Brian Candler
2020-Dec-09 19:39 UTC
Transferring files between servers on a private network?
On 09/12/2020 18:45, Steve Dondley wrote:> Ok, thanks for?the insight. > > Yeah, I was trying to avoid agent forwarding?because of the advice > I've seen to?avoid it, if possible.As far as I know, you'd mainly want to avoid it if you don't trust the left-hand machine (i.e. the source, the one you called "B").? A malicious administrator on that host could connect to your agent socket and authenticate, as you, to any other machine that trusts your key. But to be honest, if a machine is malicious, I wouldn't want to ssh into it in the first place.? It could do plenty of other nasty things, such as logging my keystrokes.> > Only other method I can think of is to have a third machine, machine > C, that is only available?on the private network and contains the > private key for all the other machines. So I'd log into machine C via > some bastion/jump server. Machine C would hold the private the > key?used by machine B and machine A and I could use it to transfer > files between machines A and B.Copying your private key onto other machines is, in general, way less secure than using agent forwarding. You could ssh to C (that you trust), with agent forwarding enabled, and use it to third-party copy between B and A (*without* enabling agent forwarding from C to B or C to A)
Steve Dondley
2020-Dec-09 19:49 UTC
Transferring files between servers on a private network?
Very interesting food for thought. So let me make sure I understand what I need to do here as I try to reverse 2 decades of cluelessness (I literally never heard of agent forwarding until last night): So I'll add the pem file with ssh-add on my local machine and then I'll be able to log into C and then once in C I can run the scp command to move files between B and A via the private network. Have I got that right? On Wed, Dec 9, 2020 at 2:39 PM Brian Candler <b.candler at pobox.com> wrote:> On 09/12/2020 18:45, Steve Dondley wrote: > > Ok, thanks for the insight. > > > > Yeah, I was trying to avoid agent forwarding because of the advice > > I've seen to avoid it, if possible. > > As far as I know, you'd mainly want to avoid it if you don't trust the > left-hand machine (i.e. the source, the one you called "B"). A > malicious administrator on that host could connect to your agent socket > and authenticate, as you, to any other machine that trusts your key. > > But to be honest, if a machine is malicious, I wouldn't want to ssh into > it in the first place. It could do plenty of other nasty things, such > as logging my keystrokes. > > > > > Only other method I can think of is to have a third machine, machine > > C, that is only available on the private network and contains the > > private key for all the other machines. So I'd log into machine C via > > some bastion/jump server. Machine C would hold the private the > > key used by machine B and machine A and I could use it to transfer > > files between machines A and B. > > Copying your private key onto other machines is, in general, way less > secure than using agent forwarding. > > You could ssh to C (that you trust), with agent forwarding enabled, and > use it to third-party copy between B and A (*without* enabling agent > forwarding from C to B or C to A) > > >-- Prometheus Labor Communications, Inc. http://prometheuslabor.com 413-572-1300 UnionConnect Phone App for Labor Unions http://unionconnect.com