Multiple, chained partially trusted machines
Opened this issue · 1 comment
I'm trying to understand whether guardian-agent supports the following setup:
Local, trusted machine
-> Partially trusted jumphost
-> Admin server
-> End-machine
Not sure if I can 'chain' sga-guard or if there's some way.
I'm trying to run ansible from the 'admin server' against end machines.
ansible supports the variable:
ssh_executable="/usr/local/bin/sga-ssh"
But it appears:
- Currently the agent trust doesn't pass along that full chain
- I'm unable to run sga-guard from jumphost -> admin server
I think that the jumphost scenario can be handled together with ssh's ProxyCommand/ProxyJump (still allowing you to get the security benefits of Guardian Agent):
On the local (trusted) machine, you can run:
sga-guard -o ProxyCommand="ssh -W %h:%p <jumphost>" <admin-server>
sga-guard uses OpenSSH's ProxyCommand option to connect to <admin-server> through <jumphost> (note that the connection is encrypted end-to-end and the identity of the remote server is verified against the local .known_hosts file, so you're safe here).
Then, you can run sga-ssh on the admin server against the end machines (and I think also using ansible).
For additional information about the ProxyCommand option, have a look here.
P.S. Recent versions of OpenSSH have a shortcut for the ProxyCommand option in the form of the -J flag. I'm going to make a small fix to guardian agent so you can use this flag with guardian agent (instead of the longer -o ProxyCommand...).
Hope this helps.
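The chain described in the reply, as an added example that is not part of the original issue or of guardian-agent's own code: the jumphost hop is made a persistent ssh_config entry on the local (trusted) machine and resolved offline with `ssh -G`, and the admin server gets an ansible.cfg that points `ssh_executable` at sga-ssh. Host names, users and paths are placeholders, and it is an assumption that sga-guard honours ~/.ssh/config the way a plain `ssh` invocation does (the reply only shows the `-o ProxyCommand=...` form).

```shell
#!/bin/sh
# Added example (not guardian-agent's own code). Shows the two halves of the
# chain: local machine -> jumphost -> admin server (sga-guard + ssh_config),
# then admin server -> end machines (Ansible driving sga-ssh).
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Half 1, local trusted machine: route admin-server through jumphost.
# ProxyJump (OpenSSH >= 7.3) is the short form of
# ProxyCommand "ssh -W %h:%p jumphost"; the long form is kept as a comment.
# Host names and users below are placeholders (assumption).
write_local_ssh_config() {
  cat > "$WORKDIR/ssh_config" <<'EOF'
Host jumphost
    HostName jumphost.example.com
    User deploy

Host admin-server
    HostName admin.internal.example.com
    User deploy
    ProxyJump jumphost
    # Equivalent on older OpenSSH:
    # ProxyCommand ssh -W %h:%p jumphost
    # Keep host-key checking strict so the (partially trusted) jumphost cannot
    # substitute its own key for admin-server's: the end-to-end session is
    # verified against the LOCAL known_hosts file, not the jumphost's.
    StrictHostKeyChecking yes
    UserKnownHostsFile ~/.ssh/known_hosts
EOF
  printf '%s\n' "$WORKDIR/ssh_config"
}

# Resolve which jump host a target will go through, without connecting.
# Prefers OpenSSH's own resolution (`ssh -G` prints the effective options);
# falls back to a minimal parse of the Host block when ssh is unavailable.
# Prints the jump host, or nothing if the target is reached directly.
resolve_jump() {
  target="$1"
  cfg=$(write_local_ssh_config)
  out=""
  if command -v ssh >/dev/null 2>&1; then
    out=$(ssh -G -F "$cfg" "$target" 2>/dev/null) || out=""
  fi
  if [ -n "$out" ]; then
    printf '%s\n' "$out" | awk '$1 == "proxyjump" { print $2; exit }'
  else
    awk -v h="$target" '
      tolower($1) == "host"      { inblock = ($2 == h); next }
      inblock && tolower($1) == "proxyjump" { print $2; exit }
    ' "$cfg"
  fi
}

# Half 2, admin server: make every Ansible SSH connection go through sga-ssh,
# so no private key has to live on the admin server; each connection request
# is forwarded to the guardian on the local machine for approval.
# (Placeholder path; assumption that sga-ssh is installed there.)
write_admin_ansible_cfg() {
  cat > "$WORKDIR/ansible.cfg" <<'EOF'
[ssh_connection]
ssh_executable = /usr/local/bin/sga-ssh
EOF
  printf '%s\n' "$WORKDIR/ansible.cfg"
}

# Usage (commands only; nothing here connects anywhere):
#   local$  cp "$(write_local_ssh_config)" ~/.ssh/config   # merge by hand if one exists
#   local$  resolve_jump admin-server                      # prints: jumphost
#   local$  sga-guard admin-server                         # or the reply's explicit form:
#   local$  sga-guard -o ProxyCommand="ssh -W %h:%p jumphost" admin-server
#   admin$  ANSIBLE_CONFIG="$(write_admin_ansible_cfg)" ansible all -m ping
resolve_jump admin-server
```

`resolve_jump` is the check worth running before the first real hop: if it prints nothing for `admin-server`, the Host block is not being picked up and sga-guard would try to reach the admin server directly.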