by aarmenaa 1000 days ago
I'm moving towards this for my current workplace. SSH will only be allowed via VPN, only to a bastion, and that bastion will not permit agent forwarding, or really much of anything other than ProxyJump. I'm baffled that agent forwarding is a feature when OpenSSH won't even use a key file if the permissions are wrong.
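A configuration that implements the bastion design described in the post above: an added example, not from the thread or from OpenSSH's own documentation, with the hostnames, addresses and group name as placeholders. The bastion relays only the TCP stream that ProxyJump needs and refuses sessions, agent forwarding, X11 and tunnels.

```sshconfig
# --- On the bastion: /etc/ssh/sshd_config.d/bastion.conf (placeholder path) ---
# Applies to members of a constructed group "jumpusers".
Match Group jumpusers
    # ProxyJump only needs a client-initiated direct-tcpip channel (ssh -W).
    AllowTcpForwarding local
    # Restrict the relay to the internal hosts' SSH ports (placeholder addresses).
    PermitOpen 10.0.1.20:22 10.0.1.21:22
    # No agent socket is ever created on the bastion for these users.
    AllowAgentForwarding no
    # MaxSessions 0 refuses shell/login/subsystem sessions but still permits forwarding.
    MaxSessions 0
    PermitTTY no
    X11Forwarding no
    PermitTunnel no
    AllowStreamLocalForwarding no
    GatewayPorts no

# --- On the workstation: ~/.ssh/config ---
Host bastion
    HostName bastion.example.com   # placeholder hostname
    User alice                     # placeholder user
    ForwardAgent no

# Internal hosts are reached through the bastion; the bastion never sees the
# second hop's key exchange, only its ciphertext.
Host *.internal.example
    ProxyJump bastion
    ForwardAgent no
```

Because ProxyJump only relays a TCP stream, the agent-forwarding request for the second hop is made to the internal host, not the bastion, so `AllowAgentForwarding no` on the bastion alone does not stop a client from forwarding its agent to the internal server; set it on the internal hosts (or `ForwardAgent no` on clients) as well.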

Agent forwarding has its uses; not all of them can be replaced by ProxyJump.
I never need to SSH directly into servers. When I do, I need to be able to clone private git repos. SSH agent forwarding is the right answer.
To go further, use a VPN that uses UDP and only allow that connection after port knocking three randomly chosen ports.
This is way overkill when you could simply use Wireguard instead.
Not really, it's just a few lines in your nftables/iptables rules. And sure, WireGuard is great. It's just an underrated trick from decades ago. :)