unsolicited ProxyJump elaboration 

@electroCutie @kit_ty_kate Exactly! Never forward your private! Keys! Using a jumphost instead has many benefits, not only better security.

`ssh -J jumphostNicknameOnDemand targetHost`
for on demand jumphost use on the commandline


Host targetHost
ProxyJump jumphostNicknameToUseAlways
in `~/.ssh/config`

Benefits include
- easy to use on demand
- works with RFC1918 IPs and internal hostnames behind the jumphost
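A fuller client-side configuration for the setup described above, added here as an example and not part of MacLemon's post; the host names, addresses, user and key file names are assumptions, as is the `gw2` second hop:

```sshconfig
# ~/.ssh/config on the workstation (added example; all names are assumptions)

# Never hand the agent to a remote box by default. Enable it per host only
# if a specific host genuinely needs it and is trusted with it.
Host *
    ForwardAgent no
    IdentitiesOnly yes

# The jump host: the only machine the workstation reaches directly.
Host bastion
    HostName bastion.example.com
    User alice
    IdentityFile ~/.ssh/id_ed25519_bastion

# An RFC1918 address behind the bastion. The workstation has no route or
# DNS for it; the bastion opens the TCP connection, so none is needed.
# (Placed before the wildcard block because ssh takes the first value it
# finds for each option.)
Host db-primary
    HostName 10.0.20.5

# Every internal host goes through the bastion. The private key for them
# never leaves the workstation: the bastion only relays bytes and cannot
# authenticate to the target on its own.
Host app-* db-*
    ProxyJump bastion
    User alice
    IdentityFile ~/.ssh/id_ed25519_internal

# Two hops: ProxyJump accepts a comma-separated chain, hop by hop.
Host deep-host
    HostName 172.16.5.9
    ProxyJump bastion,gw2

Host gw2
    HostName 10.0.30.1
    ProxyJump bastion

# Equivalent to "ProxyJump bastion" on clients older than OpenSSH 7.3,
# shown for reference: the bastion runs "ssh -W target:port" as a pipe.
# Host legacy-internal
#     ProxyCommand ssh -W %h:%p bastion
```

With this in place `ssh db-primary` uses the bastion automatically, while `ssh -J bastion 10.0.20.7` does the same on demand for a host that has no config entry. Note that `ForwardAgent no` in `Host *` is the default anyway; it is spelled out so that a later `Host` block cannot quietly turn it on.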

@MacLemon @kit_ty_kate @electroCutie

Key forwarding just forwards the public key and is needed in your example too, isn't it?

SSH details 

@utzer @MacLemon @kit_ty_kate No, it is not

If I'm reading the intent correctly the option under discussion is ForwardAgent
This exposes the agent on the remote box, and is vulnerable to attack. There are valid uses for it, of course, but you need to really trust that box

With proxy jump the agent remains only exposed on your local box and the remote box is used as an ssh proxy with no privilege whatsoever in the proxied connection or authentication

SSH details 

@electroCutie @utzer @kit_ty_kate I consider that a totally correct explanation of the underlying security problem with agent forwarding.

@utzer ProxyJump doesn't *forward* keys at all. It's basically an SSH tunnel used by SSH without having to configure ports manually and dealing with localhost connections.
It only requires

AllowTcpForwarding yes

in `sshd_config` on the JumpHost.

(If you need remote port forwarding (very rarely) you also need

GatewayPorts yes
in `sshd_config` on the JumpHost.)
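The jump-host side of the same setup, added here as an example and not taken from the thread: an `sshd_config` that permits exactly what ProxyJump needs (a local, direct-tcpip forward to the target) and nothing else. The `sshjump` group, the internal addresses and the `/usr/sbin/nologin` path are assumptions.

```sshconfig
# /etc/ssh/sshd_config on the jump host (added example; group, addresses
# and nologin path are assumptions)

# ProxyJump is "ssh -W target:port" on the bastion, i.e. a local forward.
# "local" allows that and refuses remote (-R) forwards on the bastion.
AllowTcpForwarding local
# The bastion has no business holding an agent, X11 or a tun device.
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no
PasswordAuthentication no
# Remote forwards bound to non-loopback addresses: off unless needed.
GatewayPorts no

# Accounts in the jump-only group get a relay and nothing more:
# no PTY, no shell, and only the listed destinations.
Match Group sshjump
    PermitTTY no
    ForceCommand /usr/sbin/nologin
    # PermitOpen matches the destination string the client sends, so it
    # must agree textually with the HostName the client uses for the target.
    PermitOpen 10.0.20.5:22 10.0.20.6:22 10.0.30.1:22
```

`ssh -W` opens no session channel, so `ForceCommand` never runs for a plain ProxyJump, but it stops the same account from getting a shell if someone tries `ssh bastion` directly. Check the effective result with `sshd -T -C user=alice` on the jump host before reloading.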
