On Wed, 25 Jun 2003, A.J. Werkman wrote:

> I have a SSH proxy problem.
>
> If I have three machines A, B and C. A can't reach C, but B can both reach
> A and C.
>
> In order to connect from A to C you would connect from A to B with ssh and
> on B connect to C. Now you have a proxy connection from A through B to C.
>
> But I use only key authentication. B and C are configured to accept the key
> from A. But B, not being accepted as a totally secure host (because it is
> the gateway to the evil world), does not have authentication keys.
> Conquering this gateway would mean every host can be reached by using the
> authentication key on the gateway.
>
> Now if I want to connect from A to C I log in using the private key on host
> A. But if I want to log in from host B to C I don't have a private key
> there to use.
>
> Does anyone know if it is possible to use the above scenario but be able to
> use my private key from host A on host B to access host C. Of course I
> don't want to copy the private key from host A to host B because of the
> risk of compromising this key.
>
> I hope what I am saying here makes sense to all. Does anyone know a solution?

If B is compromised (with root access), then all connections from B will be
compromised (i.e. the ssh connection from B -> C, whatever auth is used:
passwd/passphrase/keyauth).

You can use ssh-agent and AgentForwarding, and not store the keys on B.
The process would be something like:

1. on A: generate an ssh key pair - this should generate ~/.ssh/id_rsa and
   ~/.ssh/id_rsa.pub
2. copy the contents of A:~/.ssh/id_rsa.pub to B:~/.ssh/authorized_keys and
   C:~/.ssh/authorized_keys
3. Always use ssh-agent and AgentForwarding

    A> ssh-agent bash   # start the agent
    A> ssh-add          # add ~/.ssh/id_rsa to the agent, with passphrase if used
    A> ssh -A user@x    # now log into B using the key credentials stored in A's agent
    B> ssh user@x       # now log into C using the key credentials stored in A's agent

Note: As long as the connection from A->B exists, the agent stuff will be
accessible on B in the /tmp/ssh-**** dir, and whoever has access to this will
have access to the agent credentials (i.e. be able to log into user@x).

For me, ssh-agent and ssh-add are done at the very top level, when starting up
the window manager, so this is accessible from ALL my shells. And
'AgentForwarding yes' can be specified either in /etc/ssh_config or
~/.ssh/config.

[asterix]: cat /etc/X11/gdm/Sessions/Fluxbox
#!/bin/bash
#Location: /etc/X11/gdm/Sessions/Fluxbox
xrdb -merge /etc/X11/Xresources
export LANG=en_US
export LC=C
export LC_ALL=C
exec ssh-agent /bin/bash --login -c 'ssh-add </dev/null; exec fluxbox'
[asterix]:

Satish
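An added example, not part of Satish's mail: on host A, scope agent forwarding to the gateway only (so a global "ForwardAgent yes" does not hand the agent to every host), audit the config for that mistake, and load the key with per-use confirmation and a lifetime so that whoever reaches the forwarded socket on B cannot use it silently. The host name gateway-b, its address and the key path are assumptions.

```sh
#!/bin/sh
# Added example (not from the original thread). Placeholders: gateway-b,
# gateway-b.example.net, ~/.ssh/id_rsa.

# Write a client config for A: forward the agent only to the gateway,
# and explicitly turn it off for every other host.
write_ssh_config() {
  cat >"$1" <<'EOF'
Host gateway-b
    HostName gateway-b.example.net
    ForwardAgent yes

Host *
    ForwardAgent no
EOF
}

# Audit a client config: prints "unsafe" if "ForwardAgent yes" appears
# outside any Host block or under the wildcard "Host *", else "ok".
audit_forward_agent() {
  awk '
    /^[ \t]*Host[ \t]/ { host = $2 }
    /^[ \t]*ForwardAgent[ \t]+yes/ && (host == "*" || host == "") { bad = 1 }
    END { print (bad ? "unsafe" : "ok") }
  ' "$1"
}

# On A: start an agent for this shell and add the key so that each use must
# be confirmed (-c, via ssh-askpass) and the key expires after one hour (-t).
# A hijacked /tmp/ssh-* socket on B then yields a prompt on A, not a login.
start_agent_with_confirm() {
  eval "$(ssh-agent -s)" >/dev/null
  ssh-add -c -t 1h "$HOME/.ssh/id_rsa"
}
```

Run start_agent_with_confirm once on A before "ssh -A gateway-b"; the audit function can be pointed at ~/.ssh/config or /etc/ssh/ssh_config.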