Agent Forwarding
Published on 17 Feb 2005. Tags: #SSH
When logging into different hosts, possibly over several hops, generating key pairs and distributing public keys becomes a hassle with each additional host. At the same time, security (i.e. key integrity and authentication) becomes a problem, because a break-in on one of your hosts might compromise your private key and allow the attacker to log in to one or more of the hosts you are using.
The method described herein allows a single entity to host and maintain all private keys to open connections to individual hosts as well as a chain of hosts:
- Move all private keys to a single host and place them into a single ssh agent (see SSH agent for details). It is not necessary to insert all private keys into the SSH agent at once, only those you currently need. You should also consider limiting the lifetime of each and every key so that the agent removes unused keys by itself.
- To allow hosts further along the chain to use the private keys stored on that single host, you need to enable agent forwarding on all intermediate hosts, either:
  - manually, by activating agent forwarding on the command line:
    ssh -A HOST
  - or permanently, by adding the following directive to your ~/.ssh/config (also refer to client configuration):
    ForwardAgent yes
Although you will still have to distribute public keys to all hosts you intend to log in to (see public key authentication for details), the management of your private keys becomes easier.
Public key authentication will now consult the ssh agent through the SSH tunnel, over one or more hops.
NOTE: The SSH agent never sends one of the keys to a client; it performs the necessary operations (signing the authentication challenge) on the client's behalf.
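The procedure above (keys loaded into one agent with a limited lifetime, forwarding enabled per hop) and the check that the far end of a hop can reach the agent, as a shell script. This is an added example, not the page's own code; the host names and key path are placeholders. It scopes ForwardAgent to the named hops rather than enabling it globally, so hosts you have not chosen to trust never get to use the agent.

```shell
#!/bin/sh
# Added example (not from the original page): keep private keys in one local
# ssh-agent with a bounded lifetime and forward the agent only to chosen hops.
# Host names and key paths below are placeholders.

# Accept the lifetime syntax ssh-add -t understands: plain seconds, or a
# number followed by exactly one unit letter (s, m, h, d, w), e.g. 30m or 1h.
valid_lifetime() {
    case "$1" in
        ''|*[!0-9smhdw]*|*[smhdw]?*|[smhdw]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print a client config that forwards the agent only to the listed hops and
# refuses it for every other host.  Redirect into ~/.ssh/config to install.
forwarding_config() {
    for hop in "$@"; do
        printf 'Host %s\n    ForwardAgent yes\n\n' "$hop"
    done
    printf 'Host *\n    ForwardAgent no\n'
}

# Load one key into the running agent for a limited time, so the agent drops
# it again without manual intervention.  Requires an agent socket and a
# well-formed lifetime; fails early otherwise.
agent_load_key() {
    key=$1; lifetime=$2
    [ -S "${SSH_AUTH_SOCK:-}" ] || { echo "no agent socket" >&2; return 1; }
    valid_lifetime "$lifetime" || { echo "bad lifetime: $lifetime" >&2; return 1; }
    ssh-add -t "$lifetime" "$key"
}

# Run ssh-add -l on the far side of a hop: success means the forwarded agent
# is reachable there and lists the identities it holds, while the private key
# material itself stays on the first host.
verify_forwarding() {
    hop=$1
    ssh -A "$hop" 'ssh-add -l'
}
```

Typical use: `eval "$(ssh-agent -s)"`, then `agent_load_key ~/.ssh/id_ed25519 1h`, `forwarding_config bastion.example.com > ~/.ssh/config`, and `verify_forwarding bastion.example.com`.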