| Version 10 (modified by , 10 years ago) (diff) |
|---|
How To Forward Your SSH Agent
In GENI, it regularly comes up that folks want to login into one remote node from their local machine, then log into a second remote node directly from the first remote node. The tricky bit is that the first remote node does not have your private ssh key and so you can't login to the second remote node.
Instead you need to enable ssh agent forwarding when you log into the first remote node.
If you are using ssh via a command line, you can simply add the -A option to your usual ssh command when you log into the first remote node. This feature is particularly useful for working around a firewall.
To summarize, the following sequence of commands should work:
local> ssh -A -i ~/.ssh/id_rsa firstnode.example.com firstnode> ssh secondnode.example.com secondnode>
If you are not using a command line ssh client you will need to find the appropriate option on your particular client. Some poking around and googling should readily turn up the answer for your client.
SSH Config
If you are using an SSH configuration file, you can use the ForwardAgent command in your .ssh/config to perform the equivalent action as using -A on the command line.
Host myserver ForwardAgent yes
References
man ssh includes this:
-A Enables forwarding of the authentication agent connection. This
can also be specified on a per-host basis in a configuration
file.
Agent forwarding should be enabled with caution. Users with the
ability to bypass file permissions on the remote host (for the
agent's UNIX-domain socket) can access the local agent through
the forwarded connection. An attacker cannot obtain key material
from the agent, however they can perform operations on the keys
that enable them to authenticate using the identities loaded into
the agent.
