Bastion server: use TCP forwarding VS placing private key on server
We have bastion server B.
We need to SSH from A through B to C, using private key.
What is the better option:
Put the private SSH key on server B. We read that it's a bad idea to do that in a production environment.
From here:
Never place your SSH private keys on the bastion instance. Instead,
use SSH agent forwarding to connect first to the bastion and from
there to other instances in private subnets. This lets you keep your
SSH private key just on your computer.
Use SSH agent forwarding. For setting up agent forwarding, I need to allow TCP Forwarding. When setting up agent forwarding, a socket file is created on the forwarding host, which is the mechanism by which the key can be forwarded to the destination. In the Bastion settings at AWS:
TCP forward: Setting this value to true will enable TCP forwarding
(SSH tunneling). This can be very useful but it is also a security
risk, so we recommend that you keep the default (disabled) setting
unless required
Also from here:
SSH Agent Forwarding considered harmful
What is better? What about the alternative from the second link: ProxyCommand, I understand it helps with the socket file issue, but still I think I have to enable TCP forwarding, so is it secure enough?
linux ssh security private-key bastion
asked 18 hours ago
user2503775user2503775
1334
New contributor
user2503775 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
|
show 2 more comments
We have bastion server B.
We need to SSH from A through B to C, using private key.
What is the better option:
Put the private SSH key on server B. We read that it's a bad idea to do that in a production environment.
From here:
Never place your SSH private keys on the bastion instance. Instead,
use SSH agent forwarding to connect first to the bastion and from
there to other instances in private subnets. This lets you keep your
SSH private key just on your computer.
Use SSH agent forwarding. For setting up agent forwarding, I need to allow TCP Forwarding. When setting up agent forwarding, a socket file is created on the forwarding host, which is the mechanism by which the key can be forwarded to the destination. In the Bastion settings at AWS:
TCP forward: Setting this value to true will enable TCP forwarding
(SSH tunneling). This can be very useful but it is also a security
risk, so we recommend that you keep the default (disabled) setting
unless required
Also from here:
SSH Agent Forwarding considered harmful
What is better? What about the alternative from the second link: ProxyCommand, I understand it helps with the socket file issue, but still I think I have to enable TCP forwarding, so is it secure enough?
linux ssh security private-key bastion
asked 18 hours ago
user2503775user2503775
1334
New contributor
user2503775 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
2
With ProxyCommand you don't need to enable TCP forwarding. The forwarding is done by ssh on the intermediate host.
– wurtel
16 hours ago
Thanks. Were the configuration file should be? in my computer or in the Bastion?
– user2503775
16 hours ago
On your local system, where you will be entering thessh hostbcommand, so that it can lookup hostb in the local config and know that it needs to connect through hosta. It couldn't do that if you put the config on hosta...
– wurtel
16 hours ago
Where the private key of server C will be stored? also in my comp? I'm using keepass with keeAgent
– user2503775
16 hours ago
1
I’m afraid you’re confusing TCP forwarding with Agent forwarding. They are different things.
– MLu
16 hours ago
|
show 2 more comments
We have bastion server B.
We need to SSH from A through B to C, using private key.
What is the better option:
Put the private SSH key on server B. We read that it's a bad idea to do that in a production environment.
From here:
Never place your SSH private keys on the bastion instance. Instead,
use SSH agent forwarding to connect first to the bastion and from
there to other instances in private subnets. This lets you keep your
SSH private key just on your computer.
Use SSH agent forwarding. For setting up agent forwarding, I need to allow TCP Forwarding. When setting up agent forwarding, a socket file is created on the forwarding host, which is the mechanism by which the key can be forwarded to the destination. In the Bastion settings at AWS:
TCP forward: Setting this value to true will enable TCP forwarding
(SSH tunneling). This can be very useful but it is also a security
risk, so we recommend that you keep the default (disabled) setting
unless required
Also from here:
SSH Agent Forwarding considered harmful
What is better? What about the alternative from the second link: ProxyCommand, I understand it helps with the socket file issue, but still I think I have to enable TCP forwarding, so is it secure enough?
linux ssh security private-key bastion
asked 18 hours ago
user2503775user2503775
1334
New contributor
user2503775 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
We have bastion server B.
We need to SSH from A through B to C, using private key.
What is the better option:
Put the private SSH key on server B. We read that it's a bad idea to do that in a production environment.
From here:
Never place your SSH private keys on the bastion instance. Instead,
use SSH agent forwarding to connect first to the bastion and from
there to other instances in private subnets. This lets you keep your
SSH private key just on your computer.
Use SSH agent forwarding. For setting up agent forwarding, I need to allow TCP Forwarding. When setting up agent forwarding, a socket file is created on the forwarding host, which is the mechanism by which the key can be forwarded to the destination. In the Bastion settings at AWS:
TCP forward: Setting this value to true will enable TCP forwarding
(SSH tunneling). This can be very useful but it is also a security
risk, so we recommend that you keep the default (disabled) setting
unless required
Also from here:
SSH Agent Forwarding considered harmful
What is better? What about the alternative from the second link: ProxyCommand, I understand it helps with the socket file issue, but still I think I have to enable TCP forwarding, so is it secure enough?
linux ssh security private-key bastion
linux ssh security private-key bastion
asked 18 hours ago
user2503775user2503775
1334
New contributor
user2503775 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 18 hours ago
user2503775user2503775
1334
New contributor
user2503775 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 16 hours ago
user2503775
asked 18 hours ago
user2503775user2503775
1334
New contributor
user2503775 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 18 hours ago
user2503775user2503775
1334
asked 18 hours ago
user2503775user2503775
1334
1334
New contributor
user2503775 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
user2503775 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
user2503775 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
2
With ProxyCommand you don't need to enable TCP forwarding. The forwarding is done by ssh on the intermediate host.
– wurtel
16 hours ago
Thanks. Were the configuration file should be? in my computer or in the Bastion?
– user2503775
16 hours ago
On your local system, where you will be entering thessh hostbcommand, so that it can lookup hostb in the local config and know that it needs to connect through hosta. It couldn't do that if you put the config on hosta...
– wurtel
16 hours ago
Where the private key of server C will be stored? also in my comp? I'm using keepass with keeAgent
– user2503775
16 hours ago
1
I’m afraid you’re confusing TCP forwarding with Agent forwarding. They are different things.
– MLu
16 hours ago
|
show 2 more comments
2
With ProxyCommand you don't need to enable TCP forwarding. The forwarding is done by ssh on the intermediate host.
– wurtel
16 hours ago
Thanks. Were the configuration file should be? in my computer or in the Bastion?
– user2503775
16 hours ago
On your local system, where you will be entering thessh hostbcommand, so that it can lookup hostb in the local config and know that it needs to connect through hosta. It couldn't do that if you put the config on hosta...
– wurtel
16 hours ago
Where the private key of server C will be stored? also in my comp? I'm using keepass with keeAgent
– user2503775
16 hours ago
1
I’m afraid you’re confusing TCP forwarding with Agent forwarding. They are different things.
– MLu
16 hours ago
2
2
With ProxyCommand you don't need to enable TCP forwarding. The forwarding is done by ssh on the intermediate host.
– wurtel
16 hours ago
With ProxyCommand you don't need to enable TCP forwarding. The forwarding is done by ssh on the intermediate host.
– wurtel
16 hours ago
Thanks. Were the configuration file should be? in my computer or in the Bastion?
– user2503775
16 hours ago
Thanks. Were the configuration file should be? in my computer or in the Bastion?
– user2503775
16 hours ago
On your local system, where you will be entering the
ssh hostb command, so that it can lookup hostb in the local config and know that it needs to connect through hosta. It couldn't do that if you put the config on hosta...– wurtel
16 hours ago
On your local system, where you will be entering the
ssh hostb command, so that it can lookup hostb in the local config and know that it needs to connect through hosta. It couldn't do that if you put the config on hosta...– wurtel
16 hours ago
Where the private key of server C will be stored? also in my comp? I'm using keepass with keeAgent
– user2503775
16 hours ago
Where the private key of server C will be stored? also in my comp? I'm using keepass with keeAgent
– user2503775
16 hours ago
1
1
I’m afraid you’re confusing TCP forwarding with Agent forwarding. They are different things.
– MLu
16 hours ago
I’m afraid you’re confusing TCP forwarding with Agent forwarding. They are different things.
– MLu
16 hours ago
|
show 2 more comments
2 Answers
2
active
oldest
votes
Use ProxyCommand or ProxyJump
I would recommend to use ProxyCommand (or even better ProxyJump as the syntax is easier but requires openssh 7.3+ I think on the client side), and you do not need to deploy private key on the Bastion, everything stays local.
Example with ProxyJump
On your client computer you write a file under ~/.ssh/config with a similar content to bellow:
Host bastion
HostName bastion.example.com
User bastion-user
Port 22
IdentityFile ~/.ssh/id_bastion
Host srvC
HostName srvC.local
User server-user
IdentityFile ~/.ssh/id_protected_lan
ProxyJump bastion
Then doing ssh srvC will connect you to C via B (bastion) without Agent Forwarding nor deploying the private key to the bastion.
In the above example, "bastion" is an alias to your Bastion host and srvC is an alias to your server C. In the HostName you need to put either IPs or real fully qualified domain name for your hosts. For the users, you need to update the User for the correct login name on the Bastion and server C. Finally the IdentityFile is optional if you use a local agent (e.g. KeeAgent or ssh-agent), but if it is not running then it will also work and ask you for each key passphrases.
Deploying the public keys
Of course you need to deploy the public keys to both bastion and srvC. You can use (the $ sign is just to illustrate the prompt, do not type it):
$ ssh-copy-id -i ~/.ssh/id_bastion.pub
-o PreferredAuthentications=password
-o PubkeyAuthentication=no
bastion
$ ssh-copy-id -i ~/.ssh/id_protected_lan.pub
-o PreferredAuthentications=password
-o PubkeyAuthentication=no
srvC
Note: the above will work only if password authentication is still allowed. After the above deployment and verifying that everything work as intended, you should disallow password authentication on the 2 servers.
Example with ProxyCommand instead of ProxyJump
If you have an older version of OpenSSH which does not support ProxyJump (on the client side), then replace:
ProxyJump bastion
by
ProxyCommand ssh -q -W %h:%p bastion
As far as I understood, this is similar.
answered 16 hours ago
HuygensHuygens
1,18321432
Thank you! I work with linux, but we have some team members working on windows. It should work there as well, isn't it?
– user2503775
16 hours ago
Which SSH client are they going to use? OpenSSH (via WSL, or cygwin or etc.) or PuTTY (or another tool based on PuTTY) like MobaXterm?
– Huygens
16 hours ago
Some of them use PuTTy and others use ssh via Git Shell.
– user2503775
16 hours ago
@user2503775 I have never tried it with PuTTY, but it seems to be possible using the ProxyCommand approach, see here: stackoverflow.com/a/28937185
– Huygens
16 hours ago
1
Thank you very much for the detailed answer!
– user2503775
16 hours ago
|
show 1 more comment
Simply use SSH agent forwarding like most others do.
- The keys will be in ssh agent on your laptop.
- You login to bastion, authenticated through the agent.
- From there login to you target host, with authentication request forwarded back to your laptop.
Advantage: there are no keys stored on the bastion that can be misused.
Hope that helps :)
answered 16 hours ago
MLuMLu
9,08212344
Hi, that is basically what the OP describes in his/her second bullet. I advise you check the second link provided in the question.
– Huygens
16 hours ago
@Huygens true I noticed now. I overloked that as he mixes together TCP forwarding with Agent forwarding.
– MLu
16 hours ago
Indeed this is mixed up :-)
– Huygens
16 hours ago
It's not mixed. I understand the difference. I edited the question to make it clear.
– user2503775
16 hours ago
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "2"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
user2503775 is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f958222%2fbastion-server-use-tcp-forwarding-vs-placing-private-key-on-server%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
Use ProxyCommand or ProxyJump
I would recommend to use ProxyCommand (or even better ProxyJump as the syntax is easier but requires openssh 7.3+ I think on the client side), and you do not need to deploy private key on the Bastion, everything stays local.
Example with ProxyJump
On your client computer you write a file under ~/.ssh/config with a similar content to bellow:
Host bastion
HostName bastion.example.com
User bastion-user
Port 22
IdentityFile ~/.ssh/id_bastion
Host srvC
HostName srvC.local
User server-user
IdentityFile ~/.ssh/id_protected_lan
ProxyJump bastion
Then doing ssh srvC will connect you to C via B (bastion) without Agent Forwarding nor deploying the private key to the bastion.
In the above example, "bastion" is an alias to your Bastion host and srvC is an alias to your server C. In the HostName you need to put either IPs or real fully qualified domain name for your hosts. For the users, you need to update the User for the correct login name on the Bastion and server C. Finally the IdentityFile is optional if you use a local agent (e.g. KeeAgent or ssh-agent), but if it is not running then it will also work and ask you for each key passphrases.
Deploying the public keys
Of course you need to deploy the public keys to both bastion and srvC. You can use (the $ sign is just to illustrate the prompt, do not type it):
$ ssh-copy-id -i ~/.ssh/id_bastion.pub
-o PreferredAuthentications=password
-o PubkeyAuthentication=no
bastion
$ ssh-copy-id -i ~/.ssh/id_protected_lan.pub
-o PreferredAuthentications=password
-o PubkeyAuthentication=no
srvC
Note: the above will work only if password authentication is still allowed. After the above deployment and verifying that everything work as intended, you should disallow password authentication on the 2 servers.
Example with ProxyCommand instead of ProxyJump
If you have an older version of OpenSSH which does not support ProxyJump (on the client side), then replace:
ProxyJump bastion
by
ProxyCommand ssh -q -W %h:%p bastion
As far as I understood, this is similar.
answered 16 hours ago
HuygensHuygens
1,18321432
Thank you! I work with linux, but we have some team members working on windows. It should work there as well, isn't it?
– user2503775
16 hours ago
Which SSH client are they going to use? OpenSSH (via WSL, or cygwin or etc.) or PuTTY (or another tool based on PuTTY) like MobaXterm?
– Huygens
16 hours ago
Some of them use PuTTy and others use ssh via Git Shell.
– user2503775
16 hours ago
@user2503775 I have never tried it with PuTTY, but it seems to be possible using the ProxyCommand approach, see here: stackoverflow.com/a/28937185
– Huygens
16 hours ago
1
Thank you very much for the detailed answer!
– user2503775
16 hours ago
|
show 1 more comment
Use ProxyCommand or ProxyJump
I would recommend to use ProxyCommand (or even better ProxyJump as the syntax is easier but requires openssh 7.3+ I think on the client side), and you do not need to deploy private key on the Bastion, everything stays local.
Example with ProxyJump
On your client computer you write a file under ~/.ssh/config with a similar content to bellow:
Host bastion
HostName bastion.example.com
User bastion-user
Port 22
IdentityFile ~/.ssh/id_bastion
Host srvC
HostName srvC.local
User server-user
IdentityFile ~/.ssh/id_protected_lan
ProxyJump bastion
Then doing ssh srvC will connect you to C via B (bastion) without Agent Forwarding nor deploying the private key to the bastion.
In the above example, "bastion" is an alias to your Bastion host and srvC is an alias to your server C. In the HostName you need to put either IPs or real fully qualified domain name for your hosts. For the users, you need to update the User for the correct login name on the Bastion and server C. Finally the IdentityFile is optional if you use a local agent (e.g. KeeAgent or ssh-agent), but if it is not running then it will also work and ask you for each key passphrases.
Deploying the public keys
Of course you need to deploy the public keys to both bastion and srvC. You can use (the $ sign is just to illustrate the prompt, do not type it):
$ ssh-copy-id -i ~/.ssh/id_bastion.pub
-o PreferredAuthentications=password
-o PubkeyAuthentication=no
bastion
$ ssh-copy-id -i ~/.ssh/id_protected_lan.pub
-o PreferredAuthentications=password
-o PubkeyAuthentication=no
srvC
Note: the above will work only if password authentication is still allowed. After the above deployment and verifying that everything work as intended, you should disallow password authentication on the 2 servers.
Example with ProxyCommand instead of ProxyJump
If you have an older version of OpenSSH which does not support ProxyJump (on the client side), then replace:
ProxyJump bastion
by
ProxyCommand ssh -q -W %h:%p bastion
As far as I understood, this is similar.
answered 16 hours ago
HuygensHuygens
1,18321432
Thank you! I work with linux, but we have some team members working on windows. It should work there as well, isn't it?
– user2503775
16 hours ago
Which SSH client are they going to use? OpenSSH (via WSL, or cygwin or etc.) or PuTTY (or another tool based on PuTTY) like MobaXterm?
– Huygens
16 hours ago
Some of them use PuTTy and others use ssh via Git Shell.
– user2503775
16 hours ago
@user2503775 I have never tried it with PuTTY, but it seems to be possible using the ProxyCommand approach, see here: stackoverflow.com/a/28937185
– Huygens
16 hours ago
1
Thank you very much for the detailed answer!
– user2503775
16 hours ago
|
show 1 more comment
Use ProxyCommand or ProxyJump
I would recommend to use ProxyCommand (or even better ProxyJump as the syntax is easier but requires openssh 7.3+ I think on the client side), and you do not need to deploy private key on the Bastion, everything stays local.
Example with ProxyJump
On your client computer you write a file under ~/.ssh/config with a similar content to bellow:
Host bastion
HostName bastion.example.com
User bastion-user
Port 22
IdentityFile ~/.ssh/id_bastion
Host srvC
HostName srvC.local
User server-user
IdentityFile ~/.ssh/id_protected_lan
ProxyJump bastion
Then doing ssh srvC will connect you to C via B (bastion) without Agent Forwarding nor deploying the private key to the bastion.
In the above example, "bastion" is an alias to your Bastion host and srvC is an alias to your server C. In the HostName you need to put either IPs or real fully qualified domain name for your hosts. For the users, you need to update the User for the correct login name on the Bastion and server C. Finally the IdentityFile is optional if you use a local agent (e.g. KeeAgent or ssh-agent), but if it is not running then it will also work and ask you for each key passphrases.
Deploying the public keys
Of course you need to deploy the public keys to both bastion and srvC. You can use (the $ sign is just to illustrate the prompt, do not type it):
$ ssh-copy-id -i ~/.ssh/id_bastion.pub
-o PreferredAuthentications=password
-o PubkeyAuthentication=no
bastion
$ ssh-copy-id -i ~/.ssh/id_protected_lan.pub
-o PreferredAuthentications=password
-o PubkeyAuthentication=no
srvC
Note: the above will work only if password authentication is still allowed. After the above deployment and verifying that everything work as intended, you should disallow password authentication on the 2 servers.
Example with ProxyCommand instead of ProxyJump
If you have an older version of OpenSSH which does not support ProxyJump (on the client side), then replace:
ProxyJump bastion
by
ProxyCommand ssh -q -W %h:%p bastion
As far as I understood, this is similar.
answered 16 hours ago
HuygensHuygens
1,18321432
Use ProxyCommand or ProxyJump
I would recommend to use ProxyCommand (or even better ProxyJump as the syntax is easier but requires openssh 7.3+ I think on the client side), and you do not need to deploy private key on the Bastion, everything stays local.
Example with ProxyJump
On your client computer you write a file under ~/.ssh/config with a similar content to bellow:
Host bastion
HostName bastion.example.com
User bastion-user
Port 22
IdentityFile ~/.ssh/id_bastion
Host srvC
HostName srvC.local
User server-user
IdentityFile ~/.ssh/id_protected_lan
ProxyJump bastion
Then doing ssh srvC will connect you to C via B (bastion) without Agent Forwarding nor deploying the private key to the bastion.
In the above example, "bastion" is an alias to your Bastion host and srvC is an alias to your server C. In the HostName you need to put either IPs or real fully qualified domain name for your hosts. For the users, you need to update the User for the correct login name on the Bastion and server C. Finally the IdentityFile is optional if you use a local agent (e.g. KeeAgent or ssh-agent), but if it is not running then it will also work and ask you for each key passphrases.
Deploying the public keys
Of course you need to deploy the public keys to both bastion and srvC. You can use (the $ sign is just to illustrate the prompt, do not type it):
$ ssh-copy-id -i ~/.ssh/id_bastion.pub
-o PreferredAuthentications=password
-o PubkeyAuthentication=no
bastion
$ ssh-copy-id -i ~/.ssh/id_protected_lan.pub
-o PreferredAuthentications=password
-o PubkeyAuthentication=no
srvC
Note: the above will work only if password authentication is still allowed. After the above deployment and verifying that everything work as intended, you should disallow password authentication on the 2 servers.
Example with ProxyCommand instead of ProxyJump
If you have an older version of OpenSSH which does not support ProxyJump (on the client side), then replace:
ProxyJump bastion
by
ProxyCommand ssh -q -W %h:%p bastion
As far as I understood, this is similar.
answered 16 hours ago
HuygensHuygens
1,18321432
edited 16 hours ago
answered 16 hours ago
HuygensHuygens
1,18321432
answered 16 hours ago
HuygensHuygens
1,18321432
answered 16 hours ago
HuygensHuygens
1,18321432
1,18321432
Thank you! I work with linux, but we have some team members working on windows. It should work there as well, isn't it?
– user2503775
16 hours ago
Which SSH client are they going to use? OpenSSH (via WSL, or cygwin or etc.) or PuTTY (or another tool based on PuTTY) like MobaXterm?
– Huygens
16 hours ago
Some of them use PuTTy and others use ssh via Git Shell.
– user2503775
16 hours ago
@user2503775 I have never tried it with PuTTY, but it seems to be possible using the ProxyCommand approach, see here: stackoverflow.com/a/28937185
– Huygens
16 hours ago
1
Thank you very much for the detailed answer!
– user2503775
16 hours ago
|
show 1 more comment
Thank you! I work with linux, but we have some team members working on windows. It should work there as well, isn't it?
– user2503775
16 hours ago
Which SSH client are they going to use? OpenSSH (via WSL, or cygwin or etc.) or PuTTY (or another tool based on PuTTY) like MobaXterm?
– Huygens
16 hours ago
Some of them use PuTTy and others use ssh via Git Shell.
– user2503775
16 hours ago
@user2503775 I have never tried it with PuTTY, but it seems to be possible using the ProxyCommand approach, see here: stackoverflow.com/a/28937185
– Huygens
16 hours ago
1
Thank you very much for the detailed answer!
– user2503775
16 hours ago
Thank you! I work with linux, but we have some team members working on windows. It should work there as well, isn't it?
– user2503775
16 hours ago
Thank you! I work with linux, but we have some team members working on windows. It should work there as well, isn't it?
– user2503775
16 hours ago
Which SSH client are they going to use? OpenSSH (via WSL, or cygwin or etc.) or PuTTY (or another tool based on PuTTY) like MobaXterm?
– Huygens
16 hours ago
Which SSH client are they going to use? OpenSSH (via WSL, or cygwin or etc.) or PuTTY (or another tool based on PuTTY) like MobaXterm?
– Huygens
16 hours ago
Some of them use PuTTy and others use ssh via Git Shell.
– user2503775
16 hours ago
Some of them use PuTTy and others use ssh via Git Shell.
– user2503775
16 hours ago
@user2503775 I have never tried it with PuTTY, but it seems to be possible using the ProxyCommand approach, see here: stackoverflow.com/a/28937185
– Huygens
16 hours ago
@user2503775 I have never tried it with PuTTY, but it seems to be possible using the ProxyCommand approach, see here: stackoverflow.com/a/28937185
– Huygens
16 hours ago
1
1
Thank you very much for the detailed answer!
– user2503775
16 hours ago
Thank you very much for the detailed answer!
– user2503775
16 hours ago
|
show 1 more comment
Simply use SSH agent forwarding like most others do.
- The keys will be in ssh agent on your laptop.
- You login to bastion, authenticated through the agent.
- From there login to you target host, with authentication request forwarded back to your laptop.
Advantage: there are no keys stored on the bastion that can be misused.
Hope that helps :)
answered 16 hours ago
MLuMLu
9,08212344
Hi, that is basically what the OP describes in his/her second bullet. I advise you check the second link provided in the question.
– Huygens
16 hours ago
@Huygens true I noticed now. I overloked that as he mixes together TCP forwarding with Agent forwarding.
– MLu
16 hours ago
Indeed this is mixed up :-)
– Huygens
16 hours ago
It's not mixed. I understand the difference. I edited the question to make it clear.
– user2503775
16 hours ago
add a comment |
Simply use SSH agent forwarding like most others do.
- The keys will be in ssh agent on your laptop.
- You login to bastion, authenticated through the agent.
- From there login to you target host, with authentication request forwarded back to your laptop.
Advantage: there are no keys stored on the bastion that can be misused.
Hope that helps :)
answered 16 hours ago
MLuMLu
9,08212344
Hi, that is basically what the OP describes in his/her second bullet. I advise you check the second link provided in the question.
– Huygens
16 hours ago
@Huygens true I noticed now. I overloked that as he mixes together TCP forwarding with Agent forwarding.
– MLu
16 hours ago
Indeed this is mixed up :-)
– Huygens
16 hours ago
It's not mixed. I understand the difference. I edited the question to make it clear.
– user2503775
16 hours ago
add a comment |
Simply use SSH agent forwarding like most others do.
- The keys will be in ssh agent on your laptop.
- You login to bastion, authenticated through the agent.
- From there login to you target host, with authentication request forwarded back to your laptop.
Advantage: there are no keys stored on the bastion that can be misused.
Hope that helps :)
answered 16 hours ago
MLuMLu
9,08212344
Simply use SSH agent forwarding like most others do.
- The keys will be in ssh agent on your laptop.
- You login to bastion, authenticated through the agent.
- From there login to you target host, with authentication request forwarded back to your laptop.
Advantage: there are no keys stored on the bastion that can be misused.
Hope that helps :)
answered 16 hours ago
MLuMLu
9,08212344
edited 16 hours ago
answered 16 hours ago
MLuMLu
9,08212344
answered 16 hours ago
MLuMLu
9,08212344
answered 16 hours ago
MLuMLu
9,08212344
9,08212344
Hi, that is basically what the OP describes in his/her second bullet. I advise you check the second link provided in the question.
– Huygens
16 hours ago
@Huygens true I noticed now. I overloked that as he mixes together TCP forwarding with Agent forwarding.
– MLu
16 hours ago
Indeed this is mixed up :-)
– Huygens
16 hours ago
It's not mixed. I understand the difference. I edited the question to make it clear.
– user2503775
16 hours ago
add a comment |
Hi, that is basically what the OP describes in his/her second bullet. I advise you check the second link provided in the question.
– Huygens
16 hours ago
@Huygens true I noticed now. I overloked that as he mixes together TCP forwarding with Agent forwarding.
– MLu
16 hours ago
Indeed this is mixed up :-)
– Huygens
16 hours ago
It's not mixed. I understand the difference. I edited the question to make it clear.
– user2503775
16 hours ago
Hi, that is basically what the OP describes in his/her second bullet. I advise you check the second link provided in the question.
– Huygens
16 hours ago
Hi, that is basically what the OP describes in his/her second bullet. I advise you check the second link provided in the question.
– Huygens
16 hours ago
@Huygens true I noticed now. I overloked that as he mixes together TCP forwarding with Agent forwarding.
– MLu
16 hours ago
@Huygens true I noticed now. I overloked that as he mixes together TCP forwarding with Agent forwarding.
– MLu
16 hours ago
Indeed this is mixed up :-)
– Huygens
16 hours ago
Indeed this is mixed up :-)
– Huygens
16 hours ago
It's not mixed. I understand the difference. I edited the question to make it clear.
– user2503775
16 hours ago
It's not mixed. I understand the difference. I edited the question to make it clear.
– user2503775
16 hours ago
add a comment |
user2503775 is a new contributor. Be nice, and check out our Code of Conduct.
user2503775 is a new contributor. Be nice, and check out our Code of Conduct.
user2503775 is a new contributor. Be nice, and check out our Code of Conduct.
user2503775 is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f958222%2fbastion-server-use-tcp-forwarding-vs-placing-private-key-on-server%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
2
With ProxyCommand you don't need to enable TCP forwarding. The forwarding is done by ssh on the intermediate host.
– wurtel
16 hours ago
Thanks. Were the configuration file should be? in my computer or in the Bastion?
– user2503775
16 hours ago
On your local system, where you will be entering the
ssh hostbcommand, so that it can lookup hostb in the local config and know that it needs to connect through hosta. It couldn't do that if you put the config on hosta...– wurtel
16 hours ago
Where the private key of server C will be stored? also in my comp? I'm using keepass with keeAgent
– user2503775
16 hours ago
1
I’m afraid you’re confusing TCP forwarding with Agent forwarding. They are different things.
– MLu
16 hours ago