SSH Agent Forwarding – An Underutilized Essential Tool
SSH Agent Forwarding is a magical feature of SSH that, in my experience, too many people either don’t understand or don’t know how it works.
Using an SSH Key for authentication is superior to a password for many reasons. But it gets more complicated when you SSH from one machine, and then want to SSH from that machine to another, including for something like cloning a GitHub repository. I very frequently have this situation where I SSH from my machine to a remote server, then want to perform a git pull on that remote machine.
If you attempt to do this without agent forwarding, you would have to copy your private key to the remote machine. Then from that machine you can authenticate to GitHub, since your key is in place there. That’s cumbersome, and putting your private key on a machine that could be compromised is not a great idea. You should always keep your private key private!
Agent forwarding allows you to avoid putting your private key on the intermediate machine. It essentially opens a tunnel between the remote machine and your local machine, so that authentication requests from the remote machine can talk to the SSH agent running on your local machine, which performs the cryptographic part of the authentication.
You create an SSH key as you normally would using the ssh-keygen command. Your private key is stored in ~/.ssh/id_ed25519 by default. You then load that key into your SSH agent using the ssh-add command, like:
ssh-add ~/.ssh/id_ed25519

That will prompt for your passphrase if you have one. If successful, the agent stays running in memory and keeps your private key there unencrypted. You can run the ssh-add -l command (-l for “list”) to see the keys it has loaded:

14:15 $ ssh-add -l
256 SHA256:3W+i4HXlwABCdefgHIJKLMNPQRSTtRjynjRcmbgO2Jk brandon+2023@mymachine (ED25519)
256 SHA256:abcDEFghiJKLmnoPQRstuVWX/cPz2mYZZZe+xU78Ins brandon+2025@mymachine (ED25519)

Then when you want to connect to a remote machine and forward your SSH agent, you use the -A command-line argument:
ssh brandon@remote-machine -A

You can confirm that this is working on the remote machine by running ssh-add -l again. If forwarding is working properly, it will list the same SSH keys as when you ran it locally. From there you can ssh to other machines or use SSH to authenticate to GitHub to check out packages. You can even forward from the remote machine to another machine beyond it, tunneling the agent through multiple intermediaries.
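The check described above (run ssh-add -l on the remote side and compare with the local listing) can be scripted. The following is an added example, not code from the original post; it assumes OpenSSH’s ssh-add, its -l listing format, and its exit codes (0 when keys are listed, 1 when the agent has no identities, 2 when the agent cannot be contacted). The sample listing is constructed from the post’s own output so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): helpers to verify that a
# forwarded agent is reachable on the remote machine and that it exposes
# the same keys as the local agent. Assumes OpenSSH's ssh-add, its "-l"
# listing format and its exit codes (0 = keys listed, 1 = no identities,
# 2 = cannot contact the agent).

# Listing constructed from the post's own "ssh-add -l" output, for offline use.
SAMPLE_LISTING='256 SHA256:3W+i4HXlwABCdefgHIJKLMNPQRSTtRjynjRcmbgO2Jk brandon+2023@mymachine (ED25519)
256 SHA256:abcDEFghiJKLmnoPQRstuVWX/cPz2mYZZZe+xU78Ins brandon+2025@mymachine (ED25519)'

# Print only the SHA256 fingerprints from an "ssh-add -l" listing on stdin.
agent_fingerprints() {
    awk '$2 ~ /^SHA256:/ { print $2 }'
}

# Count loaded keys in a listing on stdin (prints 0 when the agent answered
# "The agent has no identities.").
count_agent_keys() {
    grep -c -E '^[0-9]+ SHA256:' || :
}

# Classify the agent situation from $SSH_AUTH_SOCK ($1) and the exit status
# of "ssh-add -l" ($2): "no-agent", "unreachable", "empty" or "ready".
agent_state() {
    sock="$1"; rc="$2"
    if [ -z "$sock" ]; then echo no-agent
    elif [ "$rc" -eq 2 ]; then echo unreachable
    elif [ "$rc" -eq 1 ]; then echo empty
    else echo ready
    fi
}

# Succeed only if two listings ($1 local, $2 remote) contain the same
# non-empty set of fingerprints, which is what working forwarding looks like.
same_key_set() {
    a=$(printf '%s\n' "$1" | agent_fingerprints | sort)
    b=$(printf '%s\n' "$2" | agent_fingerprints | sort)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Live check when run on a machine that has ssh-add; skipped otherwise so
# the script still runs offline.
if command -v ssh-add >/dev/null 2>&1; then
    rc=0
    listing=$(ssh-add -l 2>/dev/null) || rc=$?
    echo "agent: $(agent_state "${SSH_AUTH_SOCK:-}" "$rc"), keys: $(printf '%s\n' "$listing" | count_agent_keys)"
fi
```

On the remote machine, an "unreachable" or "no-agent" result usually means the connection was made without -A (or the server disallows forwarding), while "empty" means the tunnel works but nothing has been loaded with ssh-add locally. Feeding same_key_set the local and remote listings turns the "same keys as locally" check into a pass/fail exit status you can use in a setup script.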
One Warning

Don’t use agent forwarding to remote machines that you don’t control or that may be compromised. Someone who can log in as you, or as root, on the remote machine could potentially use your forwarded agent to authenticate as you to other machines.
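One way to keep that warning enforceable is to check which hosts your client configuration actually forwards the agent to. The script below is an added example, not the post’s code; it assumes OpenSSH’s ssh -G host (which prints the effective configuration for a host, one "option value" per line, without connecting) and its ForwardAgent option. The host names and the two config excerpts are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): report which hosts your
# client config forwards the agent to, so forwarding stays limited to
# machines you control. Assumes OpenSSH's "ssh -G host" output format and
# its ForwardAgent option; host names below are placeholders.

# Constructed "ssh -G" excerpts for two hypothetical hosts.
TRUSTED_HOST_CONFIG='user brandon
hostname remote-machine.example
forwardagent yes
port 22'
UNTRUSTED_HOST_CONFIG='user brandon
hostname shared-box.example
forwardagent no
port 22'

# Read "ssh -G" output on stdin and print the effective ForwardAgent value.
forward_agent_setting() {
    awk '$1 == "forwardagent" { print $2; exit }'
}

# Given a host's effective config ($1) and whether you control it ($2: yes/no),
# print "ok" or flag the combination the post warns about.
assess_forwarding() {
    setting=$(printf '%s\n' "$1" | forward_agent_setting)
    if [ "$setting" = "yes" ] && [ "$2" != "yes" ]; then
        echo "risky: agent forwarded to an uncontrolled host"
    else
        echo ok
    fi
}

# Live audit of the hosts given as arguments; skipped when ssh is absent.
audit_hosts() {
    command -v ssh >/dev/null 2>&1 || return 0
    for h in "$@"; do
        printf '%s forwardagent=%s\n' "$h" "$(ssh -G "$h" 2>/dev/null | forward_agent_setting)"
    done
}

assess_forwarding "$TRUSTED_HOST_CONFIG" yes
assess_forwarding "$UNTRUSTED_HOST_CONFIG" no
audit_hosts "$@"
```

A practical arrangement is to leave ForwardAgent at its default of no and enable it only inside Host stanzas in ~/.ssh/config for machines you control, so -A is never needed on an ad-hoc connection to a shared box. Loading keys with ssh-add -c makes the local agent ask for confirmation before each use, which turns an unexpected request from a forwarded agent into something you notice. When the goal is only to reach a machine behind an intermediary, ssh -J (ProxyJump) gets you there without exposing the agent on the intermediary at all.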
The post SSH Agent Forwarding – An Underutilized Essential Tool appeared first on Brandon Checketts.
HTTP Archive New Leadership
I announced the HTTP Archive six years ago. Six years ago! It has exceeded my expectations and its value continues to grow. In order to expand the vision, I’ve asked Ilya Grigorik, Rick Viscomi, and Pat Meenan to take over leadership of the project.
The HTTP Archive is part of the Internet Archive. The code and data are open source. The project is funded by our generous sponsors: Google, Mozilla, New Relic, O’Reilly Media, Etsy, dynaTrace, Instart Logic, Catchpoint Systems, Fastly, SOASTA mPulse, and Hosting Facts.
From the beginning, Pat and WebPageTest made the HTTP Archive possible. Ilya and Rick will join Pat to make the HTTP Archive even better. A few of the current items on the agenda:
- Enrich the collected data during the crawl: detect JavaScript libraries in use on the page, integrate and capture Lighthouse audits, feature counters, and so on.
- Build new analysis pipelines to extract more information from the past crawls
- Provide better visualizations and ways to explore the gathered data
- Improve code health and overall operation of the full pipeline
- … and lots more – please chime in with your suggestions!
Since its inception, the HTTP Archive has become the go-to source for objective, documented data about how the Web is built. Thanks to Ilya, that data was brought to BigQuery so the community can perform their own queries and follow-on research. It’s a joy to see the data and graphs from the HTTP Archive used on a daily basis in tech articles, blog posts, tweets, etc.
I’m excited about this next phase for the HTTP Archive. Thank you to everyone who helped get the HTTP Archive to where it is today. (Especially Stephen Hay for our awesome logo!) Now let’s make the HTTP Archive even better!