

Using ssh-agent with ssh (2002) - tonteldoos
http://mah.everybody.org/docs/ssh

======
jlgaddis
I'm inclined to recommend against using `ssh-agent`. I suggest using
ProxyCommand instead and I, myself, use that probably 50 times a day every
day.

I have dozens of servers running Linux and FreeBSD that, naturally, have
`sshd` enabled for remote access. Even though (almost) all of my servers have
public IP addresses, there are only three of them accessible via SSH from "the
world" -- two OpenBSD hosts and one RHEL host.

The two OpenBSD machines are "jumpboxes": their only purpose is to serve as a
gateway into the network and to all of the other servers. Instead of SSH'ing
into one of them and then SSH'ing out to the actual machine I want to log
into, I make heavy use of "ProxyCommand" in my $HOME/.ssh/config so that I can
just run, e.g. "ssh mx-out". An SSH connection to one of the jumpboxes is
established and, through that, a connection to the actual server is then made.
Since I use keys for authentication, I don't have to enter my password or
passphrase twice (or even once) and the "magic" is completely transparent to
the user once it's initially set up.

The RHEL host (which I've hardened as much as possible) is for web hosting
customers to connect to in order to upload/download files into their web
space. It is not a web server, itself, but it is an NFS client so that
customers don't need to log into the actual web servers themselves.

------
bbrazil
This is a good setup, I had similar years ago to deal with screen.

One general word of warning with ssh-agent: Only use -A to forward it to
another host that you completely trust, as anyone with root on that machine
will be able to use your private keys.

~~~
keeperofdakeys
Personally I configure ssh-agent to have my key decrypted in memory, but to
bring up a simple yes/no confirmation dialogue whenever an ssh connection
requests the key. While it doesn't prevent the problem, it certainly increases
the sophistication required - I'm not likely to click on such a box when I
haven't done something that would need it.

------
newman314
Use ProxyCommand instead

~~~
keeperofdakeys
For those who were interested in details -
[https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_J...](https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts#Passing_through_a_gateway_using_netcat_mode)

SSH on the gateway host turns into a relay to forward your SSH traffic to the
other host.
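The jumpbox arrangement jlgaddis describes, using the netcat-mode relay the Wikibooks page covers, written out as a `~/.ssh/config` fragment. This is an added example, not configuration from any commenter; the host names, addresses, user and key paths are placeholders.

```sshconfig
# Added example: ProxyCommand jump-host pattern (placeholder names throughout).

# The jumpbox is the only machine reached directly from the Internet.
Host jump1
    HostName jump1.example.net        # placeholder
    User alice                        # placeholder
    IdentityFile ~/.ssh/id_ed25519_jump
    IdentitiesOnly yes
    # Root on the jumpbox could use a forwarded agent, so never forward it.
    ForwardAgent no

# An internal host reached through the jumpbox, so "ssh mx-out" just works.
# "ssh -W %h:%p jump1" opens a session to the jumpbox and has it relay a raw
# TCP stream to the inner host (%h/%p expand to the HostName/Port below).
# The inner SSH session is end-to-end encrypted, so the jumpbox never sees
# its plaintext, and no private key ever needs to be stored on the jumpbox.
Host mx-out
    HostName 10.0.0.25                # placeholder internal address
    User alice
    IdentityFile ~/.ssh/id_ed25519_internal
    IdentitiesOnly yes
    ProxyCommand ssh -W %h:%p jump1
    ForwardAgent no

# Same relay for every host on the internal range, with the jumpbox
# excluded so the pattern cannot recurse into itself.
Host 10.0.0.* !jump1
    User alice
    IdentityFile ~/.ssh/id_ed25519_internal
    IdentitiesOnly yes
    ProxyCommand ssh -W %h:%p jump1
    ForwardAgent no
```

On OpenSSH 7.3 and later, `ProxyJump jump1` is a built-in equivalent of the `ssh -W` ProxyCommand line. If you do keep keys in an agent, `ssh-add -c <keyfile>` loads a key so that every use prompts for confirmation, which is the per-use dialogue keeperofdakeys mentions.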

