unsolicited ProxyJump elaboration 

@electroCutie @kit_ty_kate Exactly! Never forward your private! Keys! Using a jumphost instead has many benefits, not only better security.

`ssh -J jumphostNicknameOnDemand targetHost`
for on-demand jumphost use on the command line

```
Host targetHost
    HostName target.example.org
    ProxyJump jumphostNicknameToUseAlways
```
in `~/.ssh/config`

Benefits include
- easy to use on demand
- works with RFC1918 IPs and internal hostnames behind the jumphost

@MacLemon @kit_ty_kate @electroCutie

Key forwarding just forwards the public key and is needed in your example too, isn't it?

SSH details 

@utzer @MacLemon @kit_ty_kate No, it is not.

If I'm reading the intent correctly, the option under discussion is ForwardAgent.
This exposes the agent on the remote box, and is vulnerable to attack. There are valid uses for it, of course, but you need to really trust that box.

With ProxyJump the agent remains exposed only on your local box, and the remote box is used as an SSH proxy with no privilege whatsoever in the proxied connection or authentication.
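Putting the first post's `ProxyJump` config and the ForwardAgent-versus-ProxyJump point from the reply above into one `~/.ssh/config`. This is an added example, not a file posted by anyone in this thread; the host nicknames, hostnames, user, key paths and RFC1918 addresses are made up for illustration.

```sshconfig
# Added example; hosts, users, key paths and addresses are assumptions.

# The jump host: the only machine the workstation authenticates to
# directly. Nothing here asks it to forward an agent.
Host jump
    HostName jump.example.org
    User alice
    IdentityFile ~/.ssh/id_ed25519_jump
    IdentitiesOnly yes

# A target on an internal network behind the jump host. ProxyJump opens a
# TCP forwarding channel through "jump" and then authenticates to the
# target end to end from the local agent or key file; the jump host only
# relays encrypted bytes and never sees the private key or agent socket.
Host target
    HostName 10.0.0.42
    User alice
    ProxyJump jump
    IdentityFile ~/.ssh/id_ed25519_internal
    IdentitiesOnly yes

# Two hops are written as a comma-separated list, in order.
Host deep-target
    HostName 10.0.1.7
    User alice
    ProxyJump jump,target

# The weak pattern the thread warns against, shown for contrast and left
# commented out. Logging into the jump host with the agent forwarded lets
# anyone with root on that box use the agent socket to sign as you for as
# long as the session is open. Leave ForwardAgent at its OpenSSH default
# of "no" and use ProxyJump instead.
# Host jump
#     ForwardAgent yes
```

With this in place `ssh target` and `ssh deep-target` work without any `-J` on the command line. `ssh -G target` prints the options OpenSSH actually resolved for that host, which is a quick way to confirm that `proxyjump` is set and `forwardagent` is `no` before connecting.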


SSH details 

@electroCutie @utzer @kit_ty_kate I consider that a totally correct explanation of the underlying security problem with agent forwarding.


chaos.social – a Fediverse instance for & by the Chaos community