SSH Agent Forwarding is a feature of SSH that allows you to use the private keys stored locally on your PC to connect to remote servers that are usually not directly accessible. This means that you don’t have to copy your SSH keys onto a “bastion host” or “jump box” ( Bastion hosts are usually public-facing, hardened systems that serve as an entry point to systems in a private network, behind a firewall, or other restricted location ). I like to think of it as “storing your SSH private keys in memory” and they are available whenever you want to use them within that SSH session. Here’s how to use it.
Imagine the following network set up:
- Home laptop with an internet connection.
- Bastion host in an AWS Private network (VPC) that you can access over the internet at the IP address 18.104.22.168.
- Application server in a private subnet within the same VPC accessible at the private IP 192.168.2.253
- The only way to access the app server is to go through the bastion host since the app server cannot be access over the internet using it’s private IP ( networking basics here “public vs private IPs” ).
- You connect to the Bastion server using the SSH key “bastion.pem”
- You connect to the Application server using the SSH key “app.pem”
- Both SSH keys are stored on the home laptop.
You can use SSH agent forwarding to connect to the backend server by following these steps (click to jump to section):
- SSH Agent Forwarding in a Bash Terminal
- SSH Agent Forwarding Using MobaXterm
- SSH Agent Forwarding Using Putty on Windows
1. SSH Agent Forwarding in a Bash Terminal
1. Start the SSH agent. This is a small background program that that actually stores your SSH keys in memory.
$ eval $(ssh-agent)
2. Add both keys to the ssh-agent.
$ ssh-add "/path/to/key/bastion.pem"
$ ssh-add "/path/to/key/app.pem"
You can verify that the keys are added to the ssh-agent by running this command:
$ ssh-add -l
3. Connect to the Bastion host and make sure to add “-A” to forward the ssh agent. If you don’t add the “-A” flag then the ssh agent will not be forwarded (i.e. the keys will not be added to “memory”). Additionally, since the SSH keys have been added to memory, you don’t have to specify the SSH key itself using “-i” because SSH will automatically attempt to use all the SSH keys that are saved in the ssh-agent.
$ ssh -A firstname.lastname@example.org
4. Once you are logged into the bastion server, you can run “ssh-add -l” and you will see the two keys are still there. Now run the following command to connect to the backend server. This time you can leave out “-A” since we don’t need it on the application server. Since the keys are already “in memory”, we don’t need to specify the application server key using “-i”.
$ ssh email@example.com
NB 1: These exact same steps will work if you are using the local terminal in MobaXterm. You can copy yout keys into MobaXterm’s “Home” directory which is usually under the user’s “Documents” folder . You can paste this into your Windows Explorer address bar.
NB 2: You can update your .bashrc or .profile files to automatically start the SSH agent and add your keys to it when you log into the terminal.
2. Using MobaXterm
1. Open MobaXterm and at the top menu, select “Settings” > “Configuration” > “SSH” tab
2. You can use MobaXterm’s internal SSH agent or you can use Putty’s Pageant. In this case we will use the internal ssh agent so make sure to tick “Use internal SSH agent MobAgent”, and “Forward SSH Agents” and untick “Use external Pageant”.
3. Add your SSH keys (.pem) to the agent by clicking the “+” icon and click OK when you’re done. This may restart the MobaXterm application.
4. Now you can SSH to your servers either using MobaXterm’s local terminal the same way you would use a bash terminal or by creating the “SSH sessions”. Once again, you don’t have to specify the keys when connecting if you have already added them to the SSH agent.
3. Using Putty on Windows
1. The ssh agent when using Putty is a program called “Pageant”. Start this “Pageant” program by searching for it in the Start menu and running it. In some cases it might be already running in the system tray.
2. Add your SSH keys (.ppk keys since this is Putty) in the Pageant application
3. Open Putty Configurations > Connection > SSH > Auth and tick “Allow agent forwarding”. This is analogous to “-A” when using the ssh command in bash.
4. Connect to the bastion server using the server IP and username (no need to specify ssh key since it is already in “memory” in the ssh-agent.pageant)