Igor,

My ssh-agent works well and I don't have any problem with it: I'm using keychain (persistent ssh-agent across connections, from the Debian packages), filling the .ssh/environment file to get the env set correctly for that.

Anyway, the trick doesn't work correctly since the terminal mode is raw: I can succeed in logging in the way I want but can't do any vi or any tab command completion...

Concerning the security level you've evaluated, I do agree with the fact that one could read the bastion's memory to get access to the targets' keys. But:

1 - I made those target keys usable only from the bastion. If the keys were on the local box, this kind of filtering couldn't be done, as my users should be able to connect from everywhere - modulo IP spoofing of course.

2 - With all my target keys on the bastion, I can administer them in a central way - which can't be done in the distributed-to-the-local-boxes way. In particular, it's far easier to give temporary access to anyone to any target with the bastion holding the keys.

3 - Saying the keys can be read from the bastion's memory isn't worse than distributing them across local boxes which are less secure than the bastion - since there are some local boxes shared by multiple people... Furthermore, the keys can regularly be changed to clean up that kind of weakness.

Thanks for sharing,
NF

-------- Original Message --------
Subject: Re: Multi Hopping by sshserver proxy with different keys
From: Igor Bukanov <igor@xxxxxxxx>
To: Nicolas Ferragu <nicolas.ferragu@xxxxxxxxxx>
Cc: secureshell@xxxxxxxxxxxxxxxxx
Date: 25/09/2010 12:34

> On 23 September 2010 17:08, Nicolas Ferragu <nicolas.ferragu@xxxxxxxxxx> wrote:
>> Putty conf :
>> connection type : raw
>> local proxy command : plink.exe -t %user@%proxyhost -agent "ssh
>> -p %port -l role %host"\n
>
> I assume "ssh -p %port -l role %host" here is a command executed on
> the bastion to connect to the target. Currently it does not work as
> the target asks for the key known only for the bastion.
>
> You mentioned that "ssh-agent running well with the target.". If that
> means that bastion has ssh-agent running with a key for the target
> then in the above command you just need to tell the ssh where to look
> for ssh agent socket. You can do that with env command that sets
> SSH_AUTH_SOCK like in:
>
> plink.exe -t %user@%proxyhost -agent "env
> SSH_AUTH_SOCK=<path-to-socket> ssh -p %port -l role %host"
>
> The default socket location is /tmp/ssh-XXXXXXXXXX/agent.<ppid>. For
> maximum convenience you may run the ssh-agent on bastion with -d
> option to specify the exact location of the socket like in:
>
> ssh-agent -b "$HOME/.ssh/agent-socket"
>
> and then set SSH_AUTH_SOCK in the above command to /home/user/.ssh/agent-socket
>
> On the other hand the setup like that implies that one can always
> connect to the target if he has the key to bastion. Moreover, anybody
> who can login to bastion under your user name can also recover the
> private key for the target via inspecting ssh-agent memory. So the
> setup above is less secure if you would simply have the key to the
> target on your local box properly password-protected and loaded into
> putty agent.
>
> Regards, Igor
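A bastion-side helper for the fixed-socket agent setup discussed in the thread, added here as an example and not taken from either mail: it binds one ssh-agent to a known socket path (OpenSSH's ssh-agent takes that path with -a; the mail writes -d/-b), loads the target key with a bounded lifetime so a copy lifted from agent memory ages out with the next rotation, and builds the ssh line that plink's -t "..." hands to the bastion. The key path, host names, user and role are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: persistent ssh-agent on a fixed socket
# for a bastion that holds the target keys, plus the command plink carries.
set -e

AGENT_SOCK="${HOME}/.ssh/agent-socket"   # fixed path, known to every caller
TARGET_KEY="${HOME}/.ssh/id_target"      # placeholder: key that lives only on the bastion
KEY_LIFETIME=28800                       # seconds; the agent forgets the key after this

# True when an agent already answers on AGENT_SOCK.
# ssh-add -l exits 2 only when no agent is reachable (1 = reachable, no keys).
agent_alive() {
    rc=0
    SSH_AUTH_SOCK="$AGENT_SOCK" ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -ne 2 ]
}

# Start an agent on the fixed socket and load the target key, unless one is
# already running there (so it survives across logins, as keychain does).
ensure_agent() {
    if agent_alive; then
        return 0
    fi
    chmod 700 "${HOME}/.ssh"               # the socket must sit in a user-only directory
    rm -f "$AGENT_SOCK"                    # stale socket left by a dead agent
    ssh-agent -a "$AGENT_SOCK" >/dev/null  # -a binds the socket; env lines not needed
    # Bounded lifetime: a key read out of agent memory stops being useful once
    # the agent has dropped it and the key on the target has been rotated.
    SSH_AUTH_SOCK="$AGENT_SOCK" ssh-add -t "$KEY_LIFETIME" "$TARGET_KEY"
}

# Command run on the bastion, i.e. the quoted part of plink's -t "...":
# $1 = target host, $2 = target port, $3 = login name on the target.
target_command() {
    printf 'env SSH_AUTH_SOCK=%s ssh -p %s -l %s %s' "$AGENT_SOCK" "$2" "$3" "$1"
}

# Full plink line for the PuTTY side: $1 = bastion user, $2 = bastion host,
# $3 = target host, $4 = target port, $5 = login name on the target.
plink_line() {
    printf 'plink.exe -t %s@%s -agent "%s"' "$1" "$2" "$(target_command "$3" "$4" "$5")"
}

# Usage on the bastion: ./hop.sh target.internal 22 role   (placeholder values)
if [ "$#" -eq 3 ]; then
    ensure_agent
    exec env SSH_AUTH_SOCK="$AGENT_SOCK" ssh -p "$2" -l "$3" "$1"
fi
```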