Ssh – How to enable key forwarding with ssh-agent

forwardingpublic-keysshssh-agent

I've used the ssh-agent from oh-my-zsh to manage my SSH key. So far, so good, i only have to type the passphrase for my private key once when I start my shell and public key authentication works great.

The problem is however that key forwarding doesn't work. There are 2 servers A & B which I can use public key to login. When I ssh into A then from there ssh into B, I must provide my password, which should not be the case.

A is a CentOS 5.6 box, B is an Ubuntu 11.04 box. I have this on my local .ssh/config:

Host *
    ForwardAgent yes

OpenSSH on A is standard openssh 4.3 package provided by CentOS. I also enable ForwardAgent for ssh client on A, but forwarding still doesn't work.

Best Answer

Make sure AllowAgentForwarding is set to yes on the servers (sshd_config).

My guess is you are missing that.

Also forwarding is only on openssh 5.1+ So make sure you are running a valid version

Related Solutions

Ssh-agent forwarding and sudo to another user

As you mentioned, the environment variables are removed by sudo, for security reasons.

But fortunately sudo is quite configurable: you can tell it precisely which environment variables you want to keep thanks to the env_keep configuration option in /etc/sudoers.

For agent forwarding, you need to keep the SSH_AUTH_SOCK environment variable. To do so, simply edit your /etc/sudoers configuration file (always using visudo) and set the env_keep option to the appropriate users. If you want this option to be set for all users, use the Defaults line like this:

Defaults    env_keep+=SSH_AUTH_SOCK

man sudoers for more details.

You should now be able to do something like this (provided user1's public key is present in ~/.ssh/authorized_keys in user1@serverA and user2@serverB, and serverA's /etc/sudoers file is setup as indicated above):

user1@mymachine> eval `ssh-agent`  # starts ssh-agent
user1@mymachine> ssh-add           # add user1's key to agent (requires pwd)
user1@mymachine> ssh -A serverA    # no pwd required + agent forwarding activated
user1@serverA> sudo su - user2     # sudo keeps agent forwarding active :-)
user2@serverA> ssh serverB         # goto user2@serverB w/o typing pwd again...
user2@serverB>                     # ...because forwarding still works

Ssh – What part of SSH forwarding sets up SSH_AUTH_SOCK

On my Mac with OS 10.6.x I found that agent forwarding didn't work until I added my key to the Apple keychain, with the following:

ssh-add -K ~/.ssh/id_rsa

where ~/.ssh/id_rsa contains my private ssh key

I've a blog entry about setting up ssh host configuration entries to simplify ssh command-lines that may be of interest

Best Answer

Related Solutions

Ssh-agent forwarding and sudo to another user

Ssh – What part of SSH forwarding sets up SSH_AUTH_SOCK

Related Topic