unsolicited ProxyJump elaboration 

@electroCutie @kit_ty_kate Exactly! Never forward your private! Keys! Using a jumphost instead has many benefits, not only better security.

`ssh -J jumphostNicknameOnDemand targetHost`
for on demand jumphost use on the commandline

Or:

```
Host targetHost
    HostName target.example.org
    ProxyJump jumphostNicknameToUseAlways
```
in `~/.ssh/config`

Benefits include
- easy to use on demand
- works with RFC1918 IPs and internal hostnames behind the jumphost

@MacLemon @kit_ty_kate @electroCutie

Key forwarding just forwards the public key and is needed in your example too, isn't it?

SSH details 

@utzer @MacLemon @kit_ty_kate No, it is not

If I'm reading the intent correctly, the option under discussion is ForwardAgent.
This exposes the agent on the remote box, and is vulnerable to attack. There are valid uses for it, of course, but you need to really trust that box

With ProxyJump, the agent remains exposed only on your local box, and the remote box is used as an SSH proxy with no privilege whatsoever in the proxied connection or authentication.

SSH details 

@electroCutie @utzer @kit_ty_kate I consider that a totally correct explanation of the underlying security problem with agent forwarding.

@utzer ProxyJump doesn't *forward* keys at all. It's basically an SSH tunnel used by SSH without having to configure ports manually and dealing with localhost connections.
It only requires

```
AllowTcpForwarding yes
```

in `sshd_config` on the JumpHost.

(If you need remote port forwarding (very rarely), you also need

```
GatewayPorts yes
```

in `sshd_config` on the JumpHost.)
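A fuller version of the setup described in this thread, added here as an example and not taken from any of the posts: the client side keeps the agent on the workstation (no ForwardAgent), and the jump host's sshd lets the proxy account do nothing except open TCP connections to the listed targets, which is what "no privilege in the proxied connection" looks like in configuration. The host names, the 10.0.1.x addresses, the `jumpproxy` account and the `nologin` path are assumptions.

```sshconfig
# ---- ~/.ssh/config on the workstation (assumed names) ----
Host jump
    HostName jump.example.org
    User jumpproxy
    IdentityFile ~/.ssh/id_ed25519_jump
    IdentitiesOnly yes

Host target
    # RFC1918 address that is only reachable through the jump host
    HostName 10.0.1.20
    User alice
    ProxyJump jump
    # The agent socket never leaves the workstation; the jump host
    # only relays bytes and cannot use the target key.
    ForwardAgent no
    IdentityFile ~/.ssh/id_ed25519_target
    IdentitiesOnly yes

# ---- /etc/ssh/sshd_config on the jump host (assumed) ----
# Default for every other account: no forwarding at all.
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no

# The proxy account may only open TCP connections to the
# listed destinations. PermitOpen matches the host:port string
# the client requests, i.e. the HostName above.
Match User jumpproxy
    AllowTcpForwarding yes
    PermitOpen 10.0.1.20:22 10.0.1.21:22
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    # No shell or tty for this account; ProxyJump does not need
    # a session channel, so this does not affect -J.
    # Path of nologin varies by distribution.
    PermitTTY no
    ForceCommand /usr/sbin/nologin
```

Restart sshd on the jump host after editing, and test with `ssh -v target` on the workstation: the debug output should show the connection to `jump` followed by a direct-tcpip channel to `10.0.1.20:22`, with no agent forwarding request.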

@kit_ty_kate @electroCutie

Lesbiab Space