undefined | Better HN

0 pointsvindex102y ago0 comments

thanks for the suggestion. I haven't used agent forwarding myself. I read a bit in the manual, and this seems to have a problem if the users I'm sharing the machine with have `sudo`:

> Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent's UNIX-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent. A safer alternative may be to use a jump host (see -J).

> Run ssh-add in your terminal session before doing your push/pull dance

originally my comment was about gpg encrypted files. also I suspect any kind of agent would expose privileges of my key to others if they have sudo.

0 comments

atoav2y ago

Exactly. This should be used with care on remote hosts that are untrusted.

But for local development it is still superior to not having a password at all.

vindex10OP2y ago

for local development, I use keychain [1] on top of the ssh-agent.

this allows to keep ssh-agent On for a limited time, so it will ask for password again in, for example, 10 minutes.

[1] https://www.funtoo.org/Funtoo:Keychain

j / k navigate · click thread line to collapse