Re: Multi Hopping by sshserver proxy with different keys

On 23 September 2010 17:08, Nicolas Ferragu <nicolas.ferragu@xxxxxxxxxx> wrote:
>     Putty conf :
>         connection type : raw
>         local proxy command : plink.exe -t %user@%proxyhost -agent "ssh
> -p %port -l role %host"\n

I assume "ssh -p %port -l role %host" here is a command executed on
the bastion to connect to the target. Currently it does not work, as
the target asks for a key known only to the bastion.

You mentioned that "ssh-agent running well with the target". If that
means that the bastion has ssh-agent running with a key for the target,
then in the above command you just need to tell ssh where to look
for the ssh-agent socket. You can do that with the env command, which
sets SSH_AUTH_SOCK, like in:

plink.exe -t %user@%proxyhost -agent "env
SSH_AUTH_SOCK=<path-to-socket> ssh -p %port -l role %host"

The default socket location is /tmp/ssh-XXXXXXXXXX/agent.<ppid>. For
maximum convenience you may run the ssh-agent on the bastion with the -d
option to specify the exact location of the socket, like in:

ssh-agent -a "$HOME/.ssh/agent-socket"   # -a bind_address: ssh-agent's option for a fixed socket path

and then set SSH_AUTH_SOCK in the above command to /home/user/.ssh/agent-socket.


On the other hand, a setup like that implies that anyone who has the
key to the bastion can always connect to the target. Moreover, anybody
who can log in to the bastion under your user name can also recover the
private key for the target by inspecting ssh-agent memory. So the
setup above is less secure than simply having the key to the
target on your local box, properly password-protected and loaded into
the PuTTY agent.

Regards, Igor
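The bastion side of the setup Igor describes, as an added example that is not part of the thread and not anyone's posted configuration. It keeps one long-lived ssh-agent bound to a fixed socket path (ssh-agent's option for this is -a bind_address) so that a proxy command of the form "plink.exe -t %user@%proxyhost -agent \"env SSH_AUTH_SOCK=/home/user/.ssh/agent-socket ssh -p %port -l role %host\"" finds the same agent from every login, and it uses the exit code of "ssh-add -l" (0 = agent holds identities, 1 = agent reachable but empty, 2 = nothing answers at the socket) to decide whether an agent must be started or a key loaded. The socket path, key file name and remote user name are assumptions for illustration. Igor's caveat applies unchanged: the private key for the target then lives on the bastion, where anyone who can log in as that user can use or extract it, so a key held only on your own box in Pageant is the safer choice where the session can be arranged that way.

```shell
#!/bin/sh
# Added example, not from the thread. Bastion-side helper that makes a
# fixed-path ssh-agent available to the proxy command run by plink.
# Assumed paths (not from the page): SOCKET, e.g. $HOME/.ssh/agent-socket,
# and KEYFILE, e.g. $HOME/.ssh/target_key.

# agent_status SOCKET
# Prints the exit code of `ssh-add -l` against SOCKET:
#   0 = agent reachable and holds identities
#   1 = agent reachable but empty
#   2 = no agent answers at SOCKET (missing or stale socket file)
agent_status() {
    if SSH_AUTH_SOCK="$1" ssh-add -l >/dev/null 2>&1; then
        echo 0
    else
        echo $?
    fi
}

# ensure_agent SOCKET KEYFILE
# Starts an agent bound to SOCKET if none answers there, loads KEYFILE into
# it if it is empty, and prints SOCKET on success. The agent's pid is
# recorded in SOCKET.pid so it can be stopped later.
ensure_agent() {
    sock="$1"; key="$2"
    if [ "$(agent_status "$sock")" = 2 ]; then
        # A leftover socket file from a dead agent would make `ssh-agent -a` fail.
        rm -f "$sock"
        # -a binds the listening socket to a fixed path; -s prints sh-style
        # assignments for SSH_AUTH_SOCK and SSH_AGENT_PID that we eval.
        out=$(ssh-agent -s -a "$sock") || return 1
        eval "$out" >/dev/null
        echo "$SSH_AGENT_PID" > "$sock.pid"
    fi
    if [ "$(agent_status "$sock")" = 1 ]; then
        # Agent is up but holds nothing yet: load the key for the target.
        # NOTE: this key is now usable by anyone who can log in as this user
        # on the bastion (the concern raised in the reply above).
        SSH_AUTH_SOCK="$sock" ssh-add "$key" >/dev/null 2>&1 || return 1
    fi
    echo "$sock"
}

# hop SOCKET PORT HOST USER
# The command the proxy runs on the bastion: the same `ssh -p PORT -l USER HOST`
# as in the thread, pointed at the fixed-path agent via SSH_AUTH_SOCK.
hop() {
    exec env SSH_AUTH_SOCK="$1" ssh -p "$2" -l "$4" "$3"
}
```

Usage on the bastion: run `ensure_agent "$HOME/.ssh/agent-socket" "$HOME/.ssh/target_key"` once after boot (or from the proxy command itself, since a second call finds the running agent and returns immediately), then let the plink proxy command invoke `hop "$HOME/.ssh/agent-socket" 22 target role`.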


