@leehambley
Created May 27, 2009 12:45

SSH Agent Forwarding. The point of agent forwarding is that you "take" your SSH key with you along a chain of server connections: the private key never leaves your workstation, but each hop can ask the agent on your workstation to sign for it. Without agent forwarding you can get as deep as one server; if you then want to scp some files from a second server, you are stuck needing a password (or a copy of your private key) on the first one.

The solution is to use an ssh-agent. On OS X one is running by default anyway. The agent starts out empty; running "ssh-add" with no arguments loads the keys with the following default names (newer OpenSSH releases also look for ~/.ssh/id_ecdsa and ~/.ssh/id_ed25519, and no longer support protocol 1 or DSA keys):

~/.ssh/identity
Contains the protocol version 1 RSA authentication identity of the user.

~/.ssh/id_dsa
Contains the protocol version 2 DSA authentication identity of the user.

~/.ssh/id_rsa
Contains the protocol version 2 RSA authentication identity of the user.

If your SSH key doesn't use one of those names (I have loads of keys!) then you'll need to add it with "ssh-add", e.g.:

$ ssh-add ~/.ssh/id_rsa_work
 Identity added: /Users/<username>/.ssh/id_rsa_work
 (/Users/<username>/.ssh/id_rsa_work)

You can then verify that it has been loaded into the agent with "ssh-add -l", for example:

$ ssh-add -l
 2048 af:ce:7e:c5:93:18:39:************27:3a:50:3b:60
 /Users/<username>/.ssh/id_rsa (RSA)
 1024 c9:1f:95:49:5d:b6:45:************67:9c:71:2d:4b
 /Users/<username>/.ssh/id_dsa (DSA)
 2048 17:c8:20:65:27:8f:ea:************23:0d:6e:64:9c
 /Users/<username>/.ssh/id_rsa_work (RSA)

You can see that in my example I have three keys loaded. You shouldn't have to worry about the "ssh-add" step though, as we use standard key names in our files.

To have your agent forwarded, you'll need a line like this in your ~/.ssh/config file:

Host *
  ForwardAgent yes

That turns on agent forwarding for every host you connect to. If you don't want that for servers you don't trust (3rd party server, data provider, iffy client, etc), put "ForwardAgent no" under a specific Host entry to override the setting for that host. Note that ssh uses the first value it finds for each option, so the specific Host entry must come above the "Host *" block, or it will be ignored. The reason to be careful is that while you are logged in, the agent socket exists on the remote host: anyone who can open it (root there, or a process running as you) can sign with your keys for as long as the session lasts. They cannot read the private key itself, but they do not need to. For a one-off session you can also pass "-A" (forward) or "-a" (don't forward) on the ssh command line.
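As an added example (not the gist's own config), here is the same idea turned around into an allow-list: forwarding is off by default and enabled only for the hosts we control. The host names are placeholders. The last entry shows ProxyJump, which newer OpenSSH provides as an alternative for reaching a second-hop server through a bastion without ever exposing the agent to the bastion; it is an assumption here that the bastion allows TCP forwarding.

```sshconfig
# Specific Host blocks must come before "Host *": ssh takes the first
# value it finds for each option and ignores later ones.
Host bastion.example.com
    ForwardAgent yes

# A server we do not trust: even though the default below is already
# "no", an explicit entry documents the decision.
Host vendor-box.example.net
    ForwardAgent no

# Second hop reached through the bastion without agent forwarding at all:
# the connection is tunnelled, so the bastion never sees the agent socket.
Host internal-db.example.com
    ProxyJump bastion.example.com
    ForwardAgent no

# Safe default for everything not listed above.
Host *
    ForwardAgent no
```

With this layout the gist's "ForwardAgent yes" is confined to the bastion entry; connecting to an unlisted host falls through to the "Host *" block and gets no forwarding.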

For Ubuntu users, the ssh-agent runs automatically, according to this blog post:

For OS X users, we get an automagic agent too:

For Windows users:

To test that your agent forwarding is working, log in to a server and check that the following prints a path, in /tmp or similar:

$ echo $SSH_AUTH_SOCK
 /tmp/ssh-KKpDr10996/agent.10996

That should be a real path, and if you run "file" on it, it should report a socket. Having checked that, you can forget about the file.

$ file "$SSH_AUTH_SOCK"
 /tmp/ssh-KKpDr10996/agent.10996: socket
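The two checks above can be folded into one script to run on the remote host after logging in. This is an added example, not part of the original gist; it assumes only standard OpenSSH tools (the SSH_AUTH_SOCK variable and ssh-add) and goes one step further than the gist by asking the agent to list keys through the socket, which is the operation a real ssh/scp hop will perform. It also shows who else on the host can reach the socket.

```shell
#!/bin/sh
# Added example: verify a forwarded ssh-agent from the remote end.

# agent_sock_status PATH
#   0: PATH is a unix socket (what a forwarded agent looks like)
#   2: PATH is empty (SSH_AUTH_SOCK not set: forwarding is not active)
#   3: PATH does not exist or is not a socket
agent_sock_status() {
    sock=$1
    [ -n "$sock" ] || return 2
    [ -S "$sock" ] || return 3
    return 0
}

# describe_ssh_add_status CODE: translate the exit status of "ssh-add -l".
# ssh-add exits 0 when it listed keys, 1 when the agent holds no identities,
# and 2 when it could not contact the agent at all.
describe_ssh_add_status() {
    case $1 in
        0) echo "agent reachable, keys loaded" ;;
        1) echo "agent reachable, but it holds no keys: run ssh-add on your workstation" ;;
        *) echo "cannot contact the agent through SSH_AUTH_SOCK" ;;
    esac
}

# check_forwarding: end-to-end check. Returns 0 only when the socket is real
# and ssh-add can list at least one key through it.
check_forwarding() {
    st=0
    agent_sock_status "$SSH_AUTH_SOCK" || st=$?
    case $st in
        2) echo "SSH_AUTH_SOCK is not set: agent forwarding is not active"; return 1 ;;
        3) echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK is not a socket"; return 1 ;;
    esac
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    describe_ssh_add_status "$rc"
    # While you are logged in, anyone who can open this socket (root on this
    # host, or a process running as you) can sign with your keys. Showing the
    # owner and mode of the socket and its directory makes that visible.
    ls -ld "$(dirname "$SSH_AUTH_SOCK")" "$SSH_AUTH_SOCK"
    [ "$rc" -eq 0 ]
}

# Run the check when invoked as "sh check_agent.sh check"; sourcing the
# file only defines the functions.
if [ "${1:-}" = "check" ]; then
    check_forwarding
fi
```

A "cannot contact the agent" result with a socket that exists usually means the session that created the socket has already ended; a "holds no keys" result means forwarding works but nothing was loaded on the workstation side, which is the "ssh-add" step above.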

I do not recommend anyone forwards a key/agent without a passphrase-protected private key, but to my knowledge very few of us have passphrased keys; maybe that needs to happen before this can be used prolifically. I trust management will PD this advice if they wish that to be the case.
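To act on the passphrase point, here is an added example (not from the original gist) that audits ~/.ssh for private keys with no passphrase and shows the two fixes: adding a passphrase in place, and loading the key with "ssh-add -c" so the agent asks for confirmation before every signature. That confirmation is what limits the damage when a forwarded socket is abused. It assumes only standard OpenSSH tools (ssh-keygen, ssh-add) and the default key names discussed above.

```shell
#!/bin/sh
# Added example: find passphrase-less private keys and protect them.

# key_is_unencrypted FILE: succeed (0) when FILE is a private key that loads
# with an empty passphrase, i.e. it has none. "ssh-keygen -y" derives the
# public key and fails with "incorrect passphrase" on an encrypted key.
key_is_unencrypted() {
    ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1
}

# list_unencrypted_keys DIR: print each private key under DIR that has no
# passphrase, one per line. Public keys (*.pub) and non-files are skipped.
# Covers the default names (identity, id_*) plus custom ones like id_rsa_work.
list_unencrypted_keys() {
    dir=${1:-$HOME/.ssh}
    for f in "$dir"/identity "$dir"/id_*; do
        [ -f "$f" ] || continue
        case $f in *.pub) continue ;; esac
        if key_is_unencrypted "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# protect_key FILE: add a passphrase to an existing key in place (prompts).
# The key pair itself does not change, so nothing needs redeploying to
# servers' authorized_keys.
protect_key() {
    ssh-keygen -p -f "$1"
}

# load_key_with_confirmation FILE: "ssh-add -c" loads the key so that the
# agent asks you to confirm every signature. A root user on a host you have
# forwarded to can still request a signature, but you have to approve it.
load_key_with_confirmation() {
    ssh-add -c "$1"
}

# Usage: sh audit_keys.sh audit [DIR]
if [ "${1:-}" = "audit" ]; then
    list_unencrypted_keys "${2:-$HOME/.ssh}"
fi
```

"ssh-add -c" needs an askpass program to show the confirmation prompt (OS X provides one; on Linux install ssh-askpass or set SSH_ASKPASS), otherwise signature requests are refused rather than silently approved.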
