Multiple, chained partially trusted machines

[MikeSchroll]

I'm trying to understand whether guardian-agent supports the following setup:

Local, trusted machine
  -> Partially trusted jumphost
       -> Admin server
            -> End-machine

Not sure if I can 'chain' sga-guard or if there's some way.

I'm trying to run ansible from the 'admin server' against end machines.
ansible supports the variable:
ssh_executable="/usr/local/bin/sga-ssh"

But it appears:

1. Currently the agent trust doesn't pass along that full chain
2. I'm unable to run sga-guard from jumphost -> admin server

[dimakogan]

I think that the jumphost scenario can be handled together with ssh's ProxyCommand/ProxyJump (still allowing you to get the security benefits of Guardian Agent):
On the local (trusted) machine, you can run:

sga-guard -o ProxyCommand="ssh  -W %h:%p <jumphost>" <admin-server>

sga-guard uses OpenSSH's ProxyCommand option to connect to <admin-server> through <jumphost> (note that the connection is encrypted end-to-end and the identity of the remote server is verified against the local .known_hosts file, so you're safe here).
Then, you can run sga-ssh on the admin server against the end machines (and I think also using ansible).

For additional information about the ProxyCommand option, have a look here.

P.S. Recent versions of OpenSSH have a shortcut for the ProxyCommand option in the form of the -J flag. I'm going to make a small fix to guardian agent so you can use this flag with guardian agent (instead of the longer -o ProxyCommand...).

Hope this helps.