Hacker News new | ask | show | jobs
by RL_Quine 2626 days ago
`ProxyJump`
2 comments
aidos 2626 days ago
Hadn’t seem that before. Article here explains is briefly https://www.madboa.com/blog/2017/11/02/ssh-proxyjump/
link
theamk 2626 days ago
This article is .. weird. It mentions SOCKS5, DynamicForwarding and "decent version of nc", while you don't need anything at all for forwarding connection -- SOCKS is not involved in any way, and initial 1995 release of nc would work just fine.

Here is a much better explanation (from [0]):

> ProxyJump was added in OpenSSH 7.3 but is nothing more than a shorthand for using ProxyCommand, as in: "ProxyCommand ssh proxy-host -W %h:%p"

so the same thing that top poster was talking about.

[0] https://superuser.com/questions/1253960/replace-proxyjump-in...

link
metafunctor 2626 days ago
Do you keep your keys on the proxy host, then? Otherwise, "ForwardAgent yes" and you're back to the same situation.
link
syntonym 2626 days ago
ProxyJump uses the keys from the original host, not the proxy host.
link
metafunctor 2626 days ago
I know. That's why I asked. Chained agent forwarding will serve your keys just the same, so ProxyJump is not "a secure alternative that achieves the same outcome".
link
syntonym 2626 days ago
Are you disagreeing with the "secure alternative" or the "same outcome"? I thought the difference between ProxyJump and agent forwarding is the following:

Agent forwarding forwards the agent socket to the proxy server. Thus any ssh connection originating from the proxy server can reuse the agent, and with that has the same access to the agent as the originating host.

ProxyJump routes the ssh connection through the proxy host. The crypto takes place between originating host and target host, not between proxy host and target host. ssh connections originating from the proxy host can not access keys from the originating host.

But maybe my understanding of ProxyJump is incorrect?

link
metafunctor 2626 days ago
I know exactly how agent forwarding and ProxyJump work, but I'm having a hard time understanding what you mean.

ProxyJump proxies your ssh connection, so connecting from A to B via proxy X the connections go A->X and X->B.

You can use AgentForwarding with ProxyJump, in which case agent connections go B->X->A.

I cannot see how ProxyJump would somehow be an alternative to AgentForwarding. You can use both independently.

link
Xylakant 2626 days ago
> ProxyJump proxies your ssh connection, so connecting from A to B via proxy X the connections go A->X and X->B.

No, it rather works like this:

A -> B via X establishes A->X and then, through that connection tunnels a new ssh-connection from A->B.

A->X, then X->B would require forwarding the Agent from A to X, so that the connection from X->B can authenticate using that agent. Proxying the connection does not require X to ever authenticate to B, the authentication happens straight from A->B (1). Thus, no agent (forwarding) needed. You can also chain ProxyJumps: A->X->Y->B tunnels A->B in A->Y which is then tunneled through A->X. In that regard, ProxyJump and ProxyCommand can replace AgentForwarding in most use cases. There are some uses where AgentForwarding is the only solution, though.

(1) Added benefit: X never sees the actual traffic in unencrypted form and all port forwards A<->B work

link