nchammas / flintrock

A command-line tool for launching Apache Spark clusters.
Apache License 2.0

Add ssh -A flag to `flintrock login cluster` so forward agent #212

Closed DBCerigo closed 6 years ago

DBCerigo commented 6 years ago

Can we forward the ssh option to the login command?

I wanted to forward my agent profile for easy git repo access on the master node, hence the thought.

If you think it's a good idea I could look into making a PR for it :)

(flintrock proving awesome so far!)

nchammas commented 6 years ago

Hi @DBCerigo! So to elaborate, is the idea as follows?

Users run `flintrock login cluster` as before, but now under the hood Flintrock forwards the agent so that something like `git clone git@github.com:...` works from the Flintrock master just as it would from the client running Flintrock. For example, you'd be able to clone private repos from the cluster just as you would from your workstation.

Is that correct? Are there any security or compatibility concerns with doing something like this?

Seems like a nice convenience to add. Just want to understand a bit more about it.

DBCerigo commented 6 years ago

Hi ^^

Yep that's exactly the idea (and the use case I had in mind for it).

Regarding security concerns the man page says:

Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent's UNIX-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.

So I guess not making it default, but being able to pass the `-A` flag into the `flintrock login` command directly should be OK? I.e. then you could assume people using it would take responsibility for using it.

Might be a small but sometimes handy addition in the end.

nchammas commented 6 years ago

Sounds good to me. More in keeping with Flintrock's style would be to have a more descriptive option like `flintrock login --forward-agent/--no-forward-agent`, which people can also set via `flintrock configure`.

If you want to submit a PR for that, go for it. 👍
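To make the design discussed above concrete, here is an added example (not Flintrock's own code, and not from either participant) of how a login command could build its `ssh` argv with agent forwarding off by default and only enabled when the user asks for it, which is the `--forward-agent/--no-forward-agent` behaviour proposed in the thread. It also adds the check a practitioner would want: refusing to request forwarding when no local agent is running, since `SSH_AUTH_SOCK` being unset means there is nothing to forward and the user would silently get no benefit for the extra exposure the man page warns about. The host, user, key path and socket path are constructed sample values.

```python
import os
import shlex


def build_ssh_command(host, user, identity_file, forward_agent=False, env=None):
    """Return the argv list for an interactive ssh session to ``user@host``.

    Agent forwarding is explicitly set either way: ``ForwardAgent=no`` unless
    the caller opts in, so a permissive ``~/.ssh/config`` cannot turn it on
    behind the user's back. ``env`` defaults to the process environment; it is
    a parameter only so the check below can be exercised without a real agent.
    """
    env = os.environ if env is None else env

    if forward_agent and not env.get("SSH_AUTH_SOCK"):
        # Forwarding without a local agent is pointless: ssh -A would succeed
        # but no identities would be reachable from the remote side.
        raise RuntimeError(
            "agent forwarding requested but no SSH agent is available "
            "(SSH_AUTH_SOCK is unset); start ssh-agent and ssh-add a key first"
        )

    forward_value = "yes" if forward_agent else "no"
    return [
        "ssh",
        "-i", identity_file,
        "-o", "ForwardAgent=" + forward_value,  # equivalent to -A when "yes"
        "{}@{}".format(user, host),
    ]


def render(argv):
    """Shell-quote argv for display (Python 3.8+)."""
    return shlex.join(argv)


if __name__ == "__main__":
    # Constructed sample values; replace with real cluster details.
    fake_env = {"SSH_AUTH_SOCK": "/tmp/ssh-example/agent.1234"}
    print(render(build_ssh_command(
        "203.0.113.10", "ec2-user", "~/.ssh/flintrock-example.pem")))
    print(render(build_ssh_command(
        "203.0.113.10", "ec2-user", "~/.ssh/flintrock-example.pem",
        forward_agent=True, env=fake_env)))
```

Setting `ForwardAgent=no` explicitly in the default case is deliberate: a stray `ForwardAgent yes` in a user's `~/.ssh/config` would otherwise apply to every `flintrock login`, which is exactly the "not default" behaviour the thread agrees on.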