
| From: Scott Sullivan via talk <talk@gtalug.org>

| Dropping your public keys, and 'ForwardAgent yes' in .ssh/config in every
| user/system along the proxy chain means you can have a single SSH command take
| you all the way to the end of the chain without being prompted for a password
| at each hop.

I felt guilty leaving this out of my previous message:

When you do a normal SSH into a host, you are not trusting that host much.
(Of course things you actually do in your session could involve trust.)

If you use -A (same as ForwardAgent yes), you are allowing the host to use
your private key in dealing with other hosts. If the first host were
subverted, you could be in trouble. For that reason I use -A sparingly.

When you use the -X (ForwardX11) feature, you are also trusting the host.
X isn't a particularly safe protocol. So I use this sparingly too.

In my .ssh/config:
<<<
# default dangerous things to "off" for hosts outside mimosa.com
Host *.mimosa.com
    ForwardAgent yes
    ForwardX11 yes
Host *
    ForwardAgent no
    ForwardX11 no
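
An added example, not part of the original message: a minimal Python resolver for the ssh_config rule that the first value obtained for a keyword wins, which is why the `Host *.mimosa.com` block has to come before `Host *`. It handles only `Host` blocks (no `Match` or `Include`); the swapped variant and the host names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# The configuration from the message above, plus a constructed variant with the blocks swapped.
CONFIG = """\
# default dangerous things to "off" for hosts outside mimosa.com
Host *.mimosa.com
    ForwardAgent yes
    ForwardX11 yes
Host *
    ForwardAgent no
    ForwardX11 no
"""
SWAPPED = """\
Host *
    ForwardAgent no
    ForwardX11 no
Host *.mimosa.com
    ForwardAgent yes
    ForwardX11 yes
"""

def host_matches(patterns, host):
    """ssh_config Host rule: some pattern matches and no negated (!) pattern does."""
    positives = [p for p in patterns if not p.startswith("!")]
    negatives = [p[1:] for p in patterns if p.startswith("!")]
    if any(fnmatchcase(host, n) for n in negatives):
        return False
    return any(fnmatchcase(host, p) for p in positives)

def effective(config_text, host, keys=("forwardagent", "forwardx11")):
    """Resolve keys for host; the first value obtained for a keyword wins."""
    host, active, result = host.lower(), True, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "host":
            active = host_matches([a.lower() for a in args], host)
        elif active and keyword in keys and args and keyword not in result:
            result[keyword] = args[0].lower()
    return result

if __name__ == "__main__":
    for name in ("build.mimosa.com", "shell.example.net"):  # constructed host names
        print(name, effective(CONFIG, name), effective(SWAPPED, name))
```

On a real system, `ssh -G hostname` prints the options OpenSSH would actually apply for that host.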