SSH Agent and Agent forwarding

Source: Internet
Author: User
Tags: chmod, unix domain socket, ssh server

I am writing up ssh-agent because, as the company's springboard (jump host) programme is rolled out, ssh-agent will be used on a large scale, often without people noticing it. Understanding how it works helps me understand the deployment and operations involved, and how to roll it out safely.

As with other Linux software, the best information is written in English. On SSH authentication and user management there is a good series at Http:// (search for Brian Hatch, the "red guest").

How exactly does ssh-agent work? Two excerpts below describe it, and from their descriptions we can build up the picture.

1. Excerpt from Brian Hatch's article

One of the nice things about the agent is that it can follow you as you SSH from machine to machine. The default in newer versions of OpenSSH is to disable agent forwarding, so you'll need to decide when it's correct for you and specify it appropriately.

How does agent forwarding actually work? In short, the agent is running on one machine, and when you SSH with agent forwarding, the server creates a 'tunnel' back through the SSH connection to the agent so it's available for any further SSH connections.

Let's say we're on our desktop, we SSH to a management server with agent forwarding, and from the management server we SSH to our mail server. Here's what happens: /usr/bin/ssh on your desktop connects to the management server, authenticates, and requests agent forwarding. /usr/sbin/sshd on the management server creates a socket in /tmp/ssh-xxxxxxx/agent.##### and sets the SSH_AUTH_SOCK environment variable to match. The SSH daemon then starts up your shell, and you begin doing your work on the management server. When you decide to SSH out to the mail server, the /usr/bin/ssh program (here on the management server) sees the SSH_AUTH_SOCK environment variable and connects to this local socket file. The SSH daemon, which is the other end of the local socket /tmp/ssh-xxxxxxx/agent.#####, simply transfers data from /usr/bin/ssh on the management server to and from the ssh-agent running on your desktop. All the key mathematics is handled on the actual agent, which is running on your desktop, not on any of the intervening machines. The agent authenticates to the mail server and you're in.

Using agent forwarding can save you a lot of time and typing.

2. Excerpt from the PuTTY manual

Agent forwarding is a mechanism that allows applications on your SSH server machine to talk to the agent on your client machine.

Note that at present, agent forwarding in SSH-2 is only available when your SSH server is OpenSSH. The server uses a different agent protocol, which PuTTY does not yet support.

To enable agent forwarding, first start Pageant. Then set up a PuTTY SSH session in which 'Allow agent forwarding' is enabled (see section 4.20.6). Then open the session as normal. (Alternatively, you can use the -A command line option; see the relevant section for details.)

If this has worked, your applications on the server should now have access to a Unix domain socket which the SSH server will forward back to PuTTY, and PuTTY will forward on to the agent. To check that this has actually happened, you can try this command on Unix server machines:

If the result line comes up blank, agent forwarding has not been enabled at all.

Now if you run ssh on the server and use it to connect through to another server that accepts one of the keys in Pageant, you should be able to log in without a password.

If you enable agent forwarding in that SSH connection as well (see the manual for your server-side SSH client to find out how to do this), your authentication keys will still be available on the next machine you connect to, two SSH connections away from where they're actually stored.

In addition, if you have a private key on one of the SSH servers, you can send it all the way back to Pageant using the local ssh-add command,

and then it's available to every machine that has agent forwarding available (not just the ones downstream of the place you added it).

Let me add a few words of my own, and a picture.

At the bottom of the chain, on the SSH client you start from, set up ssh-agent (see Brian Hatch's article, or my follow-up article) and also enable agent forwarding. Note that these are two different things. ssh-agent only stores the decrypted keys: when the SSH client selects the publickey authentication method, it will automatically (or by configuration) fetch the key from ssh-agent, which saves you the trouble of decrypting the private key each time. Agent forwarding, on the other hand, makes the SSH client ask the SSH server to forward the agent, and that is what lets you hop through n SSH connections without entering a password.

Once the SSH client has both of these in place, you can use it: from machine A, ssh to machine B and on to machine C, unimpeded, with no password. If you want to go from C on to D, agent forwarding must also be enabled on B, so that when sshd on C receives the agent-forwarding request it creates a local socket and sets the SSH_AUTH_SOCK environment variable, making the agent available to the SSH client on server C as well. Viewed as a whole, this creates a secure channel back to the private key: to the SSH client on machine C, the ssh-agent on machine A appears to be running locally.

For an SSH client, if it sees that the SSH_AUTH_SOCK environment variable is set, it assumes it can connect to that local socket and obtain the private key from ssh-agent. This ssh-agent may be running locally or on another machine (in which case the agent connection is carried through the SSH tunnel).

Now look at the picture and follow the steps.

Step one: start ssh-agent. This program creates a socket for communication between ssh and ssh-agent and exports SSH_AUTH_SOCK and SSH_AGENT_PID, so that the SSH client knows ssh-agent is running; if the SSH client is properly configured, it will take the key from ssh-agent.

Step two: ssh to machine B. Because ssh uses the key held in ssh-agent, you do not have to enter a passphrase. Because the SSH client requested agent forwarding, sshd on B creates a socket; this socket is of no use for now, but it will be used in step three.

Step three: from machine B, ssh to machine C. ssh notices that SSH_AUTH_SOCK is set and connects to the socket, so that ssh (on A) -> sshd (on B) -> ssh (on B) forms a channel that carries the key requests. ssh on B talks to the ssh-agent on A exactly as it would talk to a local ssh-agent.

Step four: ssh (on B) and sshd (on C) perform publickey authentication. Because the private key comes from the ssh-agent on machine A, no passphrase is needed here either.

It can be seen that to enable agent forwarding, the work is done mainly on the SSH client side; if the servers in the middle run OpenSSH's sshd, they support it automatically and need no additional changes.

Usage guide

1. Linux: start ssh-agent. You can have it create a subprocess which inherits the SSH_AUTH_SOCK environment variable, or you can run it on its own and import the variables it prints into your shell.

Since I run GDM on Debian, ssh-agent is started automatically when I log in. If you don't have this benefit, you can get it by putting the following line at the end of your .xsession file (you can substitute your window manager for gnome-session if that is what you use):

ssh-agent gnome-session

Which basically means that ssh-agent starts up, creates a socket, sets up a couple of environment variables and then starts up gnome-session. That way all of the programs run in GNOME have access to the agent.

The above solution is the best one if you are logging in via GDM or another graphical login manager. However, if you log in on the console, or want to use ssh-agent under Cygwin, you'll have to use one of the following solutions.

If you want to, say, put it in your .profile, then you might try the following setup. In my .bash_profile, I have

SSHAGENT=/usr/bin/ssh-agent        # path to the agent binary; referenced by the test below
SSHAGENTARGS="-s"                  # -s: print Bourne-shell syntax for the eval below
if [ -z "$SSH_AUTH_SOCK" -a -x "$SSHAGENT" ]; then
  eval `$SSHAGENT $SSHAGENTARGS`   # exports SSH_AUTH_SOCK and SSH_AGENT_PID into this shell
  trap 'kill $SSH_AGENT_PID' 0     # kill the agent when this login shell exits
fi

(If you use csh or tcsh, use the equivalent piece of code for your login shell.)

This brings SSH_AUTH_SOCK and SSH_AGENT_PID as environment variables into the current shell.

The trap should kill off any remaining ssh-agent process. If it doesn't, you won't want ssh-agent daemons sitting around, so you might want the following as well:

kill $SSH_AGENT_PID

An alternative, provided by John Buttery, is

if [ "${SSH_AGENT_PID+1}" = 1 ]; then   # true only when SSH_AGENT_PID is set
   ssh-agent -k >/dev/null 2>&1        # ask the agent named by SSH_AGENT_PID to exit
   unset SSH_AGENT_PID
   unset SSH_AUTH_SOCK
fi

Finally, this solution from Joseph M. Reagle by way of Daniel Starin:

SSH_ENV="$HOME/.ssh/environment"

function start_agent {
     echo "Initialising new SSH agent..."
     # ssh-agent prints shell commands; comment out its 'echo' line and save the rest
     /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}"
     echo succeeded
     chmod 600 "${SSH_ENV}"          # the file names the socket and pid; keep it private to you
     . "${SSH_ENV}" >/dev/null
}

# Source SSH settings, if applicable

if [ -f "${SSH_ENV}" ]; then
     . "${SSH_ENV}" >/dev/null
     # ps ${SSH_AGENT_PID} doesn't work under Cygwin, so look for the agent in ps -ef instead
     ps -ef | grep ${SSH_AGENT_PID} | grep ssh-agent$ >/dev/null || {
         start_agent
     }
else
     start_agent
fi

This is especially nice since it'll check whether you've already started ssh-agent and, if it can't find it, will start it up and store the settings so they'll be usable the next time you start up a shell.

(Update Sep 2007: Adam Piper pointed out that quoting anything that uses $HOME is necessary on Cygwin.) Finally, time to type a password: the last one for this session, maybe.

$ ssh-add ~/.ssh/id_dsa
Need passphrase for /home/mah/.ssh/id_dsa (
Enter passphrase:

Now, you should test it:

$ ssh last
login: Tue Apr 13:40:21 1492 from
Sun Microsystems Inc.   SunOS 5.7       Generic October 1998
No mail.

Jubilation! It worked! Go forth and conquer! (If it doesn't work, try chmod -R go-rw ~/.ssh on the server and try again.)

In the above steps, we use ssh-agent to hold the keys and eliminate the trouble of either specifying the private key on the ssh command line or typing the passphrase every time the private key is used. But this alone does not make agent forwarding happen along the way. To make agent forwarding really happen on the server you log in to, we need to enable the ForwardAgent option on the SSH client (note: on the client, not on the SSH server) by setting it to 'yes'.

Turn on agent forwarding globally

Unless you have a good reason to forward the agent by default, you should verify that agent forwarding is disabled by default. If you do want it on for every host, locate the global ssh_config file, which typically lives in /etc/ or /etc/ssh/, and make sure it contains the following:

Host *
    ForwardAgent yes

This will enable ssh-agent forwarding for every host.

Agent forwarding on the command line

To forward your agent via the command line, just include the -A flag:

desktop$ ssh -A user@remotehost

The -a option disables agent forwarding, which is the default.

Agent forwarding via the config file

If you have hosts to which you always wish to forward your agent, without the trouble of supplying -A, you can create entries in ~/.ssh/config to turn it on for those hosts:

$ cat ~/.ssh/config
Host shellserver
    ForwardAgent yes

Host management-server
    ForwardAgent yes

Host *
    ForwardAgent no

Although the restrictive Host * section should already be contained in the global ssh_config file, I prefer to have it in my personal copy regardless.

How to know that ssh-agent is working

1. Ensure ssh-agent is running on the SSH client (assuming the host is penghongqing-desktop):

ps -ef | grep ssh-agent

2. Confirm that the private key is managed by ssh-agent on the SSH client.


3. Confirm that the SSH_AUTH_SOCK environment variable is set on the SSH client:

echo $SSH_AUTH_SOCK

4. On the springboard (assuming its host name is cnbj-ctc-ops01-trf0002), confirm that the SSH_AUTH_SOCK environment variable is set there too.

5. When starting ssh on the springboard, use verbose mode and see which host the private key comes from.

penghongqing@cnbj-ctc-ops01-trf0002:~$ ssh -vvv ubuntu@

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug2: key: penghongqing@penghongqing-desktop (0x7f04a4ebde50)

From the last line you can see that the private key is not taken from the springboard itself; it comes from the host of the first SSH client.
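The ssh client's side of this, as an added example that is not from the original page, from OpenSSH or from PuTTY: a minimal client for the SSH agent protocol that connects to the Unix domain socket named by SSH_AUTH_SOCK, sends SSH_AGENTC_REQUEST_IDENTITIES and returns the keys the agent answers with, which is the same query ssh-add -l makes. It covers step two of the checklist above (is the key held by the agent?) and steps three to five (what the socket on the springboard leads to): run on the springboard while agent forwarding is active, the socket it opens is the one sshd created under /tmp/ssh-xxxxxxx/agent.##### and the keys it lists are those of the agent on your desktop, none of them stored on the springboard; run where SSH_AUTH_SOCK is unset, it reports that no agent is reachable. The message numbers and wire format are the real agent protocol; the fake agent, its ed25519 key bytes and the socket directory are constructed so the script runs offline, and the key comment reuses the one from the debug output above.

```python
import base64
import hashlib
import os
import socket
import struct
import tempfile
import threading

# Message numbers from the SSH agent protocol (the same ones ssh-add uses).
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12


def _string(data):
    """Encode an SSH 'string' (uint32 big-endian length, then the bytes); whole messages are framed the same way."""
    return struct.pack(">I", len(data)) + data

def _read_string(buf, off):
    """Decode an SSH 'string' at offset off; return (bytes, offset after it)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def _recv_exact(sock, n):
    """Read exactly n bytes from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the connection")
        buf += chunk
    return buf

def fingerprint(key_blob):
    """OpenSSH-style SHA256 fingerprint of a public key blob, as ssh-add -l prints it."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_identities_answer(msg):
    """Turn an SSH_AGENT_IDENTITIES_ANSWER payload into (key_type, fingerprint, comment) tuples."""
    if not msg or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent reply type %r" % msg[:1])
    (nkeys,) = struct.unpack_from(">I", msg, 1)
    off, keys = 5, []
    for _ in range(nkeys):
        blob, off = _read_string(msg, off)
        comment, off = _read_string(msg, off)
        key_type, _ = _read_string(blob, 0)  # every key blob starts with its algorithm name
        keys.append((key_type.decode(), fingerprint(blob), comment.decode()))
    return keys

def list_identities(sock_path=None):
    """Ask the agent behind sock_path (default $SSH_AUTH_SOCK) which keys it holds."""
    path = sock_path or os.environ.get("SSH_AUTH_SOCK")
    if not path:
        raise RuntimeError("SSH_AUTH_SOCK is not set: no agent (and no forwarding) reachable here")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(_string(bytes([SSH_AGENTC_REQUEST_IDENTITIES])))
        (length,) = struct.unpack(">I", _recv_exact(s, 4))
        return parse_identities_answer(_recv_exact(s, length))


# Fake agent, used only to exercise the client offline. Key bytes are constructed, not a real key.
FAKE_KEY_BLOB = _string(b"ssh-ed25519") + _string(bytes(range(32)))
FAKE_COMMENT = b"penghongqing@penghongqing-desktop"  # comment taken from the debug output above

def fake_identities_answer():
    """Build the reply a real agent sends for one ed25519 key."""
    header = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 1)
    return header + _string(FAKE_KEY_BLOB) + _string(FAKE_COMMENT)

def start_fake_agent(sock_path):
    """Listen on sock_path and answer one request from a background thread; returns the thread."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(1)

    def serve_once():
        conn, _ = srv.accept()
        with srv, conn:
            (length,) = struct.unpack(">I", _recv_exact(conn, 4))
            req = _recv_exact(conn, length)
            ok = req[0] == SSH_AGENTC_REQUEST_IDENTITIES
            conn.sendall(_string(fake_identities_answer() if ok else bytes([SSH_AGENT_FAILURE])))

    t = threading.Thread(target=serve_once, daemon=True)
    t.start()
    return t

def demo():
    """Run the client against the fake agent, the way ssh-add -l runs against a real one."""
    path = os.path.join(tempfile.mkdtemp(prefix="ssh-"), "agent.0")  # constructed, mimics sshd's naming
    t = start_fake_agent(path)
    keys = list_identities(path)
    t.join()
    return keys


if __name__ == "__main__":
    for key_type, fp, comment in demo():
        print(key_type, fp, comment)
```

To use it against a real agent, call list_identities() with no argument in a shell where SSH_AUTH_SOCK is set; the returned comment and fingerprint are what to compare with ssh-add -l on your desktop when checking that the springboard is really reaching your agent and not a key stored locally.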
