
SSH agent forwarding allows you to use your private, local SSH key remotely without worrying about leaving confidential data on the server you are working with. It is built into ssh and is easy to set up and use.
What is an SSH agent?
Your SSH public key is similar to your username or identity and you can share it with anyone. Your private SSH key is like a password and is stored locally on your computer. But this is like storing your passwords on a note
However, this means that you'll have to enter your passphrase every time you need to use your private key, which gets annoying. To manage this, most SSH implementations use an agent which keeps your decrypted key in memory. This means you only need to unlock it once and it stays unlocked until you reboot, so you can securely log into your servers without re-entering a passphrase.
What is SSH Agent Forwarding?
SSH agent forwarding takes this one step further. For example, imagine you are connecting to a remote server and you want to git pull code that you store on GitHub. You want to use SSH authentication for GitHub, but you don't want your private key on that remote server, only on your computer.
To solve this problem, you can expose your local SSH agent to the remote server so that it can act on your behalf while you are connected. This does not send your private keys over the Internet, even in encrypted form; it just allows the remote server to ask your local SSH agent to prove your identity.
It works like this: you ask your remote server to fetch code from GitHub, and GitHub asks the server "who are you?". Usually the server would consult its own id_rsa file to answer, but instead it forwards the question to your local computer. Your local machine answers the question and sends the answer (which does not contain your private key) to the server, which passes it on to GitHub. GitHub doesn't care that your local computer answered the question; it just looks as if the server answered, and it lets you connect.
Enable SSH Agent Forwarding
On Mac and Linux, SSH agent forwarding is built into ssh and the ssh-agent process starts automatically. All you have to do is make sure your keys are added to ssh-agent and configure ssh for forwarding.
Add keys to ssh-agent
You can use the ssh-add utility to add keys to your local agent. Assuming your private key is stored in id_rsa, you can run the following:
ssh-add ~/.ssh/id_rsa
You can also pass a different key file in place of id_rsa. Check that the key was added correctly with:
ssh-add -L
If so, it should print the public key of each identity the agent holds.
Add keys on macOS
On macOS you should run this instead:
ssh-add -K ~/.ssh/id_rsa
The -K flag saves the key in the macOS keychain, which is necessary for your keys to be remembered across reboots.
Allow forwarding in your client configuration
Open the ~/.ssh/config file on your local machine, or create it if it does not exist. We are adding a new rule to ensure that agent forwarding is enabled for this server's domain:
Host example
    ForwardAgent yes
You must replace example with the domain name or IP address of your server. You could use the wildcard * for the host, but then you forward access to your private keys to every server you connect to, which is probably not what you want.
Depending on your operating system, you may also have configuration files at /etc/ssh/ssh_config on macOS or /etc/ssh_config on Ubuntu. These files can override the user configuration file at ~/.ssh/config, so make sure nothing conflicts. Lines beginning with # are comments and have no effect.
You can also manually enable agent forwarding for any host with ssh -A user@host, which bypasses all configuration files. If you want an easy forwarding method without touching any configuration, you can add alias ssh="ssh -A" to your bash settings, but this is the same as using a wildcard host, so we don't recommend it for anything security related.
Testing SSH forwarding
If you don't have two servers, the easiest way to test if SSH forwarding works is to add your public key from your local machine to your Github profile and try SSH from a remote server:
ssh git@github.com
If it worked, you should see your username, and you should be able to push and retrieve code from a repository without ever having private keys on the server.
Set up SSH forwarding for Windows clients
Since Windows is not a Unix operating system, setup depends on exactly how you run ssh in the first place.
If you use the Windows Subsystem for Linux, which lets you run bash on Windows, the setup is the same as on Linux or macOS, since it runs a full Linux distro to provide the command line.
If you use Git Bash, the setup is the same as on Linux, but you'll need to start ssh-agent manually when you start the shell, which you can do with a startup script in .bashrc.
If you use PuTTY, setup is quite easy. From the configuration, go to Connection > SSH > Auth and enable "Allow agent forwarding".
You can also add your private key file from the same panel. PuTTY will handle the SSH agent for you, so you don't have to fiddle with configuration files.
What to do if SSH forwarding does not work
Make sure you have SSH keys at all; if you don't, you can run ssh-keygen, which puts your private key in ~/.ssh/id_rsa and your public key in ~/.ssh/id_rsa.pub. Verify that your SSH keys work with normal authentication and add them to ssh-agent. You can add keys with ssh-add.
The ssh-agent process must also be running. On macOS and Linux it should start automatically, but you can check with:
echo "$SSH_AUTH_SOCK"
If it is set correctly, you will see the path of the agent's listening socket.
Check that your configuration files contain ForwardAgent yes for the host and make sure no other configuration file overrides this behavior. To see which configuration files SSH uses, run ssh in verbose mode:
ssh -v git@github.com
which shows which configuration files are read. Files that appear later in this list take precedence over earlier files.
And of course command line options take precedence over configuration files. If agent forwarding does not work with ssh -A and your keys are properly loaded in your agent, then something else is wrong and you should check your connection to the servers in the chain.
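As an added troubleshooting script (not from the original article), the following POSIX shell functions run the checks above in order: that SSH_AUTH_SOCK points at a real socket, that the agent holds keys, and that the effective client configuration for a host has ForwardAgent yes. It reads that last value from ssh -G, which prints the configuration ssh would actually use for a host after reading every config file, without opening a connection; the host name is an argument you supply.

```shell
#!/bin/sh
# Added example (not from the original article): troubleshooting checks for
# SSH agent forwarding. The host name is supplied by the caller.

# Check 1: the agent is reachable, i.e. SSH_AUTH_SOCK names an existing socket.
agent_socket_ok() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Check 2: the agent holds at least one key
# (ssh-add -L exits non-zero when the agent is empty or unreachable).
agent_has_keys() {
    ssh-add -L >/dev/null 2>&1
}

# Check 3a: read `ssh -G` output on stdin and succeed only if the effective
# configuration contains "forwardagent yes" (ssh -G prints lowercased keywords).
forwardagent_from_dump() {
    grep -q '^forwardagent yes$'
}

# Check 3b: ask ssh for the effective configuration of a host. -G resolves
# ~/.ssh/config and the system config without opening a connection.
forwardagent_enabled_for() {
    ssh -G "$1" 2>/dev/null | forwardagent_from_dump
}

# Run all checks for one host; print one line per check, return 1 on any failure.
check_forwarding() {
    host=$1; rc=0
    if agent_socket_ok; then echo "ok   agent socket: $SSH_AUTH_SOCK"
    else echo "FAIL SSH_AUTH_SOCK unset or not a socket: is ssh-agent running?"; rc=1; fi
    if agent_has_keys; then echo "ok   agent has keys loaded"
    else echo "FAIL no keys in agent: run ssh-add ~/.ssh/id_rsa"; rc=1; fi
    if forwardagent_enabled_for "$host"; then echo "ok   ForwardAgent yes is in effect for $host"
    else echo "FAIL ForwardAgent not enabled for $host: check ~/.ssh/config or use ssh -A"; rc=1; fi
    return $rc
}

# Usage: sh check_forwarding.sh github.com
if [ -n "${1:-}" ]; then check_forwarding "$1"; fi
```

Because ssh -G reports the value after all precedence rules have been applied, a FAIL on the third check means the Host block is not matching, whatever the individual config files say.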