pyratelog

personal blog
git clone git://git.pyratebeard.net/pyratelog.git
Log | Files | Refs | README

20220106-keeper_of_the_ssh_keys.md (2192B)

      1 Earlier today I saw [this article](https://lwn.net/SubscriberLink/880458/5c4147ec8a7ca8df/) on LWN.net (via lobste.rs) about a new feature in OpenSSH 8.9, [SSH agent restriction](https://www.openssh.com/agent-restrict.html), that will allow you to restrict the hosts your keys can be used on with `ssh-agent`
      2 
      3 As a daily user of SSH (Secure SHell) I am a big fan of using SSH keys over passwords.  Keys are more secure than passwords and by using `ssh-agent` you can enter your passphrase once, leaving you free to `ssh` all over the place without constantly typing your passwords.
      4 
      5 This new restriction feature looks to quite useful if you're using agent forwarding through a bastion host.  You will be able to specify which hosts the keys will authenticate with and even through which hops.  The links above have some great examples and much more information into how it works.
      6 
      7 A number of people in the comments of that article pointed out that you can use the SSH config option `ProxyJump` or `-J` on the commandline.  With agent-forwarding through a bastion a user would normally `ssh` to the bastion and then `ssh` again to the desired host.  This creates two encrypted connections.  Using `ProxyJump`, however, works by getting the bastion to forward the first encrypted connection without breaking it.  From your terminal you can incant
      8 ```
      9 ssh -J user@bastion user@host
     10 ```
     11 This will open a connection with "host" in one go.  Especially useful if you don't trust the bastion.
     12 
     13 I use `ProxyJump` quite a lot.  Hopping through a bastion is common practice when you have isolated networks. I also use it with my LXC containers, by jumping through the host server into the container.  To achieve that my `~/.ssh/config` looks something like this
     14 ```
     15 Host mainframe
     16   HostName 67.13.5.100
     17   Port 2222
     18 
     19 Host lxc1
     20   HostName 10.0.3.24
     21   ProxyJump mainframe
     22 
     23 Host lxc2
     24   HostName 10.0.3.50
     25   ProxyJump mainframe
     26 ```
     27 
     28 With this config I can `ssh` straight to my containers with one encrypted connection through the host.
     29 ```
     30 ssh lxc1
     31 ```
     32 
     33 I will still be interested in the agent restriction feature when it comes in, and if you know of any other useful SSH tricks I would love to hear them.