BrandonChecketts.com

Web Programming, Linux System Administration, and Entrepreneurship in Athens, Georgia

SSH Agent Forwarding – An Underutilized Essential Tool

Mon, 03/02/2026 - 17:22

SSH Agent Forwarding is a magical feature of SSH, and I see too many people who don’t understand it or know how it works.

Using an SSH Key for authentication is superior to a password for many reasons. But it gets more complicated when you SSH from one machine, and then want to SSH from that machine to another, including for something like cloning a GitHub repository. I very frequently have this situation where I SSH from my machine to a remote server, then want to perform a git pull on that remote machine.

If you attempt to do this without agent forwarding, you have to copy your private key to the remote machine. Then from that machine, you can authenticate to GitHub since your keys are in place there. That’s cumbersome, and it’s not a great idea to put your private key on a machine that could be exploited. You should always keep your private key private!

Agent Forwarding allows you to avoid putting your private key on the intermediate machine. It essentially opens a tunnel between the remote machine and your local machine, so that authentication requests can talk to an SSH agent running on your local machine to perform the cryptographic authentication.

You create an SSH key as you normally would using the ssh-keygen command. Your private key is stored in ~/.ssh/id_ed25519 by default. You then load it into your SSH agent using the ssh-add command, like:

ssh-add ~/.ssh/id_ed25519

That will prompt for your passphrase if you have one. If successful, the agent stays running and keeps your private key unencrypted in memory. You can run the ssh-add -l command (-l for “list”) to see the keys that it has loaded:

14:15 $ ssh-add -l
256 SHA256:3W+i4HXlwABCdefgHIJKLMNPQRSTtRjynjRcmbgO2Jk brandon+2023@mymachine (ED25519)
256 SHA256:abcDEFghiJKLmnoPQRstuVWX/cPz2mYZZZe+xU78Ins brandon+2025@mymachine (ED25519)

Then, when you want to connect to a remote machine and forward your SSH agent, you use the -A command-line argument:

ssh brandon@remote-machine -A

You can confirm that this is working on the remote machine with ssh-add -l again. If working properly, it will list the same SSH keys as when you ran it locally. When working, you can then ssh to other machines or use SSH to authenticate to GitHub to check out packages. You can even forward from a remote machine to another machine beyond it, tunneling the agent through multiple intermediaries.

One Warning

Don’t use agent forwarding to remote machines that you don’t control or that may be compromised. Someone who can log in as you, or root, on a remote machine could potentially use your forwarded agent to authenticate as you to other machines.
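One way to act on this warning, as an added example that is not from the original post: ForwardAgent is the ssh_config option that does persistently what -A does for one connection, and this script lists the blocks of a config that turn it on, marking global and wildcard ones. The function names, host names and sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example. Reads ssh_config text on stdin and prints "<risk><TAB><block>"
# for every block that turns agent forwarding on.
#   broad  = global section, or a Host pattern containing * or ?
#   scoped = Host block naming specific hosts only
#   review = Match block (its criteria are evaluated at connect time)
# It flags blocks; it does not resolve which value wins for a particular host.
audit_forward_agent() {
  awk '
    function report() { if (fwd) print risk "\t" block }
    BEGIN { block = "(global)"; risk = "broad" }
    {
      sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")
      if ($0 == "" || $0 ~ /^#/ || !match($0, /^[A-Za-z]+/)) next
      key = tolower(substr($0, 1, RLENGTH))
      rest = substr($0, RLENGTH + 1)
      sub(/^[ \t]*=?[ \t]*/, "", rest)     # accepts "Key value" and "Key=value"
      if (key == "host" || key == "match") {
        report()                           # close the previous block
        block = $0; fwd = 0; seen = 0
        risk = (key == "match") ? "review" : (rest ~ /[*?]/ ? "broad" : "scoped")
      } else if (key == "forwardagent" && !seen) {
        seen = 1                           # ssh uses the first value it obtains
        gsub(/"/, "", rest); split(rest, v, /[ \t]+/)
        fwd = (tolower(v[1]) != "no")      # yes, a socket path or $VAR all forward
      }
    }
    END { report() }
  '
}

# Constructed sample config; the host names are placeholders.
sample_config() {
  cat <<'EOF'
Host deploy.example.com
    User brandon
    ForwardAgent yes
Host legacy.example.com
    forwardagent=no
Host *.example.net
    ForwardAgent yes
Host *
    ForwardAgent no
EOF
}

sample_config | audit_forward_agent
```

To check a real configuration, run audit_forward_agent < ~/.ssh/config and confirm that every reported block covers only machines you control.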
