SSH - Agent Forwarding (Forward Key)
About
Agent forwarding is a mechanism whereby an SSH client lets the SSH server the user logs into use the client's local agent as if that agent were running on the server.
Loosely, we say that the private key is "forwarded" to server1 so that server1 can connect to server2. Strictly, the key never leaves the laptop: sshd on server1 only exposes a UNIX socket that relays signing requests back to the local agent. The security caveat follows from that: for as long as the session is open, anyone who can reach the socket on server1 (root, or another process running as your user) can authenticate as you to any host that trusts your key. Forward the agent only to hosts you trust, and prefer ProxyJump (ssh -J) when you merely need to pass through a bastion.
Process
When a user requests a connection to a second server from an SSH client on a first server (the server client):
- the server client sends the signing request to the forwarded agent socket on the first server (the server agent socket, created by sshd)
- sshd on the first server relays the request over the existing SSH connection to the client on the laptop (the local client)
- the local client hands the request to the agent running on the laptop (the local agent), which signs it with the private key and returns only the signature.
The agent and agent forwarding together therefore implement a form of single sign-on: one unlocked key on the laptop authenticates every hop.
Steps
- configure your environment (see the Configuration section below)
- from your laptop, make a SSH connection to the first server
- Verify that you logged in via your local agent, not with a password or a key file stored on the first server. With PuTTY you should see on the screen:
Authenticating with public key "rsa-key-..." from agent
- Verify that sshd has created the forwarded agent socket in your session. No agent process runs on the server; the socket relays requests back to your laptop. The echo command should show a path:
echo "$SSH_AUTH_SOCK"
/tmp/ssh-e6Kf8qZYDv/agent.16521
- Then connect from the first server to a second one. The key on your laptop is used, even though no private key file exists on the first server.
ssh my-server-hostname
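The verification steps above, collected into one script. This is an added example and is not part of the original page: it is meant to be run on the first server after logging in from the laptop, classifies the state of SSH_AUTH_SOCK (the usual failure modes are an unset variable because forwarding was never requested, and a stale path left behind by a screen or tmux session), counts the identities reachable through the socket, and, when run as root, checks the sshd side from the output of sshd -T. The function and file names are assumptions made for the example.

```shell
#!/bin/sh
# check_agent_forwarding.sh -- added example, not from the original page.
# Run it on the first server after logging in from your laptop.

# Classify the value of SSH_AUTH_SOCK. Prints one of:
#   unset        - sshd did not set up forwarding (the client sent no
#                  request, or the server refused it)
#   missing      - the path no longer exists (stale value, e.g. from a
#                  screen/tmux session that outlived the SSH login)
#   not-a-socket - the path exists but is not a UNIX socket
#   ok           - a socket is present, so the laptop agent is reachable
agent_socket_status() {
    sock=$1
    if [ -z "$sock" ]; then
        echo unset
    elif [ ! -e "$sock" ]; then
        echo missing
    elif [ ! -S "$sock" ]; then
        echo not-a-socket
    else
        echo ok
    fi
}

# Parse `sshd -T` output (passed as a string) and return 0 if the server
# configuration allows agent forwarding. sshd -T prints keywords in lowercase.
sshd_allows_forwarding() {
    printf '%s\n' "$1" | grep -qiE '^allowagentforwarding[[:space:]]+yes$'
}

# Number of identities the forwarded socket exposes; 0 when no agent is
# reachable or ssh-add is not installed (ssh-add -l exits non-zero then).
forwarded_identity_count() {
    if command -v ssh-add >/dev/null 2>&1 && ssh-add -l >/dev/null 2>&1; then
        ssh-add -l | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# Human-readable summary of the checks above.
report_agent_forwarding() {
    status=$(agent_socket_status "${SSH_AUTH_SOCK:-}")
    echo "SSH_AUTH_SOCK: ${SSH_AUTH_SOCK:-<unset>} ($status)"
    case $status in
        ok) echo "identities reachable through the agent: $(forwarded_identity_count)" ;;
        *)  echo "hint: reconnect with 'ssh -A' or ForwardAgent yes in ~/.ssh/config" ;;
    esac
    # sshd -T needs root (it reads the host keys); skip silently otherwise.
    if [ "$(id -u)" = 0 ] && command -v sshd >/dev/null 2>&1; then
        if sshd_allows_forwarding "$(sshd -T 2>/dev/null)"; then
            echo "sshd: AllowAgentForwarding yes"
        else
            echo "sshd: agent forwarding is disabled on this server"
        fi
    fi
}

report_agent_forwarding
```

A status of "ok" together with zero identities usually means the laptop agent itself holds no key (run ssh-add there), while "unset" means the request never reached sshd, so the fix is on the client side, not the server.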
Configuration
To use agent forwarding from the laptop through server1 to server2:
- the ForwardAgent option must be set to yes (or the -A command-line flag given) on the local client, i.e. the ssh or PuTTY on your laptop
- the ssh client on the first server needs no ForwardAgent setting to reach the second server; it picks up the forwarded socket from SSH_AUTH_SOCK, which sshd sets in the session. Set ForwardAgent there too only if the agent must be forwarded one hop further, to the second server.
- the AllowAgentForwarding option must be set to yes on the first server's sshd (the default)
Server
sshd
Normally, no configuration is needed, as the default value of AllowAgentForwarding is yes (see the sshd_config(5) manual page).
You can check the effective value on an OpenSSH server with the following command; it must be run as root because sshd -T reads the host keys:
sshd -T | grep -i allowagentforwarding
allowagentforwarding yes
otherwise set the following value in /etc/ssh/sshd_config and reload sshd:
AllowAgentForwarding yes
Client
Ssh
Configuration of the ssh client on the laptop:
- Create or open the file ~/.ssh/config.
- Enable agent forwarding for the server Server1HostName by adding the following text to the config file (a one-off alternative is the -A flag: ssh -A Server1HostName)
Host Server1HostName
ForwardAgent yes
# or for all servers (not recommended: every host you log into can then use your agent)
Host *
ForwardAgent yes
Because a root user on any host in a Host * block could use the forwarded socket, prefer listing the trusted jump hosts explicitly.
Putty
Configuration of the PuTTY client:
Putty via Winscp
- Go to Winscp > Options > Preferences (Integration > Applications)
- Allow forwarding by appending the -A option to the PuTTY command that WinSCP launches
Putty direct
- Set the agent forwarding option: Connection > SSH > Auth > Allow agent forwarding
- Save the session (or the Default Settings) so that the option persists