Earlier today I saw this article on LWN.net (via lobste.rs) about a new feature in OpenSSH 8.9, SSH agent restriction, that will allow you to restrict the hosts your keys can be used on with
As a daily user of SSH (Secure SHell) I am a big fan of using SSH keys over passwords. Keys are more secure than passwords and by using
ssh-agent you can enter your passphrase once, leaving you free to
ssh all over the place without constantly typing your passwords.
This new restriction feature looks to quite useful if you’re using agent forwarding through a bastion host. You will be able to specify which hosts the keys will authenticate with and even through which hops. The links above have some great examples and much more information into how it works.
A number of people in the comments of that article pointed out that you can use the SSH config option
-J on the commandline. With agent-forwarding through a bastion a user would normally
ssh to the bastion and then
ssh again to the desired host. This creates two encrypted connections. Using
ProxyJump, however, works by getting the bastion to forward the first encrypted connection without breaking it. From your terminal you can incant
ssh -J user@bastion user@host
This will open a connection with “host” in one go. Especially useful if you don’t trust the bastion.
ProxyJump quite a lot. Hopping through a bastion is common practice when you have isolated networks. I also use it with my LXC containers, by jumping through the host server into the container. To achieve that my
~/.ssh/config looks something like this
Host mainframe HostName 188.8.131.52 Port 2222 Host lxc1 HostName 10.0.3.24 ProxyJump mainframe Host lxc2 HostName 10.0.3.50 ProxyJump mainframe
With this config I can
ssh straight to my containers with one encrypted connection through the host.
I will still be interested in the agent restriction feature when it comes in, and if you know of any other useful SSH tricks I would love to hear them.