[lug] ssh-agent / ssh-add and picking up credentials used to log into remote system

Kevin Fenzi kevin at scrye.com
Mon Nov 20 18:43:44 MST 2017

On 11/20/2017 03:14 PM, Zan Lynx wrote:
> On Mon, Nov 20, 2017 at 03:31:37PM -0700, Bear Giles wrote:
>> Hi, I'm sure I had this working before but I've hit it again with a new
>> jump host on AWS. I know there's a way to set up ssh-agent and ssh-add so I
>> can carry the credentials through ssh calls but I'm missing it at the
>> moment.
>> I have 'ForwardAgent yes' in my .ssh/config file and run ssh-agent and
>> ssh-add in my .profile. (more precisely I've added "eval `ssh-agent -s`").
>> However the list of identities is empty.
>> What am I missing?
> Don't forget to turn on ForwardAgent on the jump host as well. You need
> to keep forwarding the agent.
> It's also possible that the OS on the jump host has disabled forwarding
> in the sshd for some security reason. That's AllowAgentForwarding in
> sshd_config.
> And if you've copied your profile around make sure you only run an
> ssh-agent if you don't already have one. It's possible you are running
> another one and overwriting the environment variable. The new agent
> won't have your keys.

All good things to check for this, but personally, I would advise
against using ssh-agent at all in this case. Anyone who has root on any
host you have sshed into can use your agent as they like while you are

Instead, you should just use nc on the jump host:

Host your-internal-hostname-or-ip
   HostName %h
   ProxyCommand ssh -q yourusename at your-jump-host /usr/bin/nc %h 22

This way you never have to forward your agent, instead ssh connects to
the jump host and runs nc and connects to the internal host over that.

This will of course fail to work if you have multiple levels of
things... ie, jump-host -> internal-other-jumphost -> target but it
works fine for 1 level and makes you a little bit more secure.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.lug.boulder.co.us/pipermail/lug/attachments/20171120/55c25dce/attachment.sig>

More information about the LUG mailing list