SSH agent forwarding allows you to use your local SSH keys on a remote server without physically copying them to the server.

• It works by forwarding requests from the SSH client on the server back to your local machine’s SSH agent.

SSH agent forwarding is built into ssh, and the ssh-agent process is launched automatically.

• Just make sure the keys are added to ssh-agent and configure ssh to use forwarding.

To enable SSH agent forwarding, use the -A option with the ssh command when connecting to your remote server.

ssh -A user@host

Use the utility ssh-add to add keys to the local agent.

Assuming the private key is stored in id_rsa, run:

ssh-add ~/.ssh/id_rsa

ssh-add -L

Edit the ~/.ssh/config file on the local machine, or make a new one if it is empty.

Set a new rule to make sure agent forwarding is enabled for the domain of this server.

~/.ssh/config

Host <example>
ForwardAgent yes

If SSH Forwarding is not working,

• Make sure you actually have SSH keys in the first place; if you do not, run ssh-keygen, which will place the private key in ~/.ssh/id_rsa and the public key in ~/.ssh/id_rsa.pub.
• Verify that the SSH keys are working properly with regular auth, and add them to ssh-agent. Keys can be added with ssh-add.
• The ssh-agent process also needs to be running. It should start automatically, but verify that it is running with:

  echo "$SSH_AUTH_SOCK"

• If it is correctly set up, this should display a Listeners socket returned.
• Make sure the config files are set up properly to include ForwardAgent yes, and make sure no other config files are overwriting this behaviour.
• To check which config files SSH is using, run ssh in verbose mode, Which should display which config files are being used. Files displayed later in this list take precedence over earlier files:

  ssh -v user@host

TAGS

• TAG: Networking
• TAG: Security
• TAG: SSH