SSH Agent Forwarding is used to share ssh keys with a remote computer.
You SSH into a remote computer, and from there, you need to access a remote server that requires your ssh keys. A typical example of this is cloning a repository on a remote computer. However, you don’t want to copy your local ssh keys to the remote server or create new ones. SSH Agent Forwarding allows a remote computer to use your local SSH keys without leaving your credentials on the remote computer.
SSH Agent: A program that keeps track of identity keys and passphrases. The SSH Agent is needed for Agent Forwarding. You can use SSH Agent to remember your SHH passphrase; therefore, you don’t need to type your passphrase each time you use your private key. This post does not cover passphrases.
SSH Agent Forwarding: A feature of SSH that allows an SSH server on the remote computer to use the client’s SSH Agent to access SSH keys on the local computer.
SSH Agent Setup Steps:
- Start the SSH Agent on your local computer
- Add your ssh leys to the agent
- Connect to the remote computer via SSH with forwarding turned on
In the example below I will share SSH keys with a remote computer to access a git repository.
- Verify the local computer has SSH access to Github using the
- SSH into the remote computer and verify it does not have access to Github. On the remote computer, we will receive a ‘permission denied’ error from Github because the remote computer does not have my SSH credentials.
- On the local computer, check if the SSH Agent is running by displaying the $SSH_AGENT_ID environment variable. If it’s running, the agent process ID will be displayed. If it’s not running, blank will be returned.
- On the local computer, start the SSH Agent using the
evalcommand. On success, the Agent process ID will be displayed.
- On the local computer, list SSH identifies assigned to the agent using
ssh-add -l. Since the SSH was just started, no identities will be returned.
- Add the SSH identities, aka SSH keys, defined in the ~/.ssh folder with
ssh-add. The ssh-add command will add all identified in the ~/.ssh folder by default. To add a specific identity, use the -T parameter.
- Verify the identities were add by running
- Reconnect to the remote computer with SSH and use the -A parameter to set Agent Forwarding on.
- On the remote computer, verify Github is now accessible.
Additional SSH Tip
You may have noticed in the demonstration above, the ssh command does not include an IP address or user name.
ssh pi3b vs. ssh firstname.lastname@example.org. This is accomplished by using an SSH config file in ./ssh/config:
Host pi3b HostName 192.168.1.10 User pi
SSH Config can also automatically set Agent forwarding for an SSH connection, removing the needs to pass -A with the SSH command.
Host pi3b HostName 192.168.1.10 User pi ForwardAgent yes
You can learn more about SSH Config in my post Easier SSH with Config.