Securely SSH to a server from an intermediary remote machine (possibly with YubiKey)

Çağlar Arlı

I am doing remote development on a remote dev machine. From the remote machine, I need to SSH to other servers and services like GitHub. Everything is on the Internet. My desktop is much more secure than the remote dev machine, so I don't want to have private SSH keys lying on the remote dev machine.

The diagram looks like this:

Windows Desktop -> Remote Dev Machine -> Github/other servers.

I feel I have several options here:

  1. SSH Agent Forwarding with YubiKey authentication: ssh -A remote_dev

The problem with this approach is that my desktop ssh-agent contains a lot of keys. I want to forward only specific keys to the remote dev machine. For example, I only want the GitHub key made available to the remote machine. But strangely, I haven't found a way to forward only specific keys.

  2. SSH Jump: On the remote dev machine, I do ssh -J my_desktop github.com

It seems safer and it probably works with YubiKey. But I need to open up SSH access to my desktop, which is a risk.

  3. Ideally, I would like the private keys that will be used on the remote dev machine to either have to be authenticated with the YubiKey, or even better, physically stored on the YubiKey. But I don't know whether the YubiKey will work with the remote machine. Maybe some remote USB forwarding can work?

None of these seem ideal. Does anyone have ideas?
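
One way to get the per-key forwarding asked about in option 1, shown as an added example that is not part of the original post: run a second ssh-agent that holds only the GitHub key and forward that agent's socket instead of the default one. It assumes OpenSSH 8.2 or later on the desktop with Unix-style agent sockets (for example under WSL or Git Bash); the socket path, key file name and host name are placeholders.

```sshconfig
# ~/.ssh/config on the desktop (added example; paths and names are assumptions)
#
# Once per login session, start a dedicated agent and load only the GitHub key:
#   ssh-agent -a ~/.ssh/agent-github.sock
#   SSH_AUTH_SOCK=~/.ssh/agent-github.sock ssh-add ~/.ssh/id_ed25519_github
#   SSH_AUTH_SOCK=~/.ssh/agent-github.sock ssh-add -l
# The last command should list exactly one key.

# Weak setting, shown commented out for comparison: this forwards the default
# agent, so every key loaded in it can be asked to sign on behalf of whoever
# controls remote_dev for as long as the session is open.
# Host remote_dev
#     ForwardAgent yes

# Corrected setting: the login to remote_dev still authenticates with the
# default agent (SSH_AUTH_SOCK), but only the single-key agent is exposed
# to the remote side.
Host remote_dev
    # Placeholder address for the dev machine.
    HostName remote-dev.example
    ForwardAgent ~/.ssh/agent-github.sock

# Keep forwarding off everywhere else. ssh_config uses the first value it
# finds for each option, so this catch-all must come after the block above.
Host *
    ForwardAgent no
```

After connecting with plain `ssh remote_dev` (no `-A`), running `ssh-add -l` on the remote machine should show only the GitHub key. The private key never leaves the desktop, but a privileged user on remote_dev can still request signatures from that one key while the session is open.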