Using SSH Agent Forwarding for Access Through a Bastion Host
Caution:
Enable agent forwarding with caution. Users with escalated privileges on the remote host can access the agent through the forwarded SSH session. Although malicious users can't access the keys directly, they can hijack the agent session and use the keys in the agent to connect to other systems. If you're connecting to a system that might have untrustworthy users, avoid using agent forwarding.
SSH Agent Forwarding is a powerful tool that can help you keep private keys centralized and safe. Avoid copying private keys to other systems as much as possible. SSH Agent Forwarding lets you connect to a remote system and then use the SSH client on that system to connect to another system with the same key-based authentication, without copying the private key to the host that you first connected to.
Server-side Configuration
Change the /etc/ssh/sshd_config file to configure SSH Agent forwarding. On the server, verify the AllowAgentForwarding parameter, which activates SSH agent forwarding and is enabled by default.
Client Configuration
To enable this functionality, you must use the ForwardAgent option when you make a connection to an intermediate system in the chain of hosts that you connect to. You must also have the private key already loaded into the SSH Agent on the primary client host. See Using the SSH Key Agent to Remember Passphrases.
To use SSH Agent Forwarding:
- Check that the SSH Agent is running and that the SSH key is loaded. Run the following command on the client system to see what keys the agent has loaded:
  ssh-add -L
- Connect to a host using the ForwardAgent=yes option:
  ssh -o ForwardAgent=yes server1.example.com
- Use the SSH client on the remote host to connect to another server that has the public key configured in its authorized_keys:
  ssh server2.example.com
Consider adding the ForwardAgent option to a Host configuration entry in the $HOME/.ssh/config file if you use this option often for a particular server. See Setting SSH Client Configuration Options For a Host for more information.
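The procedure above and the per-host configuration entry, put together as an added shell example that is not part of the original page: it checks the local agent with ssh-add -L before forwarding it, renders a $HOME/.ssh/config fragment that scopes ForwardAgent to the bastion only, and refuses to hop when there is nothing to forward. The function names and the host names bastion.example.com and server2.example.com are assumed placeholders; an OpenSSH client and ssh-agent are assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original page: check the local agent before
# forwarding it, and keep ForwardAgent scoped to the bastion host only.
# Host names (bastion.example.com, server2.example.com) are placeholders.

# Interpret the exit status of ssh-add -L:
#   0 = agent reachable and keys loaded
#   1 = agent reachable but holds no identities
#   2 = no agent (SSH_AUTH_SOCK unset or pointing at a dead socket)
agent_status() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo no-agent
        return 0
    fi
    rc=0
    ssh-add -L >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo keys-loaded ;;
        1) echo agent-empty ;;
        *) echo no-agent ;;
    esac
}

# Render an ssh_config fragment that forwards the agent only to the bastion
# and explicitly disables forwarding for every other host, so an untrusted
# endpoint never gets a forwarded agent socket to hijack.
bastion_config() {
    printf 'Host %s\n    ForwardAgent yes\n\nHost *\n    ForwardAgent no\n' "$1"
}

# Hop through the bastion with forwarding enabled, refusing to start when the
# local agent has nothing to forward (the second ssh would fail anyway).
# Loading the key with "ssh-add -c" makes the agent ask for confirmation on
# every use, which limits what a hijacked forwarded socket can do silently.
connect_via_bastion() {
    bastion=$1
    target=$2
    status=$(agent_status)
    if [ "$status" != keys-loaded ]; then
        echo "refusing to forward: local agent state is '$status'" >&2
        return 1
    fi
    ssh -o ForwardAgent=yes -t "$bastion" ssh "$target"
}

# Example invocation:
#   bastion_config bastion.example.com >> "$HOME/.ssh/config"
#   connect_via_bastion bastion.example.com server2.example.com
```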