Bastion server: use TCP forwarding VS placing private key on server












6















We have bastion server B.
We need to SSH from A through B to C, using private key.



What is the better option:





  • Put the private SSH key on server B. We read that it's a bad idea to do that in a production environment.



    From here:




    Never place your SSH private keys on the bastion instance. Instead,
    use SSH agent forwarding to connect first to the bastion and from
    there to other instances in private subnets. This lets you keep your
    SSH private key just on your computer.





  • Use SSH agent forwarding. For setting up agent forwarding, I need to allow TCP Forwarding. When setting up agent forwarding, a socket file is created on the forwarding host, which is the mechanism by which the key can be forwarded to the destination. In the Bastion settings at AWS:




    TCP forward: Setting this value to true will enable TCP forwarding
    (SSH tunneling). This can be very useful but it is also a security
    risk, so we recommend that you keep the default (disabled) setting
    unless required




    Also from here:




    SSH Agent Forwarding considered harmful





What is better? What about the alternative from the second link: ProxyCommand, I understand it helps with the socket file issue, but still I think I have to enable TCP forwarding, so is it secure enough?










share|improve this question









New contributor




user2503775 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 2





    With ProxyCommand you don't need to enable TCP forwarding. The forwarding is done by ssh on the intermediate host.

    – wurtel
    16 hours ago











  • Thanks. Were the configuration file should be? in my computer or in the Bastion?

    – user2503775
    16 hours ago













  • On your local system, where you will be entering the ssh hostb command, so that it can lookup hostb in the local config and know that it needs to connect through hosta. It couldn't do that if you put the config on hosta...

    – wurtel
    16 hours ago













  • Where the private key of server C will be stored? also in my comp? I'm using keepass with keeAgent

    – user2503775
    16 hours ago








  • 1





    I’m afraid you’re confusing TCP forwarding with Agent forwarding. They are different things.

    – MLu
    16 hours ago
















6















We have bastion server B.
We need to SSH from A through B to C, using private key.



What is the better option:





  • Put the private SSH key on server B. We read that it's a bad idea to do that in a production environment.



    From here:




    Never place your SSH private keys on the bastion instance. Instead,
    use SSH agent forwarding to connect first to the bastion and from
    there to other instances in private subnets. This lets you keep your
    SSH private key just on your computer.





  • Use SSH agent forwarding. For setting up agent forwarding, I need to allow TCP Forwarding. When setting up agent forwarding, a socket file is created on the forwarding host, which is the mechanism by which the key can be forwarded to the destination. In the Bastion settings at AWS:




    TCP forward: Setting this value to true will enable TCP forwarding
    (SSH tunneling). This can be very useful but it is also a security
    risk, so we recommend that you keep the default (disabled) setting
    unless required




    Also from here:




    SSH Agent Forwarding considered harmful





What is better? What about the alternative from the second link: ProxyCommand, I understand it helps with the socket file issue, but still I think I have to enable TCP forwarding, so is it secure enough?










share|improve this question









New contributor




user2503775 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 2





    With ProxyCommand you don't need to enable TCP forwarding. The forwarding is done by ssh on the intermediate host.

    – wurtel
    16 hours ago











  • Thanks. Were the configuration file should be? in my computer or in the Bastion?

    – user2503775
    16 hours ago













  • On your local system, where you will be entering the ssh hostb command, so that it can lookup hostb in the local config and know that it needs to connect through hosta. It couldn't do that if you put the config on hosta...

    – wurtel
    16 hours ago













  • Where the private key of server C will be stored? also in my comp? I'm using keepass with keeAgent

    – user2503775
    16 hours ago








  • 1





    I’m afraid you’re confusing TCP forwarding with Agent forwarding. They are different things.

    – MLu
    16 hours ago














6












6








6


2






We have bastion server B.
We need to SSH from A through B to C, using private key.



What is the better option:





  • Put the private SSH key on server B. We read that it's a bad idea to do that in a production environment.



    From here:




    Never place your SSH private keys on the bastion instance. Instead,
    use SSH agent forwarding to connect first to the bastion and from
    there to other instances in private subnets. This lets you keep your
    SSH private key just on your computer.





  • Use SSH agent forwarding. For setting up agent forwarding, I need to allow TCP Forwarding. When setting up agent forwarding, a socket file is created on the forwarding host, which is the mechanism by which the key can be forwarded to the destination. In the Bastion settings at AWS:




    TCP forward: Setting this value to true will enable TCP forwarding
    (SSH tunneling). This can be very useful but it is also a security
    risk, so we recommend that you keep the default (disabled) setting
    unless required




    Also from here:




    SSH Agent Forwarding considered harmful





What is better? What about the alternative from the second link: ProxyCommand, I understand it helps with the socket file issue, but still I think I have to enable TCP forwarding, so is it secure enough?










share|improve this question









New contributor




user2503775 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












We have bastion server B.
We need to SSH from A through B to C, using private key.



What is the better option:





  • Put the private SSH key on server B. We read that it's a bad idea to do that in a production environment.



    From here:




    Never place your SSH private keys on the bastion instance. Instead,
    use SSH agent forwarding to connect first to the bastion and from
    there to other instances in private subnets. This lets you keep your
    SSH private key just on your computer.





  • Use SSH agent forwarding. For setting up agent forwarding, I need to allow TCP Forwarding. When setting up agent forwarding, a socket file is created on the forwarding host, which is the mechanism by which the key can be forwarded to the destination. In the Bastion settings at AWS:




    TCP forward: Setting this value to true will enable TCP forwarding
    (SSH tunneling). This can be very useful but it is also a security
    risk, so we recommend that you keep the default (disabled) setting
    unless required




    Also from here:




    SSH Agent Forwarding considered harmful





What is better? What about the alternative from the second link: ProxyCommand, I understand it helps with the socket file issue, but still I think I have to enable TCP forwarding, so is it secure enough?







linux ssh security private-key bastion






share|improve this question









New contributor




user2503775 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




user2503775 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited 16 hours ago







user2503775













New contributor




user2503775 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked 18 hours ago









user2503775user2503775

1334




1334




New contributor




user2503775 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





user2503775 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






user2503775 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








  • 2





    With ProxyCommand you don't need to enable TCP forwarding. The forwarding is done by ssh on the intermediate host.

    – wurtel
    16 hours ago











  • Thanks. Were the configuration file should be? in my computer or in the Bastion?

    – user2503775
    16 hours ago













  • On your local system, where you will be entering the ssh hostb command, so that it can lookup hostb in the local config and know that it needs to connect through hosta. It couldn't do that if you put the config on hosta...

    – wurtel
    16 hours ago













  • Where the private key of server C will be stored? also in my comp? I'm using keepass with keeAgent

    – user2503775
    16 hours ago








  • 1





    I’m afraid you’re confusing TCP forwarding with Agent forwarding. They are different things.

    – MLu
    16 hours ago














  • 2





    With ProxyCommand you don't need to enable TCP forwarding. The forwarding is done by ssh on the intermediate host.

    – wurtel
    16 hours ago











  • Thanks. Were the configuration file should be? in my computer or in the Bastion?

    – user2503775
    16 hours ago













  • On your local system, where you will be entering the ssh hostb command, so that it can lookup hostb in the local config and know that it needs to connect through hosta. It couldn't do that if you put the config on hosta...

    – wurtel
    16 hours ago













  • Where the private key of server C will be stored? also in my comp? I'm using keepass with keeAgent

    – user2503775
    16 hours ago








  • 1





    I’m afraid you’re confusing TCP forwarding with Agent forwarding. They are different things.

    – MLu
    16 hours ago








2




2





With ProxyCommand you don't need to enable TCP forwarding. The forwarding is done by ssh on the intermediate host.

– wurtel
16 hours ago





With ProxyCommand you don't need to enable TCP forwarding. The forwarding is done by ssh on the intermediate host.

– wurtel
16 hours ago













Thanks. Were the configuration file should be? in my computer or in the Bastion?

– user2503775
16 hours ago







Thanks. Were the configuration file should be? in my computer or in the Bastion?

– user2503775
16 hours ago















On your local system, where you will be entering the ssh hostb command, so that it can lookup hostb in the local config and know that it needs to connect through hosta. It couldn't do that if you put the config on hosta...

– wurtel
16 hours ago







On your local system, where you will be entering the ssh hostb command, so that it can lookup hostb in the local config and know that it needs to connect through hosta. It couldn't do that if you put the config on hosta...

– wurtel
16 hours ago















Where the private key of server C will be stored? also in my comp? I'm using keepass with keeAgent

– user2503775
16 hours ago







Where the private key of server C will be stored? also in my comp? I'm using keepass with keeAgent

– user2503775
16 hours ago






1




1





I’m afraid you’re confusing TCP forwarding with Agent forwarding. They are different things.

– MLu
16 hours ago





I’m afraid you’re confusing TCP forwarding with Agent forwarding. They are different things.

– MLu
16 hours ago










2 Answers
2






active

oldest

votes


















9














Use ProxyCommand or ProxyJump



I would recommend to use ProxyCommand (or even better ProxyJump as the syntax is easier but requires openssh 7.3+ I think on the client side), and you do not need to deploy private key on the Bastion, everything stays local.



Example with ProxyJump



On your client computer you write a file under ~/.ssh/config with a similar content to bellow:



Host bastion
HostName bastion.example.com
User bastion-user
Port 22
IdentityFile ~/.ssh/id_bastion

Host srvC
HostName srvC.local
User server-user
IdentityFile ~/.ssh/id_protected_lan
ProxyJump bastion


Then doing ssh srvC will connect you to C via B (bastion) without Agent Forwarding nor deploying the private key to the bastion.



In the above example, "bastion" is an alias to your Bastion host and srvC is an alias to your server C. In the HostName you need to put either IPs or real fully qualified domain name for your hosts. For the users, you need to update the User for the correct login name on the Bastion and server C. Finally the IdentityFile is optional if you use a local agent (e.g. KeeAgent or ssh-agent), but if it is not running then it will also work and ask you for each key passphrases.



Deploying the public keys



Of course you need to deploy the public keys to both bastion and srvC. You can use (the $ sign is just to illustrate the prompt, do not type it):



$ ssh-copy-id -i ~/.ssh/id_bastion.pub 
-o PreferredAuthentications=password
-o PubkeyAuthentication=no
bastion
$ ssh-copy-id -i ~/.ssh/id_protected_lan.pub
-o PreferredAuthentications=password
-o PubkeyAuthentication=no
srvC


Note: the above will work only if password authentication is still allowed. After the above deployment and verifying that everything work as intended, you should disallow password authentication on the 2 servers.



Example with ProxyCommand instead of ProxyJump



If you have an older version of OpenSSH which does not support ProxyJump (on the client side), then replace:



ProxyJump bastion


by



ProxyCommand ssh -q -W %h:%p bastion


As far as I understood, this is similar.






share|improve this answer


























  • Thank you! I work with linux, but we have some team members working on windows. It should work there as well, isn't it?

    – user2503775
    16 hours ago











  • Which SSH client are they going to use? OpenSSH (via WSL, or cygwin or etc.) or PuTTY (or another tool based on PuTTY) like MobaXterm?

    – Huygens
    16 hours ago











  • Some of them use PuTTy and others use ssh via Git Shell.

    – user2503775
    16 hours ago











  • @user2503775 I have never tried it with PuTTY, but it seems to be possible using the ProxyCommand approach, see here: stackoverflow.com/a/28937185

    – Huygens
    16 hours ago






  • 1





    Thank you very much for the detailed answer!

    – user2503775
    16 hours ago



















3














Simply use SSH agent forwarding like most others do.




  • The keys will be in ssh agent on your laptop.

  • You login to bastion, authenticated through the agent.

  • From there login to you target host, with authentication request forwarded back to your laptop.


Advantage: there are no keys stored on the bastion that can be misused.



Hope that helps :)






share|improve this answer


























  • Hi, that is basically what the OP describes in his/her second bullet. I advise you check the second link provided in the question.

    – Huygens
    16 hours ago











  • @Huygens true I noticed now. I overloked that as he mixes together TCP forwarding with Agent forwarding.

    – MLu
    16 hours ago











  • Indeed this is mixed up :-)

    – Huygens
    16 hours ago











  • It's not mixed. I understand the difference. I edited the question to make it clear.

    – user2503775
    16 hours ago













Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "2"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});






user2503775 is a new contributor. Be nice, and check out our Code of Conduct.










draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f958222%2fbastion-server-use-tcp-forwarding-vs-placing-private-key-on-server%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























2 Answers
2






active

oldest

votes








2 Answers
2






active

oldest

votes









active

oldest

votes






active

oldest

votes









9














Use ProxyCommand or ProxyJump



I would recommend to use ProxyCommand (or even better ProxyJump as the syntax is easier but requires openssh 7.3+ I think on the client side), and you do not need to deploy private key on the Bastion, everything stays local.



Example with ProxyJump



On your client computer you write a file under ~/.ssh/config with a similar content to bellow:



Host bastion
HostName bastion.example.com
User bastion-user
Port 22
IdentityFile ~/.ssh/id_bastion

Host srvC
HostName srvC.local
User server-user
IdentityFile ~/.ssh/id_protected_lan
ProxyJump bastion


Then doing ssh srvC will connect you to C via B (bastion) without Agent Forwarding nor deploying the private key to the bastion.



In the above example, "bastion" is an alias to your Bastion host and srvC is an alias to your server C. In the HostName you need to put either IPs or real fully qualified domain name for your hosts. For the users, you need to update the User for the correct login name on the Bastion and server C. Finally the IdentityFile is optional if you use a local agent (e.g. KeeAgent or ssh-agent), but if it is not running then it will also work and ask you for each key passphrases.



Deploying the public keys



Of course you need to deploy the public keys to both bastion and srvC. You can use (the $ sign is just to illustrate the prompt, do not type it):



$ ssh-copy-id -i ~/.ssh/id_bastion.pub 
-o PreferredAuthentications=password
-o PubkeyAuthentication=no
bastion
$ ssh-copy-id -i ~/.ssh/id_protected_lan.pub
-o PreferredAuthentications=password
-o PubkeyAuthentication=no
srvC


Note: the above will work only if password authentication is still allowed. After the above deployment and verifying that everything work as intended, you should disallow password authentication on the 2 servers.



Example with ProxyCommand instead of ProxyJump



If you have an older version of OpenSSH which does not support ProxyJump (on the client side), then replace:



ProxyJump bastion


by



ProxyCommand ssh -q -W %h:%p bastion


As far as I understood, this is similar.






share|improve this answer


























  • Thank you! I work with linux, but we have some team members working on windows. It should work there as well, isn't it?

    – user2503775
    16 hours ago











  • Which SSH client are they going to use? OpenSSH (via WSL, or cygwin or etc.) or PuTTY (or another tool based on PuTTY) like MobaXterm?

    – Huygens
    16 hours ago











  • Some of them use PuTTy and others use ssh via Git Shell.

    – user2503775
    16 hours ago











  • @user2503775 I have never tried it with PuTTY, but it seems to be possible using the ProxyCommand approach, see here: stackoverflow.com/a/28937185

    – Huygens
    16 hours ago






  • 1





    Thank you very much for the detailed answer!

    – user2503775
    16 hours ago
















9














Use ProxyCommand or ProxyJump



I would recommend to use ProxyCommand (or even better ProxyJump as the syntax is easier but requires openssh 7.3+ I think on the client side), and you do not need to deploy private key on the Bastion, everything stays local.



Example with ProxyJump



On your client computer you write a file under ~/.ssh/config with a similar content to bellow:



Host bastion
HostName bastion.example.com
User bastion-user
Port 22
IdentityFile ~/.ssh/id_bastion

Host srvC
HostName srvC.local
User server-user
IdentityFile ~/.ssh/id_protected_lan
ProxyJump bastion


Then doing ssh srvC will connect you to C via B (bastion) without Agent Forwarding nor deploying the private key to the bastion.



In the above example, "bastion" is an alias to your Bastion host and srvC is an alias to your server C. In the HostName you need to put either IPs or real fully qualified domain name for your hosts. For the users, you need to update the User for the correct login name on the Bastion and server C. Finally the IdentityFile is optional if you use a local agent (e.g. KeeAgent or ssh-agent), but if it is not running then it will also work and ask you for each key passphrases.



Deploying the public keys



Of course you need to deploy the public keys to both bastion and srvC. You can use (the $ sign is just to illustrate the prompt, do not type it):



$ ssh-copy-id -i ~/.ssh/id_bastion.pub 
-o PreferredAuthentications=password
-o PubkeyAuthentication=no
bastion
$ ssh-copy-id -i ~/.ssh/id_protected_lan.pub
-o PreferredAuthentications=password
-o PubkeyAuthentication=no
srvC


Note: the above will work only if password authentication is still allowed. After the above deployment and verifying that everything work as intended, you should disallow password authentication on the 2 servers.



Example with ProxyCommand instead of ProxyJump



If you have an older version of OpenSSH which does not support ProxyJump (on the client side), then replace:



ProxyJump bastion


by



ProxyCommand ssh -q -W %h:%p bastion


As far as I understood, this is similar.






share|improve this answer


























  • Thank you! I work with linux, but we have some team members working on windows. It should work there as well, isn't it?

    – user2503775
    16 hours ago











  • Which SSH client are they going to use? OpenSSH (via WSL, or cygwin or etc.) or PuTTY (or another tool based on PuTTY) like MobaXterm?

    – Huygens
    16 hours ago











  • Some of them use PuTTy and others use ssh via Git Shell.

    – user2503775
    16 hours ago











  • @user2503775 I have never tried it with PuTTY, but it seems to be possible using the ProxyCommand approach, see here: stackoverflow.com/a/28937185

    – Huygens
    16 hours ago






  • 1





    Thank you very much for the detailed answer!

    – user2503775
    16 hours ago














9












9








9







Use ProxyCommand or ProxyJump



I would recommend to use ProxyCommand (or even better ProxyJump as the syntax is easier but requires openssh 7.3+ I think on the client side), and you do not need to deploy private key on the Bastion, everything stays local.



Example with ProxyJump



On your client computer you write a file under ~/.ssh/config with a similar content to bellow:



Host bastion
HostName bastion.example.com
User bastion-user
Port 22
IdentityFile ~/.ssh/id_bastion

Host srvC
HostName srvC.local
User server-user
IdentityFile ~/.ssh/id_protected_lan
ProxyJump bastion


Then doing ssh srvC will connect you to C via B (bastion) without Agent Forwarding nor deploying the private key to the bastion.



In the above example, "bastion" is an alias to your Bastion host and srvC is an alias to your server C. In the HostName you need to put either IPs or real fully qualified domain name for your hosts. For the users, you need to update the User for the correct login name on the Bastion and server C. Finally the IdentityFile is optional if you use a local agent (e.g. KeeAgent or ssh-agent), but if it is not running then it will also work and ask you for each key passphrases.



Deploying the public keys



Of course you need to deploy the public keys to both bastion and srvC. You can use (the $ sign is just to illustrate the prompt, do not type it):



$ ssh-copy-id -i ~/.ssh/id_bastion.pub 
-o PreferredAuthentications=password
-o PubkeyAuthentication=no
bastion
$ ssh-copy-id -i ~/.ssh/id_protected_lan.pub
-o PreferredAuthentications=password
-o PubkeyAuthentication=no
srvC


Note: the above will work only if password authentication is still allowed. After the above deployment and verifying that everything work as intended, you should disallow password authentication on the 2 servers.



Example with ProxyCommand instead of ProxyJump



If you have an older version of OpenSSH which does not support ProxyJump (on the client side), then replace:



ProxyJump bastion


by



ProxyCommand ssh -q -W %h:%p bastion


As far as I understood, this is similar.






share|improve this answer















Use ProxyCommand or ProxyJump



I would recommend to use ProxyCommand (or even better ProxyJump as the syntax is easier but requires openssh 7.3+ I think on the client side), and you do not need to deploy private key on the Bastion, everything stays local.



Example with ProxyJump



On your client computer you write a file under ~/.ssh/config with a similar content to bellow:



Host bastion
HostName bastion.example.com
User bastion-user
Port 22
IdentityFile ~/.ssh/id_bastion

Host srvC
HostName srvC.local
User server-user
IdentityFile ~/.ssh/id_protected_lan
ProxyJump bastion


Then doing ssh srvC will connect you to C via B (bastion) without Agent Forwarding nor deploying the private key to the bastion.



In the above example, "bastion" is an alias to your Bastion host and srvC is an alias to your server C. In the HostName you need to put either IPs or real fully qualified domain name for your hosts. For the users, you need to update the User for the correct login name on the Bastion and server C. Finally the IdentityFile is optional if you use a local agent (e.g. KeeAgent or ssh-agent), but if it is not running then it will also work and ask you for each key passphrases.



Deploying the public keys



Of course you need to deploy the public keys to both bastion and srvC. You can use (the $ sign is just to illustrate the prompt, do not type it):



$ ssh-copy-id -i ~/.ssh/id_bastion.pub 
-o PreferredAuthentications=password
-o PubkeyAuthentication=no
bastion
$ ssh-copy-id -i ~/.ssh/id_protected_lan.pub
-o PreferredAuthentications=password
-o PubkeyAuthentication=no
srvC


Note: the above will work only if password authentication is still allowed. After the above deployment and verifying that everything work as intended, you should disallow password authentication on the 2 servers.



Example with ProxyCommand instead of ProxyJump



If you have an older version of OpenSSH which does not support ProxyJump (on the client side), then replace:



ProxyJump bastion


by



ProxyCommand ssh -q -W %h:%p bastion


As far as I understood, this is similar.







share|improve this answer














share|improve this answer



share|improve this answer








edited 16 hours ago

























answered 16 hours ago









HuygensHuygens

1,18321432




1,18321432













  • Thank you! I work with linux, but we have some team members working on windows. It should work there as well, isn't it?

    – user2503775
    16 hours ago











  • Which SSH client are they going to use? OpenSSH (via WSL, or cygwin or etc.) or PuTTY (or another tool based on PuTTY) like MobaXterm?

    – Huygens
    16 hours ago











  • Some of them use PuTTy and others use ssh via Git Shell.

    – user2503775
    16 hours ago











  • @user2503775 I have never tried it with PuTTY, but it seems to be possible using the ProxyCommand approach, see here: stackoverflow.com/a/28937185

    – Huygens
    16 hours ago






  • 1





    Thank you very much for the detailed answer!

    – user2503775
    16 hours ago



















  • Thank you! I work with linux, but we have some team members working on windows. It should work there as well, isn't it?

    – user2503775
    16 hours ago











  • Which SSH client are they going to use? OpenSSH (via WSL, or cygwin or etc.) or PuTTY (or another tool based on PuTTY) like MobaXterm?

    – Huygens
    16 hours ago











  • Some of them use PuTTy and others use ssh via Git Shell.

    – user2503775
    16 hours ago











  • @user2503775 I have never tried it with PuTTY, but it seems to be possible using the ProxyCommand approach, see here: stackoverflow.com/a/28937185

    – Huygens
    16 hours ago






  • 1





    Thank you very much for the detailed answer!

    – user2503775
    16 hours ago

















Thank you! I work with linux, but we have some team members working on windows. It should work there as well, isn't it?

– user2503775
16 hours ago





Thank you! I work with linux, but we have some team members working on windows. It should work there as well, isn't it?

– user2503775
16 hours ago













Which SSH client are they going to use? OpenSSH (via WSL, or cygwin or etc.) or PuTTY (or another tool based on PuTTY) like MobaXterm?

– Huygens
16 hours ago





Which SSH client are they going to use? OpenSSH (via WSL, or cygwin or etc.) or PuTTY (or another tool based on PuTTY) like MobaXterm?

– Huygens
16 hours ago













Some of them use PuTTy and others use ssh via Git Shell.

– user2503775
16 hours ago





Some of them use PuTTy and others use ssh via Git Shell.

– user2503775
16 hours ago













@user2503775 I have never tried it with PuTTY, but it seems to be possible using the ProxyCommand approach, see here: stackoverflow.com/a/28937185

– Huygens
16 hours ago





@user2503775 I have never tried it with PuTTY, but it seems to be possible using the ProxyCommand approach, see here: stackoverflow.com/a/28937185

– Huygens
16 hours ago




1




1





Thank you very much for the detailed answer!

– user2503775
16 hours ago





Thank you very much for the detailed answer!

– user2503775
16 hours ago













3














Simply use SSH agent forwarding like most others do.




  • The keys will be in ssh agent on your laptop.

  • You login to bastion, authenticated through the agent.

  • From there login to you target host, with authentication request forwarded back to your laptop.


Advantage: there are no keys stored on the bastion that can be misused.



Hope that helps :)






share|improve this answer


























  • Hi, that is basically what the OP describes in his/her second bullet. I advise you check the second link provided in the question.

    – Huygens
    16 hours ago











  • @Huygens true I noticed now. I overloked that as he mixes together TCP forwarding with Agent forwarding.

    – MLu
    16 hours ago











  • Indeed this is mixed up :-)

    – Huygens
    16 hours ago











  • It's not mixed. I understand the difference. I edited the question to make it clear.

    – user2503775
    16 hours ago


















3














Simply use SSH agent forwarding like most others do.




  • The keys will be in ssh agent on your laptop.

  • You login to bastion, authenticated through the agent.

  • From there login to you target host, with authentication request forwarded back to your laptop.


Advantage: there are no keys stored on the bastion that can be misused.



Hope that helps :)






share|improve this answer


























  • Hi, that is basically what the OP describes in his/her second bullet. I advise you check the second link provided in the question.

    – Huygens
    16 hours ago











  • @Huygens true I noticed now. I overloked that as he mixes together TCP forwarding with Agent forwarding.

    – MLu
    16 hours ago











  • Indeed this is mixed up :-)

    – Huygens
    16 hours ago











  • It's not mixed. I understand the difference. I edited the question to make it clear.

    – user2503775
    16 hours ago
















3












3








3







Simply use SSH agent forwarding like most others do.




  • The keys will be in ssh agent on your laptop.

  • You login to bastion, authenticated through the agent.

  • From there login to you target host, with authentication request forwarded back to your laptop.


Advantage: there are no keys stored on the bastion that can be misused.



Hope that helps :)






share|improve this answer















Simply use SSH agent forwarding like most others do.




  • The keys will be in ssh agent on your laptop.

  • You login to bastion, authenticated through the agent.

  • From there login to you target host, with authentication request forwarded back to your laptop.


Advantage: there are no keys stored on the bastion that can be misused.



Hope that helps :)







share|improve this answer














share|improve this answer



share|improve this answer








edited 16 hours ago

























answered 16 hours ago









MLuMLu

9,08212344




9,08212344













  • Hi, that is basically what the OP describes in his/her second bullet. I advise you check the second link provided in the question.

    – Huygens
    16 hours ago











  • @Huygens true I noticed now. I overloked that as he mixes together TCP forwarding with Agent forwarding.

    – MLu
    16 hours ago











  • Indeed this is mixed up :-)

    – Huygens
    16 hours ago











  • It's not mixed. I understand the difference. I edited the question to make it clear.

    – user2503775
    16 hours ago





















  • Hi, that is basically what the OP describes in his/her second bullet. I advise you check the second link provided in the question.

    – Huygens
    16 hours ago











  • @Huygens true I noticed now. I overloked that as he mixes together TCP forwarding with Agent forwarding.

    – MLu
    16 hours ago











  • Indeed this is mixed up :-)

    – Huygens
    16 hours ago











  • It's not mixed. I understand the difference. I edited the question to make it clear.

    – user2503775
    16 hours ago



















Hi, that is basically what the OP describes in his/her second bullet. I advise you check the second link provided in the question.

– Huygens
16 hours ago





Hi, that is basically what the OP describes in his/her second bullet. I advise you check the second link provided in the question.

– Huygens
16 hours ago













@Huygens true I noticed now. I overloked that as he mixes together TCP forwarding with Agent forwarding.

– MLu
16 hours ago





@Huygens true I noticed now. I overloked that as he mixes together TCP forwarding with Agent forwarding.

– MLu
16 hours ago













Indeed this is mixed up :-)

– Huygens
16 hours ago





Indeed this is mixed up :-)

– Huygens
16 hours ago













It's not mixed. I understand the difference. I edited the question to make it clear.

– user2503775
16 hours ago







It's not mixed. I understand the difference. I edited the question to make it clear.

– user2503775
16 hours ago












user2503775 is a new contributor. Be nice, and check out our Code of Conduct.










draft saved

draft discarded


















user2503775 is a new contributor. Be nice, and check out our Code of Conduct.













user2503775 is a new contributor. Be nice, and check out our Code of Conduct.












user2503775 is a new contributor. Be nice, and check out our Code of Conduct.
















Thanks for contributing an answer to Server Fault!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f958222%2fbastion-server-use-tcp-forwarding-vs-placing-private-key-on-server%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

"Incorrect syntax near the keyword 'ON'. (on update cascade, on delete cascade,)

Alcedinidae

Origin of the phrase “under your belt”?