As you mentioned, the environment variables are removed by sudo, for security reasons. But fortunately sudo is quite configurable: you can tell it precisely which environment variables you want to keep thanks to the env_keep configuration option in /etc/sudoers.
For agent forwarding, you need to keep the SSH_AUTH_SOCK environment variable. To do so, simply edit your /etc/sudoers configuration file (always using visudo) and set the env_keep option for the appropriate users. If you want this option to be set for all users, use the Defaults line like this:

Defaults env_keep+=SSH_AUTH_SOCK

See man sudoers for more details.
You should now be able to do something like this (provided user1's public key is present in ~/.ssh/authorized_keys in user1@serverA and user2@serverB, and serverA's /etc/sudoers file is set up as indicated above):
user1@mymachine> eval `ssh-agent` # starts ssh-agent
user1@mymachine> ssh-add # add user1's key to agent (requires pwd)
user1@mymachine> ssh -A serverA # no pwd required + agent forwarding activated
user1@serverA> sudo su - user2 # sudo keeps agent forwarding active :-)
user2@serverA> ssh serverB # goto user2@serverB w/o typing pwd again...
user2@serverB> # ...because forwarding still works
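To verify the two things this answer depends on, here is an added shell example (not part of the answer above): it audits a sudoers file for an env_keep entry that names SSH_AUTH_SOCK, and checks from inside a shell whether a forwarded agent socket is actually reachable. The function names and the sample sudoers contents described in the comments are my own assumptions.

```sh
#!/bin/sh
# Added example: audit a sudoers file for an env_keep entry that preserves
# SSH_AUTH_SOCK, and check whether a forwarded agent socket is usable here.

# sudoers_keeps_agent_sock FILE
# Returns 0 if FILE contains a Defaults line whose env_keep list (either
# "env_keep = ..." or "env_keep += ...") names SSH_AUTH_SOCK as a whole word.
# Comments are stripped first, so a commented-out line does not count.
# One env_keep assignment per line is assumed, as in the answer's example;
# "env_keep -= ..." removals and list ordering are not evaluated.
sudoers_keeps_agent_sock() {
    sed 's/#.*//' "$1" |
        grep -E '^[[:space:]]*Defaults' |
        grep -E 'env_keep[[:space:]]*\+?=' |
        sed -E 's/.*env_keep[[:space:]]*\+?=[[:space:]]*//; s/"//g' |
        tr ' \t,' '\n\n\n' |
        grep -qx 'SSH_AUTH_SOCK'
}

# agent_forwarding_active
# Returns 0 if SSH_AUTH_SOCK is set, points at a socket, and that socket is
# writable by the current user. After "sudo su - user2" this is the check
# that tells you whether the forwarded agent survived the switch.
agent_forwarding_active() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ] && [ -w "$SSH_AUTH_SOCK" ]
}

# Usage: sh audit.sh /etc/sudoers   (runs only when a file argument is given)
if [ "$#" -gt 0 ]; then
    if sudoers_keeps_agent_sock "$1"; then
        echo "$1: env_keep preserves SSH_AUTH_SOCK"
    else
        echo "$1: sudo will drop SSH_AUTH_SOCK (add: Defaults env_keep+=SSH_AUTH_SOCK)"
    fi
    if agent_forwarding_active; then
        echo "agent socket reachable: $SSH_AUTH_SOCK"
    else
        echo "no usable agent socket in this shell"
    fi
fi
```

Run it as user1 before and after the sudo step: if the second check fails only after the switch, the sudoers entry is what is missing.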
You can have as many keys as you desire. It's good practice to use separate private/public key sets for different realms anyway, like one set for your personal use, one for your work, etc.
First, generate two separate keypairs, one for home and one for work:
ssh-keygen -t rsa -f ~/.ssh/id_rsa.home
ssh-keygen -t rsa -f ~/.ssh/id_rsa.work
Next, add an entry to your ~/.ssh/config file to pick the key to use based on the server you connect to:
Host home
    Hostname home.example.com
    IdentityFile ~/.ssh/id_rsa.home
    User <your home acct>

Host work
    Hostname work.example.com
    IdentityFile ~/.ssh/id_rsa.work
    User <your work acct>
Next, append the contents of your id_rsa.work.pub into ~/.ssh/authorized_keys on the work machine, and do the same for the home key on your home machine. Then when you connect to the home server you use one of the keys, and when you connect to the work server you use the other.

Note you probably want to add both keys to your ssh-agent so you don't have to type your passphrase all the time.
Best Answer
You can use the AuthorizedKeysFile directive in /etc/ssh/sshd_config to do this. The default location is .ssh/authorized_keys, but you could use something which contained an absolute path, e.g. the man page says this