

A sysadmin talks OpenSSH tips and tricks - cmsj
http://www.tenshu.net/2012/02/sysadmin-talks-openssh-tips-and-tricks.html

======
zobzu
Author does not understand SSH Agent forwarding.

Author gives directions such as "don't use X!!" without explaining why, or
what. That is terrible. Please inform people, instead of making empty
statements.

SSH Agent forwarding lets the remote host query your local agent. The agent
responds to challenges. The private key is NEVER transmitted.

So no, it's absolutely NOT equivalent to storing your private key on the remote
server - did you think OpenSSH was that dumb?

The risk with SSH agent forwarding is that _as long as your session is
running with agent forwarding on_ the remote host can query challenges and use
them to authenticate anywhere you're allowed to authenticate to, granted that
your ssh-agent keys are currently unlocked.

So indeed, using SSH agent forwarding everywhere is bad practice. But it
doesn't mean you can't use it. You just need to know its limitations.

When not used, you can use ssh -oProxyCommand='ssh -W targethost:22 jumphost'
targethost and/or put it in the ssh config, which is actually more convenient
in most common cases.

It's also tiring to see so-called ssh tricks every next day, as if everyone
didn't see yesterday's one. And with incorrect statements, it's worse.
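
The jump-host setup described in the comment above, written out as a worked example. This is added illustration, not code from the article or from the commenter: it emits the ssh_config stanza for reaching a target through a jump host with `ssh -W` and agent forwarding kept off, and pairs it with a small audit that lists every block of an ssh_config that turns `ForwardAgent` on. `targethost` and `jumphost` are placeholder names, and the sample config is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article or from the comment above. Shows the
# ProxyCommand form of the jump-host setup with agent forwarding left off,
# plus a small audit of an ssh_config for blocks that turn ForwardAgent on.
# "targethost" and "jumphost" are placeholder names.

# Emit an ssh_config stanza that reaches TARGET through JUMP using
# "ssh -W host:port jumphost" (OpenSSH 5.4+). %h and %p are expanded by the
# local ssh client to the target's name and port. ForwardAgent is pinned to
# "no" so neither the jump host nor the target can sign with the local
# agent's keys while the session is open.
jump_stanza() {
    target=$1; jump=$2
    printf 'Host %s\n' "$target"
    printf '    ProxyCommand ssh -W %%h:%%p %s\n' "$jump"
    printf '    ForwardAgent no\n'
}

# Print the Host pattern of every block in FILE that sets "ForwardAgent yes".
# Exit status 1 if any block does, 0 if the file is clean. Only the first
# pattern after "Host" is reported, which is enough for an audit listing.
audit_forwarding() {
    awk '
        tolower($1) == "host" { host = $2 }
        tolower($1) == "forwardagent" && tolower($2) == "yes" { print host; bad = 1 }
        END { if (bad) exit 1; exit 0 }
    ' "$1"
}

# Write a constructed sample config to FILE. The blanket "Host *" block at the
# top is the pattern the thread warns about: ssh keeps the FIRST value it
# obtains for each option, so this global "yes" silently overrides the
# per-host "no" further down. That is exactly what the audit should flag.
write_sample_config() {
    cat > "$1" <<'EOF'
Host *
    ForwardAgent yes

Host targethost
    ProxyCommand ssh -W %h:%p jumphost
    ForwardAgent no
EOF
}

# Stand-alone run ("sh script.sh demo"): print the stanza, then audit the
# constructed sample file.
if [ "${1:-}" = "demo" ]; then
    jump_stanza targethost jumphost
    cfg=$(mktemp); write_sample_config "$cfg"
    audit_forwarding "$cfg" || echo "agent forwarding is enabled for the host patterns above"
    rm -f "$cfg"
fi
```

Running the audit against a real `~/.ssh/config` is the quick check for the "everywhere" mistake: any `Host *` line it prints means every session, jump hosts included, can use the local agent for as long as it stays connected.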

~~~
cmsj
I always go in hard on agent forwarding because I don't think most people
understand the limitations. If you look at my wording I said:

"as if they had your private keys, because functionally speaking, they do"

The remote hosts may not have the actual private key data, but they can
operate as if they do. I will expand that section a little, but not at the
expense of warning people off the feature.

Thanks for the reminder about -W though, I meant to add that to the jump host
section with a note that it's only available since OpenSSH 5.4.

I apologise for tiring you, best of luck with your recovery :)
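
Since `-W` only exists from OpenSSH 5.4 onward, as the reply above notes, a config that has to work on older clients needs the pre-5.4 form of the jump command. The following is an added example, not code from the article or from either commenter: it reads the client's version banner and picks `ssh -W` when the client supports it, falling back to the older `nc`-on-the-jump-host ProxyCommand otherwise. `jumphost` is a placeholder name and the banner strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not from the article or the thread): choose a ProxyCommand
# that matches the installed OpenSSH client, since -W is only available from
# 5.4 onward. The fallback runs nc on the jump host, which is how jump-host
# ProxyCommands were written before -W existed. "jumphost" is a placeholder.

# Extract "major.minor" from a banner such as "OpenSSH_5.3p1, OpenSSL ...".
# Prints nothing if the banner does not look like an OpenSSH version string.
ssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Print the ProxyCommand for reaching a target through JUMP, given the client
# banner. Returns 1 (and prints nothing) if the banner cannot be parsed.
proxy_command_for() {
    ver=$(ssh_version "$1"); jump=$2
    [ -n "$ver" ] || return 1
    major=${ver%%.*}; minor=${ver#*.}
    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 4 ]; }; then
        # 5.4+: the local ssh opens a TCP forward on the jump host itself.
        printf 'ssh -W %%h:%%p %s\n' "$jump"
    else
        # Older clients: run nc on the jump host to relay the connection.
        printf 'ssh %s nc %%h %%p\n' "$jump"
    fi
}

# Live use: ssh -V prints its banner on stderr, e.g.
#   proxy_command_for "$(ssh -V 2>&1)" jumphost
# With a constructed 5.3 banner this prints "ssh jumphost nc %h %p";
# with a 5.4 or later banner it prints "ssh -W %h:%p jumphost".
```

Either string drops straight into a `ProxyCommand` line; neither one needs agent forwarding, which is the point of using a jump host this way.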

