Forwarding both gpg and ssh agents

Peter Lebbing peter at digitalbrains.com
Tue Jul 17 11:00:04 CEST 2018


On 16/07/18 23:35, Chris Coutinho wrote:
> Although some sources note the potential security holes of
> using this method, it works great for my use case

Well, yes, even the man page warns about the security implications. 
There's a reason I said "it's quite a while back" :-). I try to avoid 
it. The security implications are severe.

If it's just about passing a firewall, the ProxyJump / -J options of 
OpenSSH are much more useful. You can even chain them easily to pass 
ever more firewalls :-).

ssh -J outerbastion.example.org,nextlayer.example.org destination.example.org

> https://heipei.github.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/

The ProxyCommand mentioned there has been made more convenient with the 
ProxyJump option that was added later; especially if we're talking about 
multiple jump hosts.

Agent forwarding is really about connecting two remote hosts together, 
which Proxy can't do.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
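
An added example, not part of the original message: a small audit that lists the Host/Match blocks of an ssh_config-style file that still enable ForwardAgent, so they can be reviewed for replacement with the ProxyJump chain described above. The function names and the `legacy-hop` and `destination` aliases are constructed for illustration; the example.org host names are the ones used in the message.

```sh
#!/bin/sh
# Added example (not from the original post); sample config is constructed.

# Print one line per Host/Match block that turns on ForwardAgent.
# Simplification: each block is judged on its own; ssh itself merges all
# matching blocks and the first value obtained wins.
audit_forward_agent() {
  awk '
    function flush() {
      if (fwd) printf "%s forwardagent=%s proxyjump=%s\n", block, fwdval, (jump == "" ? "-" : jump)
    }
    BEGIN { block = "(global)" }
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      if (!match(line, /[ \t=]+/)) next     # keyword and value split on space or "="
      key = tolower(substr(line, 1, RSTART - 1))
      val = substr(line, RSTART + RLENGTH)
      sub(/[ \t]+$/, "", val)
      if (key == "host" || key == "match") {
        flush(); block = val; fwd = 0; fwdval = ""; jump = ""
      } else if (key == "forwardagent" && fwdval == "") {
        fwdval = val; fwd = (tolower(val) != "no")   # yes, or a socket path / $VAR
      } else if (key == "proxyjump" && jump == "") {
        jump = val
      }
    }
    END { flush() }
  ' "$1"
}

# Constructed sample: one block relies on agent forwarding, the other uses
# the ProxyJump chain from the message and keeps the agent local.
write_sample_config() {
  cat > "$1" <<'EOF'
Host legacy-hop
    HostName outerbastion.example.org
    ForwardAgent yes

Host destination
    HostName destination.example.org
    ProxyJump outerbastion.example.org,nextlayer.example.org
    ForwardAgent no
EOF
}

tmp=$(mktemp); write_sample_config "$tmp"; audit_forward_agent "$tmp"; rm -f "$tmp"
```

Only `legacy-hop` is reported; the `destination` block reaches the same host through both jump hosts without exposing the agent socket on either of them.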
