From c27fd740755873198e75574978df75390dc3b9cb Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Fri, 28 Dec 2018 11:30:18 +0100
Subject: [PATCH] Don't use SSH agent
---
 README.md | 10 ++++++++--
 group_vars/horus/ssh_through_proxy.yml | 2 --
 2 files changed, 8 insertions(+), 4 deletions(-)
 delete mode 100644 group_vars/horus/ssh_through_proxy.yml
diff --git a/README.md b/README.md
index 90edbb4..11e0641 100644
--- a/README.md
+++ b/README.md
@@ -33,6 +33,9 @@ Il faut changer la variable d'environnement suivante :
 
 ### Configurer la connexion au bastion
 
+Envoyer son agent SSH peut être dangereux ([source](https://heipei.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/)).
+
+On va utiliser plutôt ProxyCommand.
 Dans la configuration SSH :
 
 ```
@@ -41,7 +44,10 @@ Host proxy.auro.re
 ControlMaster auto
 ControlPath ~/.ssh/%r@%h:%p
 
-Host *.auro.re 10.128.0.*
+# Use a key to log on all Aurore servers
+# and use a bastion
+Host 10.128.0.*
 IdentityFile ~/.ssh/id_rsa_aurore
- ForwardAgent yes
+ ProxyCommand ssh -q -W %h:%p proxy.auro.re
 ```
+
diff --git a/group_vars/horus/ssh_through_proxy.yml b/group_vars/horus/ssh_through_proxy.yml
deleted file mode 100644
index 8421c4c..0000000
--- a/group_vars/horus/ssh_through_proxy.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-ansible_ssh_extra_args: -o ProxyCommand='ssh -W %h:%p -q proxy.auro.re'