From the dev.to devops feed, saved in brief so as not to lose it.
Thousands of tutorials recommend ForwardAgent yes. Most of them don't tell you what it actually does to your security posture. Here's the full picture.

You need to SSH from your laptop to a bastion, then from the bastion to an internal server. You've seen the solution in a dozen tutorials:

    Host bastion
        ForwardAgent yes

It works. It's convenient. And it creates a security hole that could let anyone with root on the bastion impersonate you to every server your key unlocks — for as long as your session is open.

This isn't a theoretical risk. It's a well-documented attack vector with a name: SSH agent hijacking. And the fix — ProxyJump — has been available since 2017 and solves the same problem without the exposure.

This article explains exactly what agent forwarding does under the hood, why
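As an added example (not code from the article or its author), the two ssh_config shapes the excerpt contrasts are placed side by side, followed by a small audit that reads an ssh_config and reports every Host or Match block that still sets ForwardAgent yes. The host names, user name and internal IP are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original article. Hostnames, the user name
# and the internal IP are placeholders.

# The pattern the tutorials recommend: the agent socket is forwarded onto the
# bastion, so anyone with root there can use your keys while the session lasts.
RISKY_CONFIG='Host bastion
    HostName bastion.example.internal
    User alice
    ForwardAgent yes

Host internal
    HostName 10.0.0.5
    User alice
'

# The ProxyJump form: the connection to "internal" is tunnelled through the
# bastion, but the key challenge is answered on the laptop, so no agent socket
# ever exists on the bastion. One-off equivalent: ssh -J bastion internal
# (on OpenSSH releases without ProxyJump: ProxyCommand ssh -W %h:%p bastion).
SAFE_CONFIG='Host bastion
    HostName bastion.example.internal
    User alice

Host internal
    HostName 10.0.0.5
    User alice
    ProxyJump bastion
'

# audit_forward_agent: read an ssh_config on stdin, print the name of every
# Host/Match block (or "(global)" for settings before any block) that sets
# ForwardAgent yes, and exit 1 if any did, 0 otherwise.
# Usage: audit_forward_agent < ~/.ssh/config
audit_forward_agent() {
    awk '
        BEGIN { host = "(global)" }
        tolower($1) == "host" || tolower($1) == "match" {
            host = $2
            for (i = 3; i <= NF; i++) host = host " " $i
        }
        tolower($1) == "forwardagent" && tolower($2) == "yes" { print host; found = 1 }
        END { exit found ? 1 : 0 }
    '
}

# Stand-alone run: show what the audit says about each fragment.
printf 'Risky config, blocks forwarding the agent:\n'
printf '%s\n' "$RISKY_CONFIG" | audit_forward_agent || echo '  -> agent forwarding found'
printf 'ProxyJump config:\n'
printf '%s\n' "$SAFE_CONFIG" | audit_forward_agent && echo '  -> no agent forwarding'
```

The audit is deliberately case-insensitive because ssh_config keywords and the yes/no values are matched that way by OpenSSH itself; running it against a real config (`audit_forward_agent < ~/.ssh/config`) lists exactly which blocks would expose the agent socket to the remote host.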
Full text and context at the original source: https://dev.to/mahafuz/ssh-agent-forwarding-vs-proxyjump-why-agent-forwarding-is-dangerous-and-what-to-use-instead-1no6