= How To Log In to One Computer from Another =

GENI users often want to log in to one remote node from their local machine, and then log in to a second remote node directly from the first.

To do this, you need to enable ssh agent forwarding when you log in to the first remote node.

If you use ssh from a command line, add the `-A` option to your usual `ssh` command when you log in to the ''first'' remote node. This is mentioned in passing on the How To page for logging into nodes (search for "agent" in [2]).

To summarize, the following sequence of commands should work:
{{{
local> ssh -A -i ~/.ssh/id_rsa firstnode.example.com
firstnode> ssh secondnode.example.com
secondnode>
}}}

If you are not using a command-line ssh client, you will need to find the equivalent option in your particular client. Some poking around and googling should readily turn up the answer.

== References ==
`man ssh` includes this:
{{{
     -A      Enables forwarding of the authentication agent connection. This
             can also be specified on a per-host basis in a configuration
             file.

             Agent forwarding should be enabled with caution. Users with the
             ability to bypass file permissions on the remote host (for the
             agent's UNIX-domain socket) can access the local agent through
             the forwarded connection. An attacker cannot obtain key material
             from the agent, however they can perform operations on the keys
             that enable them to authenticate using the identities loaded into
             the agent.
}}}
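
The man page excerpt above notes that forwarding can be set per host in a configuration file and should be enabled with caution. As an added example (not part of the original page), this shell function lists where an ssh_config file turns on `ForwardAgent` and marks global, wildcard or `Match` entries as broad. The sample config and the `*.example.org` entry are constructed for illustration.

```shell
#!/bin/sh
# Added example: report where an ssh_config file enables agent forwarding.
# Output: "<scope><TAB><patterns>" per enabling line. Scope is "broad" for a
# global setting, a wildcard Host line or a Match block, else "scoped".
audit_forward_agent() {
    awk '
    BEGIN { patterns = "(global)"; broad = 1 }
    {
        sub(/^[ \t]+/, "")                 # strip indentation
        if ($0 == "" || $0 ~ /^#/) next    # skip blank lines and comments
        gsub(/"/, "")                      # drop optional quoting
        sub(/[ \t]*=[ \t]*/, " ")          # accept the Keyword=value form
        key = tolower($1)
        if (key == "host") {
            patterns = $0
            sub(/^[^ \t]+[ \t]+/, "", patterns)
            broad = (patterns ~ /[*?]/) ? 1 : 0
        } else if (key == "match") {
            patterns = $0; broad = 1       # Match criteria need manual review
        } else if (key == "forwardagent" && tolower($2) != "no") {
            # "yes", an agent socket path or a $VARIABLE all enable forwarding
            printf "%s\t%s\n", (broad ? "broad" : "scoped"), patterns
        }
    }' "$1"
}

# Constructed sample config; *.example.org is a made-up second entry.
write_sample_config() {
    cat > "$1" <<'EOF'
Host firstnode.example.com
    ForwardAgent yes
    IdentityFile ~/.ssh/id_rsa

Host *.example.org
    ForwardAgent=yes

Host *
    ForwardAgent no
EOF
}

tmp=$(mktemp)
write_sample_config "$tmp"
audit_forward_agent "$tmp"   # flags only the *.example.org block as broad
rm -f "$tmp"
```

Run it against `~/.ssh/config`; entries reported as `scoped` forward the agent only to the named host, which is the narrow setup the login sequence on this page needs.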