Agent Forwarding
SSH Agent Forwarding allows private keys stored on a local machine to be used when connecting to multiple remote servers. This feature is particularly useful in environments where access to internal systems requires connecting through an intermediate server, such as a bastion or jump server. Rather than copying private keys to each remote server, agent forwarding enables the private key to remain securely on the local machine, while still allowing authentication on remote systems.
Benefits of Agent Forwarding
Simplified multi-hop connections
Agent forwarding streamlines the process of connecting through a jump server to access internal systems. Without it, keys would need to be copied to each remote server or passphrases entered multiple times. Agent forwarding ensures the local key can authenticate on remote systems without transferring it between servers.
Improved security
By keeping the private key on the local machine and forwarding only the signing requests to the local agent, agent forwarding reduces the risk of exposing private keys to intermediate servers. The key material never leaves the local machine; the remote side only receives the signatures the local agent produces, so SSH keys can be managed centrally across multiple servers.
Enabling Agent Forwarding
Using the -A option
To enable agent forwarding for a session, the -A option can be used when establishing the SSH connection. For example:
ssh -A user@remote-server
This forwards the local SSH agent to the remote server, allowing the remote server to use the local machine's SSH keys for any further SSH connections.
Configuring persistent forwarding
Agent forwarding can be enabled persistently for specific servers by modifying the SSH configuration file (~/.ssh/config). Adding the following configuration ensures that agent forwarding is automatically enabled for the specified server without requiring the -A option:
Host remote-server
ForwardAgent yes
Security Implications
Risk of remote server compromise
While agent forwarding improves security by keeping private keys on the local machine, it does introduce some risks. If a remote server is compromised, an attacker on that server could use the forwarded agent to authenticate with other systems. Although the private key itself remains secure (the agent answers signing requests but never hands over the key), the forwarded agent effectively grants access to every system where the SSH key is trusted, for as long as the forwarded session stays open.
Use on trusted systems only
To mitigate this risk, agent forwarding should only be used on trusted systems. When connecting to untrusted or unknown remote servers, it is advisable to disable agent forwarding by setting ForwardAgent no in the SSH configuration file for those specific hosts.
Alternative methods for multi-hop connections
In cases where agent forwarding poses too great a security risk, other SSH techniques like ProxyJump or ProxyCommand can be used to securely manage multi-hop connections without exposing the SSH agent to remote servers. These methods allow for secure access to internal systems while maintaining strict control over key exposure. For more details, refer to the SSH Tips and Tricks section.
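The following shell script is an added example, not part of the original page, that pulls together the three configuration points above: a per-host ForwardAgent yes for a trusted bastion, ForwardAgent no for untrusted hosts and as the wildcard default, and ProxyJump as the alternative that reaches an internal host without exposing the agent to the bastion. The ~/.ssh/config it writes is constructed for illustration (the host names, the 203.0.113.10 documentation address, and the function names are all assumptions), and the audit functions parse the file with awk so the script runs without an ssh binary. The audit flags the one pattern a reviewer most wants to catch: a Host * block that forwards the agent to every server.

```shell
#!/bin/sh
# Added example (not from the original page): write a constructed ~/.ssh/config
# and audit it for agent-forwarding settings. All host names are made up.

# Writes the sample configuration to the path given as $1.
write_sample_config() {
  cat > "$1" <<'EOF'
# Trusted bastion: forwarding the agent here is an accepted risk.
Host bastion
    HostName bastion.example.internal
    ForwardAgent yes

# Internal host reached through the bastion with ProxyJump.
# The connection is tunnelled end to end, so the agent never
# needs to be exposed on the bastion.
Host app-internal
    HostName app.example.internal
    ProxyJump bastion
    ForwardAgent no

# Untrusted or unknown host: forwarding explicitly disabled.
Host contractor-box
    HostName 203.0.113.10
    ForwardAgent no

# Default for every other host: never forward the agent.
Host *
    ForwardAgent no
EOF
}

# Writes a deliberately risky configuration (constructed) that forwards
# the agent to every host, so the audit has something to flag.
write_risky_config() {
  cat > "$1" <<'EOF'
Host *
    ForwardAgent yes
EOF
}

# Prints, one per line, the Host pattern of each block that sets
# "ForwardAgent yes". Only the first pattern of a multi-pattern Host
# line is reported; keyword matching is case-insensitive like ssh's.
hosts_with_forwarding() {
  awk '
    tolower($1) == "host" { host = $2; next }
    tolower($1) == "forwardagent" && tolower($2) == "yes" { print host }
  ' "$1"
}

# Prints the ProxyJump target configured for host $2 in file $1, if any.
proxyjump_for() {
  awk -v want="$2" '
    tolower($1) == "host" { cur = $2; next }
    tolower($1) == "proxyjump" && cur == want { print $2 }
  ' "$1"
}

# Succeeds (exit 0) when a "Host *" block enables forwarding, which
# would forward the agent to every server, trusted or not.
wildcard_forwards_agent() {
  hosts_with_forwarding "$1" | grep -qx '\*'
}

# Stand-alone demo: audit the constructed config and report the result.
demo_cfg=$(mktemp)
write_sample_config "$demo_cfg"
echo "Hosts with ForwardAgent yes:"
hosts_with_forwarding "$demo_cfg"
echo "app-internal reaches its target via ProxyJump: $(proxyjump_for "$demo_cfg" app-internal)"
if wildcard_forwards_agent "$demo_cfg"; then
  echo "WARNING: 'Host *' forwards the agent to every server"
else
  echo "OK: no wildcard ForwardAgent yes"
fi
rm -f "$demo_cfg"
```

Pointing the audit at a real file (hosts_with_forwarding ~/.ssh/config) lists exactly which host blocks would hand a forwarded agent to the remote side, which is the list to reconcile against the hosts actually considered trusted. Keeping ForwardAgent no under Host * and enabling it only in named blocks means a new or mistyped host name falls back to the safe setting, and a ProxyJump entry for the internal host removes the need for forwarding on the bastion altogether.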