Chris's Wiki :: blog/sysadmin/SSHIdentitiesOffered Comments
https://utcc.utoronto.ca/~cks/space/blog/sysadmin/SSHIdentitiesOffered
Recent comments in Chris's Wiki :: blog/sysadmin/SSHIdentitiesOffered.

By Chris Siebenmann on /blog/sysadmin/SSHIdentitiesOffered, 2016-01-31T06:29:45Z:

I think that should work on a bastion server, but note that that just limits what the ssh on the bastion server does. An attacker on the bastion server (still) has full access to all of your ssh-agent keys.

By Grant (http://dotfiles.tnetconsulting.net/home.html) on /blog/sysadmin/SSHIdentitiesOffered, 2016-01-31T04:21:57Z:

Nice post Chris.

I wonder what would happen if you have a catch-all "Host *" stanza at the end of your ssh config file that includes IdentitiesOnly=yes and IdentityFile=~/.ssh/id_rsa.

I like the idea that it's possible to use agent forwarding with public keys copied to a bastion server such that you can then use IdentitiesOnly from the bastion. (Correct me if I'm wrong.)
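As an added example (it is not from the post or from either comment), here is what the two-sided setup Grant describes, and Chris's caveat about it, looks like in ssh_config. The hostnames bastion.example.org and internal.example.org, the Host aliases and the key file names are assumptions. The workstation side forwards the agent only to the bastion and carries Grant's catch-all "Host *" stanza last; the bastion side has only the public half of the key on disk and uses IdentitiesOnly so that ssh run there offers just that key, even though the forwarded agent holds every key you loaded.

```sshconfig
# Added example, not from the original post or comments. All hostnames,
# aliases and key file names below are placeholders.

# ---- ~/.ssh/config on the workstation ----
Host bastion
    HostName bastion.example.org
    IdentityFile ~/.ssh/id_ed25519     # private key on disk here and in ssh-agent
    ForwardAgent yes                   # only to this host, never under Host *

# Catch-all stanza last, as in Grant's question. For single-valued options
# such as IdentitiesOnly and ForwardAgent the first matching stanza wins, so
# "Host bastion" above keeps ForwardAgent yes. IdentityFile directives
# accumulate across matching stanzas instead of replacing each other, so this
# adds ~/.ssh/id_ed25519 to the list of identities tried for every host.
Host *
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519
    ForwardAgent no

# ---- ~/.ssh/config on the bastion ----
# Only id_ed25519.pub was copied here; there is no private key on this
# machine. ssh reads the .pub file, matches it against the identities in the
# forwarded agent ($SSH_AUTH_SOCK), and with IdentitiesOnly offers that one
# key to internal.example.org rather than every key the agent holds.
Host internal
    HostName internal.example.org
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519.pub
```

On the bastion, `ssh -G internal` prints the effective configuration, so you can confirm that identitiesonly is yes and that the only identityfile listed is the .pub path before relying on it. This restriction lives entirely in the bastion's own ssh client, which is Chris's point: any process running as you on the bastion can still open $SSH_AUTH_SOCK and ask the forwarded agent to sign with any key it holds. Loading keys with `ssh-add -c` makes the agent on the workstation ask for confirmation on each use, which turns a silent misuse into a visible prompt but does not remove the exposure.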