You mustn't put personal ssh private keys on shared systems or servers. It is a pretty serious security risk: anyone else with access to the system, root or anyone who can read your home directory, can copy your ssh private key and use it to impersonate you, on that system and on every other system that accepts the key.

You can mitigate that by setting a passphrase on your ssh private key. However, an attacker who has copied the key file can guess at the passphrase offline, as fast as their hardware allows and with nothing to rate-limit or lock them out. It is very hard to remember, or type, a passphrase that can't be broken that way by a determined adversary.

Worse, you'll need to type the passphrase every time you use ssh, and that gets quite annoying after a while. This, of course, encourages using short, weak passphrases.

The solution to having to type a passphrase often is to use an ssh agent. The agent holds the decrypted key in memory and does the signing on ssh's behalf, so you type the passphrase once, when the key is added to the agent, rather than on every connection.

You should run the agent on your own system: your laptop or desktop machine. The ssh client on the server or shared system can then talk to that agent, over your ssh connection, whenever it needs to authenticate onward.

There are still some security risks with this; see below.

How to use ssh agent forwarding

Instead of putting an ssh key on a remote computer, log into the computer with ssh -A (or set ForwardAgent yes for that host in ~/.ssh/config). This forwards the connection to your ssh agent to the remote computer: sshd there creates a Unix socket for it and points SSH_AUTH_SOCK at that socket in your session. When you run ssh on the remote computer to log into another server, the login can happen using the ssh agent on your local computer (laptop), using the key on your local computer. All the computation involving the ssh private key happens on your local system.

  • You run ssh-agent on your laptop.
  • You log into your server, mine.example.com, with ssh.
  • You log from mine.example.com to another server, git.example.com, also using ssh.
  • The ssh client running on mine.example.com connects to the ssh agent running on your laptop, to authenticate to git.example.com.

This way, your ssh private key only ever exists on your laptop. It does not ever leave your laptop: the remote ssh client only sees the public key and the signatures the agent returns. Only your laptop can actually authenticate you to another system.

If you're using any of the common Linux desktop environments, you're already using an ssh agent locally. It is set up for you and used automatically; ssh-add -l lists the keys it currently holds.

On security

Forwarding an ssh agent carries its own security risk. If someone on the remote machine can gain access to your forwarded ssh agent connection (root can always open the socket, however sshd sets its permissions), they can still make use of your keys: they can ask your agent to sign authentication challenges with any key it holds, and so log in as you anywhere those keys are accepted. However, this is better than storing keys on remote machines: the attacker can only use the ssh agent connection, not the key itself. Thus, only while you're logged into the remote machine can they do anything, and only by going through your agent. If you store the key on the remote machine, they can make a copy of it and use it whenever they want.

You can protect yourself against this too, by adding keys to the agent with ssh-add -c: the agent then asks you to confirm, on your laptop, every time one of those keys is used to sign something (this needs an ssh-askpass program that the agent can run). A stranger using your forwarded agent then shows up as a confirmation prompt you did not expect. See the manual page for details.
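As an added example (not part of the original post, and not OpenSSH's own code), here is a small Python client for the ssh-agent protocol that ssh itself speaks over the socket named by SSH_AUTH_SOCK. Run it on mine.example.com after logging in with ssh -A and it lists the keys your laptop's agent is offering, which is a handy check that forwarding works; it is also exactly what anyone else who can open that socket can do, including asking the agent to sign a challenge with one of those keys. The message numbers and framing follow the published ssh-agent protocol (draft-miller-ssh-agent); the sample reply, the key blob in it and the comment "you@laptop" are constructed for the example and are not a real key. A sign request against a key added with ssh-add -c comes back as SSH_AGENT_FAILURE when you decline the confirmation prompt, which parse_sign_response reports as None.

```python
"""Minimal ssh-agent protocol client (added example, not OpenSSH code).

Speaks the same protocol ssh uses over $SSH_AUTH_SOCK, whether that socket
belongs to a local agent or to one forwarded with ssh -A.
"""
import os
import socket
import struct

# Message numbers from the ssh-agent protocol (draft-miller-ssh-agent).
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14


def ssh_string(b):
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def read_string(buf, off):
    """Decode an SSH 'string' at offset off; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def frame(body):
    """Prefix a message body with the uint32 length used on the wire."""
    return struct.pack(">I", len(body)) + body


def build_request_identities():
    """Ask the agent which public keys it is willing to sign with."""
    return frame(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))


def build_sign_request(key_blob, data, flags=0):
    """Ask the agent to sign data with the key whose public blob is key_blob.
    A server's authentication challenge ends up as exactly this request."""
    body = (bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(key_blob)
            + ssh_string(data) + struct.pack(">I", flags))
    return frame(body)


def parse_identities_answer(msg):
    """Parse an SSH_AGENT_IDENTITIES_ANSWER body (length prefix removed).
    Returns a list of (key type, public key blob, comment)."""
    if not msg or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an identities answer")
    (count,) = struct.unpack_from(">I", msg, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = read_string(msg, off)
        comment, off = read_string(msg, off)
        key_type, _ = read_string(blob, 0)  # a key blob starts with its type name
        keys.append((key_type.decode(), blob, comment.decode(errors="replace")))
    return keys


def parse_sign_response(msg):
    """Return the signature, or None if the agent refused, which is what you
    get when a key was added with ssh-add -c and the confirmation is denied."""
    if msg and msg[0] == SSH_AGENT_FAILURE:
        return None
    if not msg or msg[0] != SSH_AGENT_SIGN_RESPONSE:
        raise ValueError("unexpected agent reply")
    sig, _ = read_string(msg, 1)
    return sig


def recv_exact(sock, n):
    """Read exactly n bytes from the socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the connection")
        buf += chunk
    return buf


def agent_roundtrip(request, path=None):
    """Send one framed request over the agent socket; return the reply body."""
    path = path or os.environ.get("SSH_AUTH_SOCK")
    if not path:
        raise RuntimeError("SSH_AUTH_SOCK is unset: no agent running or forwarded")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        sock.sendall(request)
        (n,) = struct.unpack(">I", recv_exact(sock, 4))
        return recv_exact(sock, n)


# Constructed sample reply: what an agent holding one ed25519 key would send.
# The 32 "public key" bytes are made up and are not a real key.
FAKE_ED25519_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_IDENTITIES_ANSWER = (bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 1)
                            + ssh_string(FAKE_ED25519_BLOB) + ssh_string(b"you@laptop"))
SAMPLE_FAILURE = bytes([SSH_AGENT_FAILURE])


if __name__ == "__main__":
    # With an agent reachable (local or forwarded), list what any process that
    # can open the socket could sign with; otherwise parse the sample reply.
    reply = (agent_roundtrip(build_request_identities())
             if os.environ.get("SSH_AUTH_SOCK") else SAMPLE_IDENTITIES_ANSWER)
    for key_type, _blob, comment in parse_identities_answer(reply):
        print(key_type, comment)
```

The point of the script is that nothing in it is secret: it needs no key file and no passphrase, only permission to open the socket. That is why a forwarded agent on an untrusted host is a credential in its own right for as long as your session lasts.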

Be careful: only use ssh agent forwarding when you actually need to log in via ssh from the remote machine onward, and only to remote machines you reasonably trust, since whoever controls root there controls your agent for the duration of the session.

Whenever you can, don't log in from one machine to another and from there to a third one. Always log in directly from your machine to the other. If the third machine is only reachable through the second, ssh -J (ProxyJump in ~/.ssh/config) tunnels your connection through it without ever giving it access to your agent.