SSH ForwardAgent multiple hops


To have agent forwarding work through multiple hops you simply need to adjust your client configuration on each intermediate system so that agent forwarding is enabled.

It could be as simple as making sure your /etc/ssh/ssh_config has this configured. But if you have per-client configs in ~/.ssh/config you may need to adjust those settings as well.

Host *
    ForwardAgent yes

You can see if agent forwarding happened or if there was an error if you just add the -v option.

$ ssh -v issc@server1
OpenSSH_5.9p1 Debian-5ubuntu1.1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /home/zoredache/.ssh/config
...
debug1: Requesting authentication agent forwarding.
debug1: Sending environment.
Linux server1 3.11-0.bpo.2-amd64 #1 SMP Debian 3.11.8-1~bpo70+1 (2013-11-21) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Dec 15 20:39:44 2013 from 10.2.4.243
issc@server1:~$

Also verify you have a valid environment variable set.

issc@server1:~$ export | grep SSH_AUTH
declare -x SSH_AUTH_SOCK="/tmp/ssh-7VejOmKtNv/agent.57943"
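An added example, not part of the original answer: since ssh_config keeps the first value it obtains for an option, a catch-all "Host *" block placed above a host-specific one decides ForwardAgent for every host, including ones you would not want holding your agent socket. This small POSIX sh function works out the effective value for a host from ssh_config-style text; the parser is simplified (one "Keyword value" per line, glob patterns only, no negated patterns or Match blocks), and the hostnames server2 and untrusted.example and the two config samples are constructed.

```shell
#!/bin/sh
# Added example (not the original answer's code): report the ForwardAgent
# value ssh would apply to HOST, given ssh_config-style text. Simplified:
# "Keyword value" lines, glob Host patterns, no "!" patterns, no Match blocks.

# effective_forward_agent HOST CONFIG_TEXT -> prints yes|no
effective_forward_agent() {
  host="$1"
  conf="$2"
  match=0        # options before any Host line apply to every host
  result=""
  while IFS= read -r line; do
    line="${line#"${line%%[![:space:]]*}"}"   # strip leading blanks
    case "$line" in
      ''|'#'*) continue ;;
      Host\ *)
        match=1
        set -f                           # patterns must not hit the filesystem
        for pat in ${line#Host }; do
          case "$host" in $pat) match=0; break ;; esac
        done
        set +f
        ;;
      ForwardAgent\ *)
        # first matching block wins; later blocks cannot override it
        if [ -z "$result" ] && [ "$match" -eq 0 ]; then
          result="${line#ForwardAgent }"
        fi
        ;;
    esac
  done <<EOF
$conf
EOF
  printf '%s\n' "${result:-no}"         # ssh's built-in default is no
}

# Constructed sample: forward the agent only to the two hops of the chain.
SCOPED_CONF='
Host server1 server2
    ForwardAgent yes

Host *
    ForwardAgent no
'
# Constructed sample with the blocks reversed: the catch-all comes first, so
# the later "no" never takes effect and every host receives the agent.
BROAD_CONF='
Host *
    ForwardAgent yes

Host untrusted.example
    ForwardAgent no
'
effective_forward_agent server1 "$SCOPED_CONF"             # yes
effective_forward_agent untrusted.example "$SCOPED_CONF"   # no
effective_forward_agent untrusted.example "$BROAD_CONF"    # yes (first match wins)
```

Feed the function the contents of ~/.ssh/config followed by /etc/ssh/ssh_config to see the value ssh will actually use on a given hop.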

Author: bstar

Updated on September 18, 2022

Comments

  • bstar
    bstar almost 2 years

    Somewhat new to coding, trying to get LEDs to light up using an array. Already my first 2 lines of code are not working. When compiling it says the integer expression must be constant? Can anyone explain why and how I can fix it?

    const int size = 8;
    
    int led[size] = {BIT0, BIT1, BIT2, BIT3, BIT4, BIT5, BIT6, BIT7};
    
    • gertvdijk
      gertvdijk over 10 years
      Consider using ProxyCommand hopping (as explained here) instead of forwarding the SSH agent. For your approach you'll have to trust all machines in the chain because they can (ab)use your private keys. I also like the ProxyCommand approach a lot better because the known hosts check is done locally, and moreover, you can set up the chain in your SSH config so you can use a single command to connect to C.
    • liquidity
      liquidity over 10 years
      I unfortunately can't use a proxyCommand. Despite the security considerations, I really need to use forwardAgent.
    • grep
      grep almost 6 years
      @liquidity can I ask you why don't you want to use proxyCommand? I have the same problem and as I understand proxyCommand is more secure. So I'm thinking which one to use..
  • dmourati
    dmourati over 10 years
    Worth mentioning the -A flag to ssh as a quick and dirty alternative to the ssh_config or ~/.ssh/config option. -A [e]nables forwarding of the authentication agent connection.
  • Steve Townsend
    Steve Townsend over 10 years
    At each step, you can use ssh-add -l to list the keys that ssh thinks it can get at via your agent. Make sure you're forwarding it on each connection!
  • 2upmedia
    2upmedia over 4 years
    Thanks! Also note that if everything's done correctly you won't have to manually start the ssh-agent on the last server. It will start automatically if you see the line Requesting authentication agent forwarding. in your debug output. If you tried via .bash_profile to start ssh-agent, remove it from there or else your agent will start again without any identities.