Version 10 (modified by, 7 years ago) (diff)


How To Forward Your SSH Agent

In GENI, it regularly comes up that folks want to login into one remote node from their local machine, then log into a second remote node directly from the first remote node. The tricky bit is that the first remote node does not have your private ssh key and so you can't login to the second remote node.

Instead you need to enable ssh agent forwarding when you log into the first remote node.

If you are using ssh via a command line, you can simply add the -A option to your usual ssh command when you log into the first remote node. This feature is particularly useful for working around a firewall.

To summarize, the following sequence of commands should work:

local> ssh -A -i ~/.ssh/id_rsa
firstnode> ssh

If you are not using a command line ssh client you will need to find the appropriate option on your particular client. Some poking around and googling should readily turn up the answer for your client.

SSH Config

If you are using an SSH configuration file, you can use the ForwardAgent command in your .ssh/config to perform the equivalent action as using -A on the command line.

Host myserver
  ForwardAgent yes


man ssh includes this:

     -A      Enables forwarding of the authentication agent connection.  This
             can also be specified on a per-host basis in a configuration

             Agent forwarding should be enabled with caution.  Users with the
             ability to bypass file permissions on the remote host (for the
             agent's UNIX-domain socket) can access the local agent through
             the forwarded connection.  An attacker cannot obtain key material
             from the agent, however they can perform operations on the keys
             that enable them to authenticate using the identities loaded into
             the agent.