9.4 Using agent forwarding
Agent forwarding is a mechanism that allows applications on your SSH server machine to talk to the agent on your client machine.
Note that at present, agent forwarding in SSH-2 is only available when your SSH server is OpenSSH. The ssh.com
server uses a different agent protocol, which PuTTY does not yet support.
To enable agent forwarding, first start Pageant. Then set up a PuTTY SSH session in which ‘Allow agent forwarding’ is enabled (see section 4.22.6). Open the session as normal. (Alternatively, you can use the -A
command line option; see section 3.8.3.10 for details.)
If this has worked, your applications on the server should now have access to a Unix domain socket which the SSH server will forward back to PuTTY, and PuTTY will forward on to the agent. To check that this has actually happened, you can try this command on Unix server machines:
unixbox:~$ echo $SSH_AUTH_SOCK
/tmp/ssh-XXNP18Jz/agent.28794
unixbox:~$
If the result line comes up blank, agent forwarding has not been enabled at all.
Now if you run ssh
on the server and use it to connect through to another server that accepts one of the keys in Pageant, you should be able to log in without a password:
unixbox:~$ ssh -v otherunixbox
[...]
debug: next auth method to try is publickey
debug: userauth_pubkey_agent: trying agent key my-putty-key
debug: ssh-userauth2 successful: method publickey
[...]
If you enable agent forwarding on that SSH connection as well (see the manual for your server-side SSH client to find out how to do this), your authentication keys will still be available on the next machine you connect to - two SSH connections away from where they're actually stored.
In addition, if you have a private key on one of the SSH servers, you can send it all the way back to Pageant using the local ssh-add
command:
unixbox:~$ ssh-add ~/.ssh/id_rsa
Need passphrase for /home/fred/.ssh/id_rsa
Enter passphrase for /home/fred/.ssh/id_rsa:
Identity added: /home/fred/.ssh/id_rsa (/home/simon/.ssh/id_rsa)
unixbox:~$
and then it's available to every machine that has agent forwarding available (not just the ones downstream of the place you added it).