We accomplish this using the Prox圜ommand configuration option. Ssh supports proxying encrypted traffic through one (or many) intermediate servers, where each server adds a layer of encryption instead of decrypting and re-encrypting the traffic. Finally, invoking ssh on the bastion does not use your local ~/.ssh/known_hosts file or Krypton’s pinned host public keys for authenticating remote hosts. Agent forwarding also leaves a socket open on the bastion that connects back to your local ssh-agent, potentially allowing other users to use your local private keys. In this case, your ssh session is decrypted on the bastion host, then re-encrypted to your local machine, meaning that anyone with access to the bastion host can potentially read or hijack your ssh session. Agent Forwarding is InsecureĪ common, but dangerous, practice in using bastion hosts is to first ssh into the bastion with agent forwarding enabled (the -A flag), then ssh into the destination server. The only way to log in to one of the servers is to pass traffic through the bastion host, and ssh provides multiple ways to accomplish this. Then a single bastion server is added to the network and is the only server accessible outside of the private network. Many companies set up a group of servers in a private network that blocks all incoming traffic. A bastion host is a server that acts as a gateway between you and the servers you are logging in to.