personal blog
git clone git://
Log | Files | Refs | README

commit 8866f0e613cfb4c341edf745edecf4eb1f2a0ccf
parent b1dc49638adaa81046335db9a70043c9c4ee9a42
Author: pyratebeard <>
Date:   Thu,  6 Jan 2022 22:06:51 +0000


Aentry/keeper_of_the_ssh_keys.draft | 33+++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+), 0 deletions(-)

diff --git a/entry/keeper_of_the_ssh_keys.draft b/entry/keeper_of_the_ssh_keys.draft @@ -0,0 +1,33 @@ +Earlier today I saw [this article]( on (via about a new feature in OpenSSH 8.9, [SSH agent restriction](, that will allow you to restrict the hosts your keys can be used on with `ssh-agent` + +As a daily user of SSH (Secure SHell) I am a big fan of using SSH keys over passwords. Keys are more secure than passwords and by using `ssh-agent` you can enter your passphrase once, leaving you free to `ssh` all over the place without constantly typing your passwords. + +This new restriction feature looks to quite useful if you're using agent forwarding through a bastion host. You will be able to specify which hosts the keys will authenticate with and even through which hops. The links above have some great examples and much more information into how it works. + +A number of people in the comments of that article pointed out that you can use the SSH config option `ProxyJump` or `-J` on the commandline. With agent-forwarding through a bastion a user would normally `ssh` to the bastion and then `ssh` again to the desired host. This creates two encrypted connections. Using `ProxyJump`, however, works by getting the bastion to forward the first encrypted connection without breaking it. From your terminal you can incant +``` +ssh -J user@bastion user@host +``` +This will open a connection with "host" in one go. Especially useful if you don't trust the bastion. + +I use `ProxyJump` quite a lot. Hopping through a bastion is common practice when you have isolated networks. I also use it with my LXC containers, by jumping through the host server into the container. To achieve that my `~/.ssh/config` looks something like this +``` +Host mainframe + HostName + Port 2222 + +Host lxc1 + HostName + ProxyJump mainframe + +Host lxc2 + HostName + ProxyJump mainframe +``` + +With this config I can `ssh` straight to my containers with one encrypted connection through the host. +``` +ssh lxc1 +``` + +I will still be interested in the agent restriction feature when it comes in, and if you know of any other useful SSH tricks I would love to hear them.