Hacker News new | ask | show | jobs
by upon_drumhead 1002 days ago
Or even better, use ProxyJump and don’t forward your agent at all :)
1 comments
aarmenaa 1002 days ago
I'm moving towards this for my current workplace. SSH will only be allowed via VPN, only to a bastion, and that bastion will not permit agent forwarding, or really much of anything other than ProxyJump. I'm baffled that agent forwarding is a feature when OpenSSH won't even use a key file if the permissions are wrong.
link
lxgr 1002 days ago
Agent forwarding has its uses; not all of them can be replaced by ProxyJump.
link
GauntletWizard 1002 days ago
I never need to SSH directly into servers. When I do, I need to be able to clone private git repos. ssh agent forwarding is the right answer.
link
sureglymop 1002 days ago
To go further, use a VPN that uses UDP and only allow that connection after port knocking three randomly chosen ports.
link
ThePowerOfFuet 1002 days ago
This is way overkill when you could simply use Wireguard instead.
link
sureglymop 1001 days ago
Not really, its just a few lines in your nftables/iptables rules. And sure, wireguard is great. It's just an underrated trick from decades ago. :)
link