SSH Agent Forwarding allows you to use your private, local SSH key remotely without worrying about leaving confidential data on the server you are working with. It is built into ssh and is easy to set up and use.
What is an SSH agent?
Your SSH public key is similar to your username or identity and you can share it with anyone. Your personal SSH key is like a password and is stored locally on your computer. But this is like storing your passwords on a note ̵
However, this means that you & # 39; I have to enter your passphrase every time you need to use your private key which gets annoying. To manage this, most SSH implementations will use a agent which will keep your decrypted key in memory. This means you only need to unlock it once and it will last until you reboot, so you can securely log into your servers without a passphrase.
What is SSH Agent Forwarding?
SSH agent forwarding is like going deeper. For example, imagine you are connecting to a remote server and you want git pull a code that you store on Github. You want to use SSH authentication for Github, but you don't want your private keys on that remote server, just your computer.
To fix this problem, you can open your local SSH agent to the remote server so that it can behave while you are connected. This will not send your private keys over the Internet, even if they are encrypted; it just allows a remote server to access your local SSH agent and verify your identity.
It works like this: you ask your remote server to get code from Github, and Github says "who are you?" to the server. Usually the server consults its own id_rsa files to answer, but instead forwards the question to your local computer. Your local machine answers the question and sends the answer (which does not contain your private key) to the server, which sends it back to Github. Github doesn't care that your local computer answered the question, it just looks like it answered and lets you connect.
Enable SSH Agent Forwarding
On Mac and Linux, SSH agent forwarding is built into ssh and the process ssh agent starts automatically. All you have to do is make sure your keys are added to ssh agent and configure ssh for forwarding.
Add keys to ssh agent
You can use the utility ssh-add to add keys to your local agent. Assuming your private key is stored in id_rsa you can run the following:
ssh-add ~ / .ssh / id_rsa
You can also paste the key manually instead of id_rsa . Check if the key is added correctly with:
ssh-add -L
If so, it should spit out your key.
Add keys on macOS
On macOS you should run instead:
ssh-add -K ~ / .ssh / id_rsa
The flag -K saves the key in the macOS keychain, which is necessary to remember your keys by restarting. [19659013] Allow forwarding in your customer's configuration
Open your ~ / .ssh / config file on your local machine or create a new file if it is empty. We are setting up a new rule to ensure that agent forwarding is enabled for this server's domain:
Example host ForwardAgent yes
You must replace example with the domain name or IP address of your server. You can use the wildcard * for the host, but then you forward access to your private keys to every server you connect to, which is probably not what you want.
Depending on your operating system, you may also have configuration files on / etc / ssh / ssh_config for macOS or / etc / ssh_config for Ubuntu. These files can overwrite the user configuration file at ~ / .ssh / config so make sure nothing conflicts. Lines beginning with # are omitted and have no effect.
You can also manually enable agent forwarding for any domain using ssh -A user @ host which bypasses all configuration files. If you want an easy forwarding method without touching any configuration, you can add alias ssh = "ssh -A" to your bash settings, but this is the same as using a wildcard host, so we don't recommend it for anything security related.
Testing SSH forwarding
If you don't have two servers, the easiest way to test if SSH forwarding works is to add your public key from your local machine to your Github profile and try SSH from a remote server:
ssh git@github.com
If it worked, you should see your username, and you should be able to push and retrieve code from a repository without ever having private keys on the server.
Set up SSH forwarding for Windows clients
Since Windows is not a Unix operating system, installation depends on exactly how you work ssh First of all.
If you use the Linux subsystem for Windows, which allows you to run bash on Windows, the setup will be the same as on Linux or macOS, since it fully virtualizes a Linux distro to run the command line.
If you use Git Bash, the setup is the same as on Linux, but you & # 39; ll will need to start ssh agent manually when you start the shell, which you can do with a startup script in .bashrc .
If you use PuTTY, setup is quite easy. From the configuration, go to Connection> SSH> Auth and enable "Allow Agent Forwarding".
You can also add your private key file from the same panel. PuTTY will handle the SSH agent for you, so you don't have to fiddle with configuration files.
What to do if SSH forwarding does not work
Make sure you have SSH keys at all; if you don't, you can run ssh-keygen which puts your private key in ~ / .ssh / id_rsa and your public key in ~ / .ssh / id_rsa.pub "19459010unette. {19659006" Verify that your SSH keys are working correctly with normal authentication and add them to ssh agent . You can add keys with ssh-add .
The ssh agent process must also be running. On macOS and Linux it should start automatically, but you can check if it works with:
echo "$ SSH_AUTH_SOCK"
If set correctly, you will see a Listeners socket returned.
Check if your configuration files are set correctly to contain ForwardAgent yes and make sure no other configuration files override this behavior. To check which configuration files SSH uses, you can run ssh in extended mode:
ssh -v git@github.com
Which should show which configuration files are used. Files that appear later in this list take precedence over previous files.
And of course command line options take precedence over configuration files. If agent forwarding does not work with ssh -A and your keys are properly configured in your agent, then something else is wrong and you should check your connection to the servers in the chain.
Source link
