openssh-unix-dev October 2011 archive

Re: ssh-agent use in different security domains

From: Saku Ytti <saku_at_nospam>
Date: Thu Oct 27 2011 - 05:58:07 GMT
To: "openssh-unix-dev@mindrot.org" <openssh-unix-dev@mindrot.org>

On 26 October 2011 23:52, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:

> I suppose I'm arguing right now that the only legitimate usage scenario
> for ForwardAgent is when the user doesn't understand how to use
> ProxyCommand for a jumphost.
>
> I'd rather streamline the jumphost case than add extra cruft that might
> encourage users to forward their agent.

I sometimes need to jump through several intermediate routers, and it seems to
me there is a somewhat large overhead (as of today) in using it.
I might be on domain2-server1 and need to jump back and forth between several
domain2 servers, and sometimes not even directly from server1 to serverN,
but server7 might only be reachable from server3 or so.

I suppose ProxyCommand is easier to fix, as it requires no protocol
changes, and I'm certainly biased as I've used the agent a lot, but not
ProxyCommand. It is just hard to imagine how to make it as unobtrusive
as ssh-agent; the only thing ssh-agent is really missing (and the only thing
that makes it insecure) is not having any idea who is requesting the signing.

-- 
  ++ytti

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
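The multi-hop chain described in the reply (domain2-server1 reachable directly, server7 only reachable via server3) can be expressed without ForwardAgent by chaining ProxyCommand with `ssh -W` (available since OpenSSH 5.4): every hop authenticates against the local agent, and no intermediate host is ever handed an agent socket it could sign with. This is an added illustration, not configuration from the original thread or from OpenSSH; the hostnames, the `domain2-` aliases and the user name are assumptions.

```ssh_config
# ~/.ssh/config -- added example; all host names and the user are hypothetical

# Discouraged: with the agent forwarded, root on any domain2 host can sign
# with your keys for as long as the session is up, and the agent cannot tell
# who asked. Shown only for contrast.
#Host domain2-*
#    ForwardAgent yes

# Preferred: chain the hops. Each ssh in the chain talks to your local agent
# directly, so the intermediate hosts only ever see a TCP stream, never keys.
Host domain2-server1
    HostName server1.domain2.example
    User ytti

Host domain2-server3
    HostName server3.domain2.example
    User ytti
    # %h/%p expand to the HostName/Port above; -W asks server1's sshd to
    # open a direct-tcpip channel to that address instead of running a shell
    ProxyCommand ssh -W %h:%p domain2-server1

# server7 is only reachable from server3, so nest one level deeper
Host domain2-server7
    HostName server7.domain2.example
    User ytti
    ProxyCommand ssh -W %h:%p domain2-server3
```

With this in place `ssh domain2-server7` transparently goes server1 -> server3 -> server7, and `scp`/`sftp` work the same way. Two caveats: the intermediate sshds must permit AllowTcpForwarding (the default), and each hop's host key is checked by your local client rather than by the previous hop, which is the security property ForwardAgent does not give you. Where forwarding the agent is still unavoidable, loading keys with `ssh-add -c` makes the agent prompt for confirmation on every signing request, which at least makes each use visible even though, as the reply notes, the agent still cannot identify the requester.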