Ok, thanks for the insight. Yeah, I was trying to avoid agent forwarding because of the advice I've seen to avoid it, if possible. I'm trying to figure out what the best practice might be so I wanted to see how this could be done in the most secure manner possible. Only other method I can think of is to have a third machine, machine C, that is only available on the private network and contains the private key for all the other machines. So I'd log into machine C via some bastion/jump server. Machine C would hold the private the key used by machine B and machine A and I could use it to transfer files between machines A and B. On Wed, Dec 9, 2020 at 1:14 PM Brian Candler <b.candler@xxxxxxxxx> wrote: > On 09/12/2020 17:48, Steve Dondley wrote: > > Though the command works and transfers files between machines, I'm not > sure > > if it does it strictly over the private network. How can I be sure the > file > > isn't going from B to A over the private network and then down to my > local > > machine over the public network and then back up to A over the public > > network and then back to A on the private network? > > It *is* going up to your local client and back again: -3 (third party > copy) does exactly that. It makes separate ssh connections to the two > hosts (which is why the ProxyCommand is required in your case), slurps > the file from the left-hand host and uploads it to the right-hand host. > > If you don't want to do that, then omit the -3. Then it will login to > left-host, and instruct it to copy the given file to right-host. > However you may need to use agent forwarding so that left-host can > authenticate to right-host. > > -- Prometheus Labor Communications, Inc. http://prometheuslabor.com 413-572-1300 UnionConnect Phone App for Labor Unions http://unionconnect.com _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
