Re: Is there any solution, or even work on, limiting which keys gets forwarded where?

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Tue 2015-10-20 03:08:11 -0400, hubert depesz lubaczewski wrote:
> If I run tmux locally, and my network connection dies, then I lose what
> I was doing on remote host.
> Tmux is there to protect me from losing work (let's say, in the middle
> of datbase upgrade) due to network issues).

if you want that kind of protection, run tmux (or GNU screen) on the
remote host itself.  that will protect you from outages on the jumphost
as well.

> I'm concerned about safety (someone having access to my agent socket,
> shouldn't really have access to all my keys), and convenience (not
> having to retype the password every time).

a local ssh agent, not forwarded, with a controlMaster socket for the
jumphost, and your keys loaded with confirmation prompt seems like the
solution that would solve the most problems:

~/.ssh/config:
--------------
Host jumphost.example
 ControlMaster autoask
 ControlPath ~/.ssh/masters/%r@%h:%p
 ProxyCommand none

Host *.example
 ProxyCommand ssh -W %h:%p jumphost.example
--------------

Before connecting, ensure that ssh-agent is running and do:

 ssh-add -c /path/to/my/key

You'll have to type your password exactly once.

When you get a prompt for the use of your key, or a prompt to use the
control master, you can just hit "OK" or type "yes".

if your workflow is just to connect to one remote machine from your
local computer, do:

 ssh -t foo.example tmux

If your workflow is to connect to multiple machines, start with:

 ssh jumphost.example

and leave that session open while you do the rest of your work from your
local computer.:

 ssh -t foo.example tmux
 ssh -t bar.example tmux
 

hth,

        --dkg
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux