SSH - Agent Forwarding (Forward Key)

About

agent forwarding is a mechanism whereby an SSH client allows an SSH server to use the local agent on the server, the user logs into, as if it was local there.

We say that the private key is forwarded to the server1 in order to connect from server1 to server2.

Articles Related

Process

When a user request a connection to a second server from an SSH client on a first server server (the server client):

• the server client will forward the request to the agent running on the server (the server agent)
• the server agent will forward the request to the client (the local client)
• the local client will forward the request to the agent running on the laptop (the local agent).

agent and agent forwarding implement then single sign-on

Steps

• configure your environment. See configuration
• from your laptop, make a SSH connection to the first server
• Verify that you got login via your local agent. You should see on the screen

Authenticating with public key "rsa-key-..." from agent

• Example with Putty

• Verify that the client forward configuration has started an agent on the server. The echo command should show a value.

echo "$SSH_AUTH_SOCK"

/tmp/ssh-e6Kf8qZYDv/agent.16521

• Then try to connect to another server and you should be able to connect.

ssh  my-server-hostname

Configuration

To use agent forwarding:

• the ForwardAgent option must be set to yes on:
  • the local client
  • the server client (generally ssh)
• the AllowAgentForwarding option must be set to yes on the server (default)

Server

sshd

You can check it on your server with this command if you are using the sshd server

sshd -T | grep -i allowagentforwarding

allowagentforwarding yes

otherwise you need to change the configuration file with the following value

AllowAgentForwarding yes

Client

Ssh

Configuration of the ssh client:

• Create/Open the file ~/.ssh/config.
• Configures SSH agent forwarding for the specified Server1HostName by adding the following text to the config file

Host Server1HostName
   ForwardAgent yes
# or for all server
 Host *
   ForwardAgent yes

Putty

Configuration of SSH - Putty (telnet, ssh client) called

• from winscp
• or directly

Putty via Winscp

• Go to Winscp > Options > Preferences
• And allow forwarding be giving the -A option

Putty direct

• Set the agent forwarding option:

• Save the default settings

Documentation / Reference

• https://www.ssh.com/ssh/agent#sec-SSH-Agent-Forwarding
• https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-hadoop-linux-use-ssh-unix#configure-ssh-agent-forwarding