[nycbug-talk] ssh-agent and keychain
Lonnie Olson
lists at kittypee.com
Fri Feb 8 11:20:38 EST 2008
Steven Kreuzer wrote:
> Last night, during Ike's talk about ssh-agent, a helper script that
> wraps around it called keychain was brought up.
> ( http://www.gentoo.org/proj/en/keychain/index.xml )
>
-- snip --
> Since it's a pain to have to keep bouncing through one box to get to
> another, I set up GNU screen on the proxy server. I log in in the morning,
> start screen, and every time I need to connect to a new host I simply
> hit ctrl-a, a to create a new terminal and do what I need to do.
>
> I would load all my keys into memory using ssh-agent so I could log into
> boxes sans password, but ssh-agent has a few limitations based on my
> setup.

Is there a reason you don't just use Agent forwarding? Just keep your
key(s) on your local desktop, run ssh-agent there, and use Agent
forwarding to keep key access while bouncing through the proxy server.
Seems simpler to me, and keeps your keys closer to yourself, reducing
risk of compromise.

On a side note, you can also use ProxyCommand in your ~/.ssh/config file
to define aliases that automatically bounce through the proxy without
actual interaction with the proxy.
http://tauware.de/blog:ssh-proxy-command

--lonnie
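
The two approaches from this reply as a `~/.ssh/config` sketch, added here as an example and not part of the original message. The host names, the alias `proxy` and the user name are assumed placeholders, and `ssh -W` requires OpenSSH 5.4 or later.

```sshconfig
# ~/.ssh/config on the local desktop (constructed example; all names are placeholders)
# Private keys stay on the desktop, loaded into the local ssh-agent.

# Option A: agent forwarding, for logging in to the proxy and running
# ssh from there. Enable it for the bounce host only, never under "Host *":
# while the session is open, anyone with root on the proxy can ask the
# forwarded agent socket to sign on your behalf.
Host proxy
    HostName proxy.example.org
    User alice
    ForwardAgent yes

# Option B: ProxyCommand, for reaching inner hosts through the proxy
# without an interactive login on it.
Host *.internal.example.org
    User alice
    # -W asks the proxy only to relay a TCP stream to %h:%p.
    # -a turns agent forwarding off for this relay connection, overriding
    # the "ForwardAgent yes" set for the proxy alias above.
    ProxyCommand ssh -a -W %h:%p proxy
    # Authentication to the inner host is performed by the desktop's ssh
    # against the local agent, so nothing needs to be forwarded.
    ForwardAgent no
```

`ssh -G db1.internal.example.org` (OpenSSH 6.8 or later; the host name is a placeholder) prints the options that will actually apply to a host, which is a quick way to confirm `ForwardAgent` is off where expected.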