On Wed, 5 Oct 2011 09:14:41 -0700 Toshio Kuratomi a.badger@gmail.com wrote:
On Wed, Oct 05, 2011 at 09:36:12AM -0600, Kevin Fenzi wrote:
On Tue, 4 Oct 2011 08:19:55 -0700 Toshio Kuratomi a.badger@gmail.com wrote:
One time when I've found agent forwarding unavoidable is when working on development of code hosted in fedorahosted. Checkouts can be done anonymously, but pushing changes back to fedorahosted needs an authenticated ssh connection. This counts as copying things between machines but it's common enough for what I do in infrastructure that I'd love to figure out some way around it.
Hum... not sure I understand. Which two internal machines would this be copying between?
For instance, app01.dev and fedorahosted.org
Ah, ok.
I guess the only alternative there would be copying down to your local machine and up to the other one. That could end up being a lot slower and is also two steps instead of one. ;(
One possible compromise: go ahead and use ssh agent forwarding, but after you login, do a 'ssh-add -D' to drop all your keys. Then, when/if you need to make a copy connection it should ask for your passphrase to unlock the key again. If someone tries to hijack your agent connection, you would see the request to unlock the key and could reject it.
kevin