aker-gateway / Aker

SSH bastion/jump host/jumpserver

SSH agent forwarding #23

Closed akmalhisyam closed 7 years ago

akmalhisyam commented 7 years ago

Hi. I'm using Aker master branch. Is it possible to enable agent forwarding?

anazmy commented 7 years ago

Hey akmalhisyam, can you give me an example scenario you have in mind, please?

akmalhisyam commented 7 years ago

Hi @anazmy

My scenario:

I forward my local SSH agent to bastion host, and bastion host should use that forwarded agent to get the credentials to login to the next host.

I'm unable to do that with Aker. It just fails with "invalid credentials" or something, I forgot.

Oneiroi commented 7 years ago

Agent forwarding is widely known to be insecure. I encourage you to stop using agent forwarding and read this article: https://heipei.github.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/. IMHO, Aker should not support AgentForwarding.

anazmy commented 7 years ago

Hey @akmalhisyam, I have to agree with Oneiroi: having a socket sitting there listening and answering crypto challenges is not a good practice, especially taking into consideration something like a zero-trust network.

That being said, Aker will still consider approaches for automation and ease of use, but in a more secure fashion.

ask0n commented 6 years ago

The link @Oneiroi provided mentions the option ssh-add -c, which is used for confirmation requests from ssh-agent. I don't think that storing users' private keys on an internet-facing bastion is more secure than ssh-agent. Anyway, it would be good to have such a configuration option in addition to the key: option.
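As an added example (not code from the Aker project or from anyone in this thread): a small audit over constructed ssh_config text that flags every Host stanza with ForwardAgent yes, placed beside a ProxyJump-based configuration that reaches the internal host through the bastion without ever handing the bastion an agent socket. ProxyJump is my suggested alternative, not something the thread proposes; the hostnames are placeholders.

```shell
#!/bin/sh
# Added example, not Aker code. Config text below is constructed.

# Weak: the agent socket is forwarded to the bastion for the whole session,
# so anything with root on the bastion can sign with the user's keys.
WEAK_CONFIG='Host bastion
    HostName bastion.example.com
    ForwardAgent yes

Host internal-*
    ProxyCommand ssh -W %h:%p bastion
    ForwardAgent yes
'

# Hardened: ProxyJump tunnels the second TCP connection through the bastion;
# the internal host authenticates against the local agent directly, and the
# bastion never receives an agent socket. If forwarding is unavoidable,
# loading keys with "ssh-add -c" makes the agent prompt before each signature.
HARDENED_CONFIG='Host bastion
    HostName bastion.example.com
    ForwardAgent no

Host internal-*
    ProxyJump bastion
    ForwardAgent no
'

# Print the Host patterns that enable ForwardAgent. Exit 0 when none are
# found, 1 otherwise. ssh_config keywords are case-insensitive, so compare
# lowercased.
audit_forward_agent() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "host" { host = $2 }
        tolower($1) == "forwardagent" && tolower($2) == "yes" {
            print host; found = 1
        }
        END { exit (found ? 1 : 0) }'
}

# Number of offending stanzas, for scripting and for the test below.
count_forward_agent() {
    audit_forward_agent "$1" | wc -l | tr -d ' '
}
```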

ask0n commented 6 years ago

@anazmy, any chance of reopening this issue?