openssh-unix-dev October 2011 archive

Re: ssh-agent use in different security domains

From: Saku Ytti <saku_at_nospam>
Date: Wed Oct 26 2011 - 19:15:41 GMT
To: "openssh-unix-dev@mindrot.org" <openssh-unix-dev@mindrot.org>

On 26 October 2011 22:10, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:

> no, if you do not forward your agent (that is, if you do not enable
> ForwardAgent), the machine you connect to cannot access the keys in your
> agent, regardless of the number of intermediate hops.

Let's not discuss this; let's just assume a situation where you do need to jump
between multiple hosts in two different security domains.
If there is a usage scenario for ForwardAgent, there is a usage scenario for
ForwardAgent in multiple security domains.

> By default ForwardAgent should be set to "no" in ssh_config.  If you run
> a distribution that has ForwardAgent set to "yes" by default, please
> inform them that it should *always* default to "no".  This would be a
> serious bug.

No, I've not run into one. And this thread is exactly because I now need to
add an agent towards another domain, to which I don't want to expose
my domain1 keys.

--
  ++ytti

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
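As an added example (not from this thread or from OpenSSH itself), here is the ssh_config scoping the reply above alludes to, modelled in Python: ForwardAgent stays off by default and is enabled only for hosts in the trusted domain. It also shows OpenSSH's first-obtained-value rule, which is why the order of the Host blocks matters. The config text and the hostnames (domain1.example, domain2.example) are constructed.

```python
import fnmatch

# Constructed ssh_config excerpt (not from the thread): agent forwarding only
# for the trusted domain, denied everywhere else. OpenSSH uses the FIRST
# obtained value per option, so the specific block must precede "Host *".
SSH_CONFIG_GOOD = """\
Host *.domain1.example
    ForwardAgent yes
Host *
    ForwardAgent no
"""

# Same blocks, wrong order: the catch-all "no" is obtained first for every host.
SSH_CONFIG_BAD = """\
Host *
    ForwardAgent no
Host *.domain1.example
    ForwardAgent yes
"""

def parse_ssh_config(text):
    # Simplified model: Host blocks only (no Match/Include), returned in file
    # order as [(patterns, {option: value}), ...].
    blocks, patterns, opts = [], ["*"], {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        else:
            opts.setdefault(key, value)  # first value within a block wins
    blocks.append((patterns, opts))
    return blocks

def host_matches(host, patterns):
    # Glob match as ssh(1) does for Host patterns ('!' negation omitted here).
    return any(fnmatch.fnmatchcase(host, p) for p in patterns)

def effective_option(text, host, option, default="no"):
    # First obtained value wins, as ssh_config(5) documents.
    option = option.lower()
    for patterns, opts in parse_ssh_config(text):
        if host_matches(host, patterns) and option in opts:
            return opts[option]
    return default
```

Run `effective_option(SSH_CONFIG_BAD, "bastion.domain1.example", "ForwardAgent")` and note it returns "no": the domain1 block is dead configuration once a catch-all precedes it.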