SSH Agent Forwarding

Posted By: Adam | 1 Replies | Last Reply On: Feb 23, 2018 04:39:59

I was told SSH agent forwarding can come in handy when deploying the server. Can someone give some info on what SSH agent forwarding is and how to go about setting it up? Is it considered secure?

Psychz - Swarup

Votes: 0 | Posted On: Feb 23, 2018 04:39:59
 

Hi!

SSH agent forwarding is a way of communicating with SSH agents on remote machines. To understand SSH agent forwarding, we should first have a brief understanding of SSH keys and SSH agent.

 

SSH Agent

SSH Agent is a program that stores the private keys of the SSH client and responds at the time of SSH authentication. As we know, SSH keys are a pair of a public and a private key. The public key is stored on the remote host and the private key on the local host. When you try to connect to a remote host, the remote host tries to authenticate you and a passphrase is required every time.

SSH Agent is simply a tool that saves you the hassle of typing in a passphrase each time you try to connect to a remote server. It does so by caching the private keys and handling the authentication part of SSH for the SSH client. You can start the SSH agent every time you want to connect to a remote host or can also configure it to run automatically. You should run the SSH agent in your current login session before you run the SSH client.

You can run either of the following commands to start the SSH agent.

1. ssh-agent $SHELL

Here "$SHELL" is the name of the login shell of your current login session. You can enter the names of environment variables such as bash, ksh, csh among others in accordance with your login shell. 

 

2. You can also use the following command.

eval "$(ssh-agent)"

 

Adding Keys to SSH Agent

Once you have started the SSH agent, the next step is to add the private key to the SSH agent. You can do so by running the following command. The identities of the keys are cached into the SSH agent.

ssh-add

If you have multiple keys you can add arguments along with the "ssh-add" command. For example - "ssh-add1" can add the first private key. If you do not add any argument the default key is added.

 

Deleting keys from SSH agent

The key identities can be deleted from SSH agent by running the following command.

ssh-add -d path_of_the_key

(If you want to delete all the identities use the "-D" argument.)


Agent Forwarding 

Since we now have a basic understanding of the SSH agent, let us move on to SSH agent forwarding. As we know, the SSH client interacts with the SSH agent for authentication purposes on the local machine. However, under some conditions, the SSH client can also interact with the SSH agent on the remote machine. Let us explain it with an example.

1. Suppose we are sitting at a computer L and want to SSH to a remote server R. The SSH agent installed on L will authenticate the connection with the private key stored on L.

2. Now let us suppose we want to copy a file from R to another server P while sitting at location L. When we try to do that, the SSH agent at L successfully carries out its function and establishes a connection from L to R, but the connection from R to P is not established as R does not have the private key of L. This situation can be easily dealt with by SSH agent forwarding.

 

Enabling Agent Forwarding

When agent forwarding is enabled, the remote server R acts as an SSH agent. The local machine L sends a request to the remote server for turning ON agent forwarding. When the request is accepted, the remote machine R acts as an SSH agent. When R wants to set up a connection with P, P interprets R as an SSH agent and establishes a connection. There are some options for turning agent forwarding ON.

1. The SSH configuration file is stored in "~/.ssh/config". Change the parameter "ForwardAgent" contained in the configuration file to "yes".

2. You can use the command line to enable agent forwarding.

ssh -o "ForwardAgent yes" user@remote_host

 

Security concerns regarding agent forwarding

Agent forwarding is a very common process for many server-related activities like server deployment. During agent forwarding, the private key of the local machine does not appear on the remote server. A user accessing the remote server cannot obtain the private key of the local machine.

However, agent forwarding is not recommended as it comes with a slight security risk. All the information regarding the keys is forwarded to the remote host and any user with the right privileges can use the authentication information to access the connection. Hence, it is not advised to implement agent forwarding until you trust the remote server completely.
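
Added example (not part of the original reply): a shell function that audits an SSH client configuration for the "ForwardAgent" setting described under "Enabling Agent Forwarding" and reports whether forwarding is turned on for every host (global or wildcard scope) or only for named hosts you have chosen to trust. The function names and the sample configuration are constructed for illustration; the parser assumes a single file and does not follow Include directives.

```shell
#!/bin/sh
# audit_forward_agent FILE
# Prints "<LEVEL>: <scope>" for each block that enables agent forwarding.
#   WIDE   = global setting or a Host pattern with a wildcard
#   SCOPED = named hosts only
#   REVIEW = inside a Match block (conditions need a manual look)
# Any ForwardAgent value other than "no" enables forwarding, and the first
# value seen in a block is the one that counts.
audit_forward_agent() {
    awk '
    function report(  level) {
        if (!fwd) return
        level = (scope == "(global)" || scope ~ /[*?]/) ? "WIDE" : "SCOPED"
        if (scope ~ /^Match /) level = "REVIEW"
        print level ": " scope
    }
    BEGIN { scope = "(global)" }
    /^[ \t]*(#|$)/ { next }                       # comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        sub(/[ \t]*=[ \t]*/, " ", line)           # accept keyword=value
        gsub(/"/, "", line)                       # accept quoted arguments
        split(line, f, /[ \t]+/)
        key = tolower(f[1])
        if (key == "host" || key == "match") {
            report()
            scope = line; sub(/^[^ \t]+[ \t]+/, "", scope)
            if (key == "match") scope = "Match " scope
            fwd = 0; seen = 0
        } else if (key == "forwardagent" && !seen) {
            seen = 1
            fwd = (tolower(f[2]) != "no")
        }
    }
    END { report() }' "$1"
}

# Constructed sample config: "Host *" forwards the agent to every server.
sample_config() {
    printf '%s\n' '# constructed sample' 'Host *' '    ForwardAgent yes' '' \
        'Host deploy.example.com' '    ForwardAgent yes' '    User deploy' '' \
        'Host bastion.example.com' '    ForwardAgent=no'
}

demo=$(mktemp); sample_config > "$demo"; audit_forward_agent "$demo"; rm -f "$demo"
```

Run it as audit_forward_agent ~/.ssh/config; a WIDE line means the agent is offered to every server you connect to, not just the ones you trust completely.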
