your client only asks for confirmation to use the key (enter=yes, type anything+enter=no) not for the passphrase. //Peter
Ángel González
2015-Oct-19 23:31 UTC
Is there any solution, or even work on, limiting which keys gets forwarded where?
On 16/10/15 12:46, hubert depesz lubaczewski wrote:> On Thu, Oct 15, 2015 at 04:15:03PM -0400, Daniel Kahn Gillmor wrote: >> > if the intermediary machine (the "jumphost") is jumphost.example, and >> > you are trying to reach bar.example.com (which is behind the firewall), >> > you would do: >> > ssh -oProxyCommand='ssh jumphost.example -W %h:%p' bar.example.com > We use jump host, but there are literally hundreds of hosts behind it. > And since I often need to run things on multiple hosts, I ssh to jump > host, start tmux session, and ssh from there wherever I need.You can run tmux locally. Don't worry about having to add the -oProxyCommand='ssh jumphost.example -W %h:%p' each time. That can be abstracted in the ssh_config. You can simply provide the name as you used on the jumphos, but have ssh automatically connect to it "the right way". If you are concerned about having to perform two ssh logins (automatically, as performed by the key authentication) per connection, you can make it use a master ssh connection so there's a single connection to the jumphost through all the others are tunneled.
hubert depesz lubaczewski
2015-Oct-20 07:08 UTC
Is there any solution, or even work on, limiting which keys gets forwarded where?
On Tue, Oct 20, 2015 at 01:31:46AM +0200, ?ngel Gonz?lez wrote:> On 16/10/15 12:46, hubert depesz lubaczewski wrote: > >On Thu, Oct 15, 2015 at 04:15:03PM -0400, Daniel Kahn Gillmor wrote: > >>> if the intermediary machine (the "jumphost") is jumphost.example, and > >>> you are trying to reach bar.example.com (which is behind the firewall), > >>> you would do: > >>> ssh -oProxyCommand='ssh jumphost.example -W %h:%p' bar.example.com > >We use jump host, but there are literally hundreds of hosts behind it. > >And since I often need to run things on multiple hosts, I ssh to jump > >host, start tmux session, and ssh from there wherever I need. > You can run tmux locally. Don't worry about having to add the > > -oProxyCommand='ssh jumphost.example -W %h:%p' each time. That can be abstracted > in the ssh_config. You can simply provide the name as you used on the jumphos, but > have ssh automatically connect to it "the right way".If I run tmux locally, and my network connection dies, then I lose what I was doing on remote host. Tmux is there to protect me from losing work (let's say, in the middle of datbase upgrade) due to network issues).> If you are concerned about having to perform two ssh logins (automatically, as > performed by the key authentication) per connection, you can make it use a master > ssh connection so there's a single connection to the jumphost through all the others > are tunneled.I'm concerned about safety (someone having access to my agent socket, shouldn't really have access to all my keys), and convenience (not having to retype the password every time). Best regards, depesz -- The best thing about modern society is how easy it is to avoid contact with it. http://depesz.com/
Apparently Analagous Threads
- Is there any solution, or even work on, limiting which keys gets forwarded where?
- Is there any solution, or even work on, limiting which keys gets forwarded where?
- Is there any solution, or even work on, limiting which keys gets forwarded where?
- Re: Newbie question about network setup
- Newbie question about network setup