Steve Dondley
2020-Dec-09 19:49 UTC
Transferring files between servers on a private network?
Very interesting food for thought. So let me make sure I understand what I need to do here as I try to reverse 2 decades of cluelessness (I literally never heard of agent forwarding until last night):

So I'll add the pem file with ssh-add on my local machine and then I'll be able to log into C and then once in C I can run the scp command to move files between B and A via the private network. Have I got that right?

On Wed, Dec 9, 2020 at 2:39 PM Brian Candler <b.candler at pobox.com> wrote:
> On 09/12/2020 18:45, Steve Dondley wrote:
> > Ok, thanks for the insight.
> >
> > Yeah, I was trying to avoid agent forwarding because of the advice
> > I've seen to avoid it, if possible.
>
> As far as I know, you'd mainly want to avoid it if you don't trust the
> left-hand machine (i.e. the source, the one you called "B"). A
> malicious administrator on that host could connect to your agent socket
> and authenticate, as you, to any other machine that trusts your key.
>
> But to be honest, if a machine is malicious, I wouldn't want to ssh into
> it in the first place. It could do plenty of other nasty things, such
> as logging my keystrokes.
>
> > Only other method I can think of is to have a third machine, machine
> > C, that is only available on the private network and contains the
> > private key for all the other machines. So I'd log into machine C via
> > some bastion/jump server. Machine C would hold the private key
> > used by machine B and machine A and I could use it to transfer
> > files between machines A and B.
>
> Copying your private key onto other machines is, in general, way less
> secure than using agent forwarding.
>
> You could ssh to C (that you trust), with agent forwarding enabled, and
> use it to third-party copy between B and A (*without* enabling agent
> forwarding from C to B or C to A)

--
Prometheus Labor Communications, Inc.
http://prometheuslabor.com
413-572-1300
UnionConnect Phone App for Labor Unions
http://unionconnect.com
Brian Candler
2020-Dec-09 20:04 UTC
Transferring files between servers on a private network?
On 09/12/2020 19:49, Steve Dondley wrote:
> Very interesting food for thought. So let me make sure I understand
> what I need to do here as I try to reverse 2 decades of cluelessness
> (I literally never heard of agent forwarding until last night):
>
> So I'll add the pem file with ssh-add on my local machine and then
> I'll be able to log into C and then once in C I can run the scp
> command to move files between B and A via the private network. Have I
> got that right?

Yep, as long as you've enabled agent forwarding (-A) when you login to C.

With agent forwarding, an agent socket appears on host C. Any command you type there (such as "ssh B" or "scp B:foo A:bar") is able to talk to the agent socket, as if ssh-agent were running on host C. But in reality, the agent messages are passed back and forth over the ssh connection between your local host and C, to the ssh-agent running on your local host. Hence your private key never leaves your local host.
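The workflow agreed on in the two messages above (load the key into the local agent, forward the agent to the trusted host C only, and have C do the third-party copy between B and A), as an added shell example that is not part of the thread. The host names C, B and A, the file paths and the key file path are placeholders. It uses `scp -3` so that the data is relayed through C rather than B being asked to authenticate to A, and it sets `ForwardAgent=no` on the hops out of C, which is the "without enabling agent forwarding from C to B or C to A" point from Brian's earlier reply.

```shell
#!/bin/sh
# Added example, not from the thread: third-party copy from B to A through a
# trusted host C, using the key held by the ssh-agent on the local machine.
# Host names (C, B, A), paths and the key file are placeholders.

# Placeholder path of the .pem key; the private key is only ever read here.
KEY_FILE="${KEY_FILE:-$HOME/.ssh/example-key.pem}"

# Load the key into the local agent unless it already holds an identity
# (ssh-add -l exits 0 when the agent has at least one key loaded).
ensure_key_loaded() {
    ssh-add -l >/dev/null 2>&1 && return 0
    ssh-add "$KEY_FILE"
}

# Build the scp command that will run ON C. With -3 the data is relayed
# through C (pulled from B, pushed to A), so B never has to authenticate
# to A. ForwardAgent=no on these hops keeps the agent socket from being
# exposed to B or A; only the local-to-C hop forwards it.
build_remote_copy() {
    printf 'scp -3 -o ForwardAgent=no %s:%s %s:%s' "$1" "$2" "$3" "$4"
}

# Run from the local host: -A forwards the agent to C only, and the scp
# running on C talks to the forwarded socket, so the key never leaves
# this machine. Usage (placeholders):
#   run_transfer C B /srv/data/file.tar A /srv/incoming/file.tar
run_transfer() {
    jump_host=$1
    shift
    ensure_key_loaded
    ssh -A "$jump_host" "$(build_remote_copy "$@")"
}
```

The `-A` flag can equally be expressed as `ForwardAgent yes` in a `Host C` stanza of `~/.ssh/config`, with the global default left at `no`, so forwarding is never enabled by accident to a host you do not trust. A quick check that the setup behaves as described: after `ssh -A C`, `ssh-add -l` on C lists the key, while no private key file exists in C's `~/.ssh`.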