SSH - Agent Forwarding (Forward Key)


1 - About

Agent forwarding is a mechanism whereby an SSH client allows an SSH server to use the client's local agent, so that on the server the user logs into, the agent can be used as if it were local there.

We say that the private key is forwarded to server1 in order to connect from server1 to server2, although, as the process below shows, it is the requests to the agent that are forwarded.


3 - Process

When a user requests a connection to a second server from an SSH client on a first server (the server client):

  • the server client will forward the request to the agent running on the server (the server agent)
  • the server agent will forward the request to the client (the local client)
  • the local client will forward the request to the agent running on the laptop (the local agent).

Together, the agent and agent forwarding thus implement single sign-on.

3.1 - Steps

  • configure your environment. See configuration
  • from your laptop, make an SSH connection to the first server
  • Verify that you were logged in via your local agent. You should see on the screen:
Authenticating with public key "rsa-key-..." from agent
  • Example with Putty

  • Verify that the client forwarding configuration has started an agent on the server. The echo command should show a value:
echo "$SSH_AUTH_SOCK"
/tmp/ssh-e6Kf8qZYDv/agent.16521
  • Then try to connect to another server and you should be able to connect.
ssh my-server-hostname

4 - Configuration

To use agent forwarding:

  • the ForwardAgent option must be set to yes on:
    • the local client
    • the server client (generally ssh)
  • the AllowAgentForwarding option must be set to yes on the server (default)

4.1 - Server

4.1.1 - sshd

Normally, no configuration is needed because the default value of AllowAgentForwarding is yes. See this page for the default value

If you are using the sshd server, you can check it on your server with this command:

sshd -T | grep -i allowagentforwarding
allowagentforwarding yes

Otherwise, you need to change the configuration file with the following value:

/etc/ssh/sshd_config
AllowAgentForwarding yes

4.2 - Client

4.2.1 - Ssh

Configuration of the ssh client:

  • Create/Open the file ~/.ssh/config.
  • Configure SSH agent forwarding for the specified Server1HostName by adding the following text to the config file:
~/.ssh/config
Host Server1HostName
  ForwardAgent yes
# or for all servers
Host *
  ForwardAgent yes
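
The check below is an added example, not part of the original page: it lists which Host patterns in a client config enable ForwardAgent and verifies the AllowAgentForwarding value in `sshd -T` output. Wildcard patterns are flagged because anyone who can read the forwarded agent socket on a matching server can use your agent while you are connected. The function names and the sample config are assumptions made for illustration.

```shell
# Added example; function names and the sample config are constructed.

# Print "<pattern> specific|wildcard" for each Host pattern whose block sets
# ForwardAgent yes. Options before the first Host line apply to every host,
# so they are reported under "*". Match blocks are skipped.
list_forwarding_hosts() {
    awk '
        BEGIN { n = 1; pats[1] = "*" }
        { gsub(/=/, " ") }                 # accept Key=value as well
        /^[ \t]*#/ || NF == 0 { next }     # comments and blank lines
        {
            key = tolower($1)              # keywords are case-insensitive
            if (key == "host") {
                n = 0; seen = 0
                for (i = 2; i <= NF; i++) pats[++n] = $i
            } else if (key == "match") {
                n = 0; seen = 0
            } else if (key == "forwardagent" && !seen) {
                seen = 1                   # first value in a block wins
                if (tolower($2) == "yes")
                    for (i = 1; i <= n; i++)
                        print pats[i], (pats[i] ~ /[*?]/ ? "wildcard" : "specific")
            }
        }
    ' "$1"
}

# Read `sshd -T` output on stdin; succeed only if agent forwarding is allowed.
server_allows_forwarding() {
    grep -qiE '^allowagentforwarding[[:space:]]+yes[[:space:]]*$'
}

# Constructed client config used for the demonstration below.
write_sample_config() {
    cat > "$1" <<'EOF'
Host Server1HostName
  ForwardAgent yes
Host build-*.example.test staging
  forwardagent=yes
Host legacy
  ForwardAgent no
Host *
  ForwardAgent yes
EOF
}

cfg=$(mktemp) && write_sample_config "$cfg" && list_forwarding_hosts "$cfg"
rm -f "$cfg"
```

This lists each block separately; to see the value that finally applies to one host after all blocks are evaluated, `ssh -G hostname` prints the resolved client options.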

4.2.2 - Putty

Configuration of SSH - Putty (telnet, ssh client) called

4.2.2.1 - Putty via Winscp
  • Go to Winscp > Options > Preferences
  • And allow forwarding by giving the -A option

4.2.2.2 - Putty direct
  • Set the agent forwarding option:

  • Save the default settings

5 - Documentation / Reference

ssh/forwarding.txt · Last modified: 2019/01/23 15:56 by gerardnico