
Re: ssh-agent use in different security domains

From: Alan Barrett <apb_at_nospam>
Date: Thu Oct 27 2011 - 07:36:13 GMT
To: openssh-unix-dev@mindrot.org

On Thu, 27 Oct 2011, Alex Bligh wrote:
>I'm also not sure you can use ProxyCommand to use more than one
>intermediate host in a row.

You can. Just put this in your .ssh/config, and then run "ssh host3".
It works fine for scp too.

     Host host3
        ProxyCommand ssh -W %h:%p host2
        User user3
     Host host2
        ProxyCommand ssh -W %h:%p host1
        User user2
     Host host1
        User user1

>What I'd like to see is (and I think this is just command line
>processing, plus possibly detection of -W support on the intermediate
>host):
>
> ssh --via intermediateA1.example.com
> --via intermediateA2.example.com
> remoteA.example.com
>
> scp -3 --via intermediateA1.example.com
> --via intermediateA2.example.com
> remoteA.example.com:file
> --via intermediateB1.example.com
> remoteB.example.com:file

There's no need for -W support on intermediate hosts;
the intermediate host sees a channel request that's
(almost?) indistinguishable from what would happen with "-L".

I agree that "--via" would be a convenient command line shorthand
for cases where you don't want to edit .ssh/config. (Passing -O
ProxyCommand on a command line typed by hand is cumbersome for one
hop, and infeasible for more than one hop.)

--apb (Alan Barrett)
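
Added example, not part of the original message: a shell function that writes out the chained ProxyCommand stanzas shown above for any number of hops. The name via_config and the file chain.conf are hypothetical, and User lines are omitted. Host names are validated because ssh runs ProxyCommand through the user's shell.

```shell
# via_config TARGET [VIA...]
# Print ssh_config stanzas that reach TARGET through the VIA hosts, given in
# the order the connection traverses them (the first VIA is reached directly).
# The body runs in a subshell so its variables do not leak into the caller.
via_config() (
    target=$1
    [ "$#" -gt 0 ] && shift

    # Validate every name before printing anything. ProxyCommand is executed
    # by the user's shell, so a name containing shell metacharacters would be
    # interpreted as a command, and a leading "-" would be parsed by ssh as
    # an option.
    for host in "$@" "$target"; do
        case $host in
            ''|-*|*[!A-Za-z0-9._-]*)
                echo "via_config: refusing host name: $host" >&2
                return 1
                ;;
        esac
    done

    prev=
    for host in "$@" "$target"; do
        printf 'Host %s\n' "$host"
        # Every host after the first is reached through the previous one.
        if [ -n "$prev" ]; then
            printf '    ProxyCommand ssh -W %%h:%%p %s\n' "$prev"
        fi
        prev=$host
    done
)
```

Usage: `via_config host3 host1 host2 > chain.conf`, then `ssh -F chain.conf host3`.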