On 09/12/2020 18:45, Steve Dondley wrote:
Ok, thanks for the insight.
Yeah, I was trying to avoid agent forwarding because of the advice
I've seen to avoid it, if possible.
As far as I know, you'd mainly want to avoid it if you don't trust the
left-hand machine (i.e. the source, the one you called "B"). A
malicious administrator on that host could connect to your agent socket
and authenticate, as you, to any other machine that trusts your key.
But to be honest, if a machine is malicious, I wouldn't want to ssh into
it in the first place. It could do plenty of other nasty things, such
as logging my keystrokes.
Only other method I can think of is to have a third machine, machine
C, that is only available on the private network and contains the
private key for all the other machines. So I'd log into machine C via
some bastion/jump server. Machine C would hold the private the
key used by machine B and machine A and I could use it to transfer
files between machines A and B.
Copying your private key onto other machines is, in general, way less
secure than using agent forwarding.
You could ssh to C (that you trust), with agent forwarding enabled, and
use it to third-party copy between B and A (*without* enabling agent
forwarding from C to B or C to A)
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev