====== Ubuntu - SSH - Agent forwarding ======

SSH agent forwarding allows you to use your local SSH keys on a remote server without physically copying them to the server.

  * It works by forwarding signing requests from the SSH client on the remote server back to your local machine's SSH agent.

SSH agent forwarding is built into ssh, and the ssh-agent process is launched automatically.

  * Just make sure the keys are added to ssh-agent and configure ssh to use forwarding.

----

===== Manually enable SSH agent forwarding =====

To enable SSH agent forwarding, use the **-A** option with the **ssh** command when connecting to your remote server.

<code bash>
ssh -A user@host
</code>

**NOTE:** The command-line option takes effect regardless of what the config files say.

  * Agent forwarding can be configured permanently in the **~/.ssh/config** file by adding **ForwardAgent yes** under the host entry.

----

===== Add Keys to ssh-agent =====

Use the utility **ssh-add** to add keys to the local agent. Assuming the private key is stored in **id_rsa**, run:

<code bash>
ssh-add ~/.ssh/id_rsa
</code>

**NOTE:** The key can also be pasted in manually rather than read from id_rsa.

----

===== Check that the key is added properly =====

<code bash>
ssh-add -L
</code>

**NOTE:** If the key was added, this lists its public half.

----

===== Allow Forwarding in the Client's Config =====

Edit the **~/.ssh/config** file on the local machine, or create it if it does not exist. Add a rule to make sure agent forwarding is enabled for this server's host name.

<code>
Host <hostname>
    ForwardAgent yes
</code>

**NOTE:** Replace **<hostname>** with the server's domain name or IP address.

  * The wildcard ***** can be used for the host, but then the agent, and with it the ability to use your private keys, will be forwarded to every server you connect to, which is probably not what you want.

**WARNING:** There may also be an SSH config file at **/etc/ssh_config**, which may override the user config file at **~/.ssh/config**, so make sure nothing is conflicting.
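As an added example (not from the original page), a small shell audit that reads an ssh_config-style file, reports every stanza that sets **ForwardAgent yes**, and fails when that stanza is a wildcard **Host** pattern or **Match all**, i.e. when the agent would be forwarded to every server. The sample configs are constructed inline; the parser assumes whitespace-separated "Keyword value" lines as in ssh_config(5), not the "Keyword=value" form.

```shell
#!/bin/sh
# Added example, not from the original page: audit an ssh client config for
# agent forwarding that is broader than a single named host.

# Print "<verdict>: ForwardAgent yes under <stanza>" for each stanza that
# enables forwarding. Exit 1 if any such stanza is a wildcard Host pattern
# (contains * or ?) or "Match all", since that forwards the agent everywhere.
check_forward_agent() {
    awk '
        BEGIN { stanza = "Host *"; broad = 0 }   # options before any Host line are global
        tolower($1) == "host" || tolower($1) == "match" {
            stanza = $1; for (i = 2; i <= NF; i++) stanza = stanza " " $i; next
        }
        tolower($1) == "forwardagent" && tolower($2) == "yes" {
            s = tolower(stanza)
            if (s ~ /^host .*[*?]/ || s == "match all") {
                print "broad: ForwardAgent yes under \"" stanza "\""; broad = 1
            } else {
                print "ok: ForwardAgent yes under \"" stanza "\""
            }
        }
        END { exit broad }
    ' "$1"
}

# Constructed sample configs so the audit can run offline.
SSH_CFG_DIR=$(mktemp -d)
cat > "$SSH_CFG_DIR/broad" <<'EOF'
# forwards the agent to every host, including ones you do not control
Host *
    ForwardAgent yes
EOF
cat > "$SSH_CFG_DIR/scoped" <<'EOF'
Host bastion.example.com
    User deploy
    ForwardAgent yes
Host *
    ServerAliveInterval 30
EOF

for cfg in broad scoped; do
    if check_forward_agent "$SSH_CFG_DIR/$cfg"; then
        echo "$cfg: agent forwarding is scoped to named hosts"
    else
        echo "$cfg: agent forwarding is too broad, narrow the Host pattern"
    fi
done
```

To see the value ssh actually resolves for one host without connecting, `ssh -G user@host | grep -i forwardagent` prints the effective setting after all config files are applied.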
----

===== Troubleshooting =====

If SSH agent forwarding is not working:

  * Make sure you actually have SSH keys in the first place; if you do not, run **ssh-keygen**, which will place the private key in **~/.ssh/id_rsa** and the public key in **~/.ssh/id_rsa.pub**.
  * Verify that the SSH keys work with regular authentication, and add them to ssh-agent with **ssh-add**.
  * The ssh-agent process also needs to be running. It should start automatically, but verify that it is running with:

<code bash>
echo "$SSH_AUTH_SOCK"
</code>

  * If it is correctly set up, this should print the path of the agent's listening socket.
  * Make sure the config files include **ForwardAgent yes**, and make sure no other config files are overriding this behaviour.
  * To check which config files SSH is using, run ssh in verbose mode, which displays which config files are being used. Files displayed later in this list take precedence over earlier files:

<code bash>
ssh -v user@host
</code>

----

TAGS

  * TAG: Networking
  * TAG: Security
  * TAG: SSH

----