{"id":261393,"date":"2021-05-28T14:00:00","date_gmt":"2021-05-28T11:00:00","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/what-is-ssh-agent-forwarding-and-how-do-you-use-it-cloudsavvy-it\/"},"modified":"2021-05-28T14:00:00","modified_gmt":"2021-05-28T11:00:00","slug":"what-is-ssh-agent-forwarding-and-how-do-you-use-it-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/what-is-ssh-agent-forwarding-and-how-do-you-use-it-cloudsavvy-it\/","title":{"rendered":"#What is SSH Agent Forwarding and How Do You Use It? \u2013 CloudSavvy IT"},"content":{"rendered":"<p><strong>&#8220;#What is SSH Agent Forwarding and How Do You Use It? \u2013 CloudSavvy IT&#8221;<\/strong><\/p>\n<div id=\"article-content-area\">\n<figure style=\"width: 700px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage wp-image-57 size-full\" data-pagespeed-lazy-src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2019\/04\/7e447f1a.png?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"SSH agent forwarding\" width=\"700\" height=\"300\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><figcaption class=\"wp-caption-text\"><span class=\"type:primaryImage imagecredit\"><a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.shutterstock.com\/image-photo\/ssh-secure-shell-protocol-software-data-1171819519\">Funtap \/ Shutterstock<\/a><\/span><\/figcaption><\/figure>\n<p>SSH agent forwarding allows you to use your private, local SSH key remotely without worrying about leaving confidential data on the server you\u2019re working with.
It\u2019s built into <code>ssh<\/code>, and is easy to set up and use.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"What_Is_an_SSH_Agent\"><\/span>What Is an SSH Agent?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Your public SSH key is like your username or identity, and you can share it with everybody. Your private SSH key is like a password, and is saved locally on your computer. But, this is like storing your passwords on a sticky note\u2014anyone can view them if they have access to it. So, for security, SSH will ask you for a passphrase when you generate your keys (hopefully you didn\u2019t skip that step) and it will use that passphrase to encrypt and decrypt your private key.<\/p>\n<p>However, this means you\u2019ll have to enter your passphrase every time you need to use your private key, which will get annoying. To manage this, most SSH implementations will use an\u00a0<em>agent<\/em>, which keeps your decrypted key in memory. This means you\u2019ll only need to unlock it once, and it will persist until you restart, letting you log into your servers securely without a passphrase prompt. You\u2019ll want to make sure your SSH server is locked down, of course.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"What_is_SSH_Agent_Forwarding\"><\/span>What is SSH Agent Forwarding?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>SSH agent\u00a0<em>forwarding<\/em> is like going another layer deeper. For example, imagine you\u2019re connecting to a remote server, and you want to <code>git pull<\/code> some code that you\u2019re storing on Github. You want to use SSH authentication for Github, but you don\u2019t want your private keys on that remote server, only on your machine.<\/p>\n<p>To solve this problem, you can open your local SSH agent to the remote server, allowing it to act as you while you\u2019re connected. 
This doesn\u2019t send your private keys over the internet, not even while they\u2019re encrypted; it just lets a remote server access your local SSH agent and verify your identity.<\/p>\n<p>It works like this: you ask your remote server to pull some code from Github, and Github says \u201cwho are you?\u201d to the server. Usually the server would consult its own <code>id_rsa<\/code> files to answer, but instead it will forward the question to your local machine. Your local machine answers the question and sends the response (which does not include your private key) to the server, which forwards it back to Github. Github doesn\u2019t care that your local machine answered the question, it just sees that it\u2019s been answered, and lets you connect.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"How_to_Enable_SSH_Agent_Forwarding\"><\/span>How to Enable SSH Agent Forwarding<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>On Mac and Linux, SSH agent forwarding is built into <code>ssh<\/code>, and the <code>ssh-agent<\/code>\u00a0process is launched automatically. All you\u2019ll have to do is make sure your keys are added to <code>ssh-agent<\/code>\u00a0and configure <code>ssh<\/code>\u00a0to use forwarding.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"Add_Keys_to_ssh-agent\"><\/span>Add Keys to ssh-agent<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>You can use the utility <code>ssh-add<\/code>\u00a0to add keys to your local agent. Assuming your private key is stored in <code>id_rsa<\/code>, you can run:<\/p>\n<pre>ssh-add ~\/.ssh\/id_rsa<\/pre>\n<p>You can also manually paste in the key rather than using <code>id_rsa<\/code>.
Check that the key is added properly with:<\/p>\n<pre class=\"command-line\">ssh-add -L<\/pre>\n<p>If it is, it should spit out your key.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"Add_Keys_on_macOS\"><\/span>Add Keys on macOS<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>On macOS, you will instead need to run:<\/p>\n<pre>ssh-add -K ~\/.ssh\/id_rsa<\/pre>\n<p>The <code>-K<\/code>\u00a0flag will store the key in the macOS Keychain, which is necessary for it to remember your keys through reboots.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"Allow_Forwarding_in_Your_Clients_Config\"><\/span>Allow Forwarding in Your Client\u2019s Config<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>Open up your <code>~\/.ssh\/config<\/code>\u00a0file on your local machine, or create it if it doesn\u2019t exist.\u00a0We\u2019ll set a new rule to make sure agent forwarding is enabled for this server\u2019s domain:<\/p>\n<pre>Host example\n  ForwardAgent yes<\/pre>\n<p>You should replace <code>example<\/code> with your server\u2019s domain name or IP address. You can use the wildcard <code>*<\/code>\u00a0for the host, but then you\u2019ll be forwarding access to your private keys to every server you connect to, which is probably not what you want.<\/p>\n<p>Depending on your operating system, you may also have SSH config files at <code>\/etc\/ssh\/ssh_config<\/code>\u00a0for macOS or <code>\/etc\/ssh_config<\/code>\u00a0for Ubuntu. These files may override the user config file at <code>~\/.ssh\/config<\/code>, so make sure nothing is conflicting. Lines that start with <code>#<\/code>\u00a0are commented out, and have no effect.<\/p>\n<p>You can also manually enable agent forwarding for any domain by using <code>ssh -A user@host<\/code>, which will bypass all config files.
If you want an easy method for forwarding without touching config, you can add\u00a0<code>alias ssh=\"ssh -A\"<\/code>\u00a0to your bash settings, but this is the same as using a wildcard host, so we don\u2019t recommend it for anything security-focused.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"Test_SSH_Forwarding\"><\/span>Test SSH Forwarding<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>If you don\u2019t have two servers on hand, the easiest way to test if SSH forwarding is working is to add your public key from your local machine to your <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/settings\/keys\">Github profile<\/a>\u00a0and try to SSH from a remote server:<\/p>\n<pre>ssh <span class=\"command\">git@github.com<\/span><\/pre>\n<p>If it worked, you should see your username, and you should be able to push and pull code from a repo without ever putting private keys on the server.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Setup_SSH_Forwarding_for_Windows_Clients\"><\/span>Setup SSH Forwarding for Windows Clients<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Since Windows isn\u2019t a Unix operating system, setup will vary depending on how exactly you\u2019re running <code>ssh<\/code>\u00a0in the first place.<\/p>\n<p>If you\u2019re using the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/wsl\/install-win10\">Linux Subsystem for Windows<\/a>, which lets you run bash on Windows, the setup will be the same as on Linux or macOS, since it\u2019s fully virtualizing a Linux distro to run the command line.<\/p>\n<p>If you\u2019re using Git Bash, the setup is the same as on Linux, but you\u2019ll need to manually start <code>ssh-agent<\/code>\u00a0when you launch the shell, which you can do with <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/stackoverflow.com\/a\/45562886\">a startup script in <code>.bashrc<\/code><\/a>.<\/p>\n<p>If you\u2019re using 
PuTTY, setup is quite simple. From the configuration, go to Connection &gt; SSH &gt; Auth and enable \u201cAllow agent forwarding.\u201d<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-48\" data-pagespeed-lazy-src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2019\/04\/b1716fe3-1.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"700\" height=\"400\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>You can also add your private key file from the same pane. PuTTY will handle the SSH agent for you, so you don\u2019t have to mess around with any config files.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"What_to_Do_if_SSH_Forwarding_Isnt_Working\"><\/span>What to Do if SSH Forwarding Isn\u2019t Working<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Make sure you actually have SSH keys in the first place; if you don\u2019t, you can run <code>ssh-keygen<\/code>, which will place your private key in <code>~\/.ssh\/id_rsa<\/code>\u00a0and your public key in <code>~\/.ssh\/id_rsa.pub<\/code>.<\/p>\n<p>Verify that your SSH keys are working properly with regular auth, and add them to <code>ssh-agent<\/code>. You can add keys with <code>ssh-add<\/code>.<\/p>\n<p>The <code>ssh-agent<\/code>\u00a0process also needs to be running.
On macOS and Linux, it should start automatically, but you can verify that it is running with:<\/p>\n<pre class=\"command-line\"><span class=\"command\">echo \"$SSH_AUTH_SOCK\"<\/span><\/pre>\n<p>If it\u2019s correctly set up, you should see a <code>Listeners<\/code>\u00a0socket returned.<\/p>\n<p>Make sure your config files are set up properly to include <code>ForwardAgent yes<\/code>, and make sure no other config files are overriding this behaviour. To check which config files SSH is using, you can run <code>ssh<\/code> in verbose mode:<\/p>\n<pre>ssh -v git@github.com<\/pre>\n<p>This should display which config files are being used. Files displayed later in this list take precedence over earlier files.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-54\" data-pagespeed-lazy-src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2019\/04\/7c97c26f.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"700\" height=\"200\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>And of course, command line options override config files. If agent forwarding isn\u2019t working with <code>ssh -A<\/code>, and your keys are properly configured in your agent, then something else is wrong, and you\u2019ll need to check your connection to the servers in the chain.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/25\/what-is-ssh-agent-forwarding-and-how-do-you-use-it\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#What is SSH Agent Forwarding and How Do You Use It? \u2013 CloudSavvy IT&#8221; Funtap \/ Shutterstock SSH agent forwarding allows you to use your private, local SSH key remotely without worrying about leaving confidential data on the server you\u2019re working with. It\u2019s built into ssh, and is easy to set up and use.
What&#8230;<\/p>\n","protected":false},"author":1,"featured_media":261394,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2019\/04\/7e447f1a.png","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-261393","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/261393","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=261393"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/261393\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/261394"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=261393"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=261393"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=261393"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}