Psychz - Swarup
Votes: 0 Posted On: Feb 23, 2018 04:39:59
Hi!
SSH agent forwarding is a way of communicating with SSH agents on remote machines. To understand SSH agent forwarding, we should first have a brief understanding of SSH keys and SSH agent.
SSH Agent
SSH Agent is a program that stores the private keys of the SSH client and responds at the time of SSH authentication. As we know, SSH keys are a pair of a public and a private key. The public key is stored on the remote host and the private key on the local host. When you try to connect to a remote host, the remote host tries to authenticate you and a passphrase is required every time.
SSH Agent is simply a tool that saves you the hassle of typing in a passphrase each time you try to connect to a remote server. It does so by caching the private keys and handling the authentication part of SSH for the SSH client. You can start the SSH agent every time you want to connect to a remote host, or you can configure it to run automatically. You should run the SSH agent in your current login session before you run the SSH client.
You can run either of the following commands to start the SSH agent.
1. ssh-agent $SHELL
Here "$SHELL" is the name of the login shell of your current login session. You can enter the names of environment variables such as bash, ksh, csh among others in accordance with your login shell.
2. You can also use the following command.
eval "$(ssh-agent)"
Adding Keys to SSH Agent
Once you have started the SSH agent, the next step is to add the private key to the SSH agent. You can do so by running the following command. The identities of the keys are cached into the SSH agent.
ssh-add
If you have multiple keys, you can add arguments along with the "ssh-add" command. For example - "ssh-add1" can add the first private key. If you do not add any argument, the default key is added.
Deleting keys from SSH agent
The key identities can be deleted from SSH agent by running the following command.
ssh-add -d path_of_the_key
(If you want to delete all the identities use the "-D" argument.)
Agent Forwarding
Since we now have a basic understanding of the SSH agent, let us move on to SSH agent forwarding. As we know, the SSH client interacts with the SSH agent for authentication purposes on the local machine. However, under some conditions, the SSH client can also interact with the SSH agent on the remote machine. Let us explain it with an example.
1. Suppose we are sitting at a computer L and want to SSH into a remote server R. The SSH agent installed on L will authenticate the connection with the private key stored on L.
2. Now let us suppose that, sitting at location L, we want to copy a file from R to another server P. When we try to do that, the SSH agent at L successfully carries out its function and establishes a connection from L to R, but the connection from R to P is not established, as R does not have the private key of L. This situation can be easily dealt with by SSH agent forwarding.
Enabling Agent Forwarding
When agent forwarding is enabled, the remote server R acts as an SSH agent. The local machine L sends a request to the remote server for turning ON agent forwarding. When the request is accepted, the remote machine R acts as an SSH agent. When R wants to set up a connection with P, P interprets R as an SSH agent and establishes a connection. There are some options for turning agent forwarding ON.
1. The SSH configuration file is stored in "~/.ssh/config". Change the parameter "ForwardAgent" contained in the configuration file to "yes".
2. You can use the command line to enable agent forwarding.
ssh -o "ForwardAgent yes" user@R
Security concerns regarding agent forwarding
Agent forwarding is a very common process for many server-related activities like server deployment. During agent forwarding, the private key of the local machine does not appear on the remote server. A user accessing the remote server cannot obtain the private key of the local machine.
However, agent forwarding is not recommended as it comes with a slight security risk. All the information regarding the keys is forwarded to the remote host, and any user with the right privileges can use the authentication information to access the connection. Hence, it is not advised to implement agent forwarding unless you trust the remote server completely.
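
An added example, not part of the original post: a shell check that lists which Host blocks in an OpenSSH client configuration turn on the "ForwardAgent" parameter, and marks wildcard or global entries as BROAD, since the post advises forwarding only to servers you trust completely. The function names and the sample hosts are constructed for illustration, and the check does not follow Include directives.

```shell
#!/bin/sh
# Added example: audit an ssh client config for agent forwarding.
# Reads the files given as arguments, or standard input if none.
# Prints "<risk><TAB><Host pattern>" for every block that enables forwarding.
audit_forward_agent() {
    awk '
        BEGIN { scope = "(global)"; broad = 1 }   # before any Host line = all hosts
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^#/ || /^$/ { next }
        match($0, /^[A-Za-z]+/) {
            key = tolower(substr($0, 1, RLENGTH))  # keywords are case-insensitive
            val = substr($0, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val)        # accept "Key value" and "Key=value"
            gsub(/"/, "", val)
            if (key == "host" || key == "match") {
                scope = val
                broad = (val ~ /[*?]/ || (key == "match" && tolower(val) == "all"))
                next
            }
            # Any value other than "no" (yes, a socket path, a variable) forwards
            if (key == "forwardagent" && tolower(val) != "no")
                printf "%s\t%s\n", (broad ? "BROAD" : "scoped"), scope
        }
    ' "$@"
}

# Succeeds when forwarding is enabled for a wildcard or global scope.
has_broad_forwarding() {
    audit_forward_agent "$@" | grep -q '^BROAD'
}

# Constructed sample configuration (hypothetical hosts, not from the post).
sample_config() {
    cat <<'EOF'
# Constructed sample for this example
Host R.example.com
    ForwardAgent yes
Host P.example.com
    ForwardAgent = no
Host *
    forwardagent yes
EOF
}

sample_config | audit_forward_agent
```

Run it against a real file with `audit_forward_agent ~/.ssh/config`; a BROAD line means the agent is offered to every host the pattern matches, not only to R.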