Agent Forwarding

When you log in to many different hosts, and over several hops, generating key pairs and distributing public keys becomes a hassle with each additional host. At the same time, security (i.e. key integrity and authentication) becomes a problem, because a break-in on one of your hosts might compromise the private key stored there and allow the attacker to log in to one or more of the hosts you're using.

The method described here lets a single host hold and maintain all private keys while still opening connections to individual hosts as well as to a chain of hosts:

  1. Move all private keys to a single host and load them into a single SSH agent (see SSH agent for details). You do not need to insert all private keys into the agent at once, only the ones you currently need. You should also consider limiting the lifetime of each key so that the agent removes unused keys by itself.

  2. To allow a remote host to use a private key held by the agent on that single host, enable agent forwarding on all intermediate hosts:

Public key authentication on each hop now consults the SSH agent through the SSH connection, across one or more hops.

NOTE: The SSH agent never sends a key to a client; it performs the necessary operations (signing the authentication challenge) on the client's behalf, so the private key stays on the host running the agent.
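A client-side configuration for the two-hop chain described above (workstation, jump host, target), as an added example and not part of the original article; the host names, user name and key path are placeholders.

```sshconfig
# ~/.ssh/config on the workstation that runs the agent.
# Load the key with a lifetime so unused keys expire, e.g.
#   ssh-add -t 1h ~/.ssh/id_ed25519
# (add -c to have the agent ask for confirmation on every use).

# First hop: the jump host must reach the target, so it gets the agent.
Host jump.example.org
    User alice
    IdentityFile ~/.ssh/id_ed25519
    ForwardAgent yes

# Everything else: keep the agent socket private by default.
Host *
    ForwardAgent no

# ~/.ssh/config on jump.example.org (the intermediate hop).
# No key is stored here; authentication uses the forwarded agent.
# The target is the last hop, so it does not need the agent itself.
Host target.internal
    User alice
    ForwardAgent no

# sshd_config on every intermediate host must permit forwarding
# (this is the OpenSSH default):
#   AllowAgentForwarding yes
```

Forward the agent only to hops that genuinely have to authenticate onward: while you are connected, anyone with access to the agent socket on an intermediate host can request signatures, which is why the per-key lifetime and confirmation options matter.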

Feedback is always welcome! If you'd like to get in touch with me concerning the contents of this article, please use Twitter.