SSH Agent Forwarding Configuration
Configure SSH agent forwarding to use your local keys on remote servers. Understand when to use ForwardAgent, its security implications, and safer alternatives.
Detailed Explanation
SSH Agent Forwarding
Agent forwarding lets you use your local SSH keys from a remote server without copying the private key to that server. This is useful when, from within an SSH session, you need to pull from GitHub or hop to another server that trusts the same key.
Example Config
Host dev-server
    HostName dev.example.com
    User developer
    ForwardAgent yes
    IdentityFile ~/.ssh/id_ed25519
    AddKeysToAgent yes
How Agent Forwarding Works
- You connect to the remote server with agent forwarding enabled
- sshd on the remote server creates a UNIX socket (its path is exported as SSH_AUTH_SOCK in your session) and relays anything written to it back over the SSH connection to your local ssh-agent
- When you run ssh or git on the remote server, the client sends the authentication challenge to that socket; your local agent signs it and returns only the signature
- The private key never leaves your local machine
Security Considerations
Agent forwarding has a significant security risk: root on the remote server, or any process running as your user there, can connect to the forwarded socket (the path in SSH_AUTH_SOCK) and have your local agent sign challenges, which means authenticating as you to any host that trusts your key, for as long as your session stays open. The private key itself cannot be extracted this way, but an attacker does not need it. This means:
- Only enable ForwardAgent for servers you trust as much as your own workstation, and only for sessions that need it
- Never enable it globally (in a Host * block, or before any Host line, where it applies to every connection)
- Consider using ProxyJump instead, which doesn't require agent forwarding
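As an added example (not part of the original page), here is a POSIX shell function that audits a client ssh_config file for the mistake above: ForwardAgent yes under a wildcard Host pattern, under Match all, or before any Host line. The file path in the usage comment is an assumption; the function only reads the file you pass it.

```sh
#!/bin/sh
# Added example, not from the original page: flag ForwardAgent yes that
# applies too broadly in an ssh_config file. Usage:
#   audit_forward_agent ~/.ssh/config     # path is an assumption
# Prints each offending Host/Match pattern; exit 1 if any found, else 0.
# Limitation: Include directives are not followed, and the
# "Keyword=value" spelling is not parsed.
audit_forward_agent() {
  awk '
    /^[ \t]*#/ { next }                            # skip comment lines
    tolower($1) == "host" || tolower($1) == "match" {
      block = $0
      sub(/^[ \t]*[A-Za-z]+[ \t]+/, "", block)     # keep only the pattern(s)
      if (tolower($1) == "match" && tolower($2) == "all") block = "*"
      next
    }
    tolower($1) == "forwardagent" && tolower($2) == "yes" {
      if (block == "")         { print "(global, before any Host)"; found = 1 }
      else if (block ~ /[*?]/) { print block; found = 1 }
    }
    END { exit found ? 1 : 0 }
  ' "$1"
}
```

To see the setting ssh will actually apply for one host, after all Host and Match blocks and includes are resolved, use ssh -G dev-server | grep -i forwardagent; ssh -G prints the effective configuration without connecting.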
Safer Alternative: ProxyJump
Instead of forwarding your agent to reach a third server through a bastion:
# Instead of agent forwarding through bastion:
Host target
    HostName 10.0.1.50
    User deploy
    ProxyJump bastion
ProxyJump has your local ssh client open a TCP forward through the bastion and run the full SSH handshake end to end with the target, so you authenticate to the target directly from your own agent. The bastion only relays encrypted bytes and never sees an agent socket. The bastion alias must resolve to a host, either through its own Host block or written as user@host:port, and both the bastion and the target need your public key in their authorized_keys.
Verifying Agent Forwarding
On the remote server, check that the agent is available:
ssh-add -l # Should list your keys
echo $SSH_AUTH_SOCK # Should show a socket path
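As an added example (not from the original page), the checks above can be combined into one POSIX shell function for the remote side that tells apart the three ways forwarding usually fails: no socket exported, a socket path that no longer exists, and an agent that is reachable but holds no keys. It relies on the documented ssh-add exit codes (0 on success, 1 when the command fails, 2 when the agent cannot be contacted).

```sh
#!/bin/sh
# Added example, not from the original page. Run on the remote server to
# verify that the forwarded agent is reachable and offers keys.
# Prints one status word; exit 0 only when keys are available.
forwarded_agent_status() {
  agent_sock="${SSH_AUTH_SOCK:-}"
  if [ -z "$agent_sock" ]; then
    echo "no-socket"            # ForwardAgent off, or sshd has AllowAgentForwarding no
    return 1
  fi
  if [ ! -S "$agent_sock" ]; then
    echo "stale-socket"         # variable set but the socket file is gone
    return 1
  fi
  agent_rc=0
  ssh-add -l >/dev/null 2>&1 || agent_rc=$?
  case $agent_rc in
    0) echo "keys-available"; return 0 ;;
    1) echo "no-identities"; return 1 ;;    # agent reachable but empty: ssh-add locally
    *) echo "agent-unreachable"; return 1 ;; # exit 2, or ssh-add missing
  esac
}
```

A no-identities result with a working socket means the local agent simply has no key loaded yet; AddKeysToAgent yes in the config above loads the key on first use, or run ssh-add on your workstation.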
Restricting Forwarded Keys
Two agent-side controls limit the damage a compromised remote host can do with a forwarded socket. ssh-add -c (available for a long time, not an OpenSSH 8.9 addition) adds a key with the confirm constraint, so the agent prompts you through ssh-askpass before every use, including uses that arrive via a forwarded socket. OpenSSH 8.9 added destination constraints: ssh-add -h restricts a key to named hosts, for example usable only on dev-server, or only on target when reached through dev-server, so a host outside that path cannot use the key even if it holds your socket. The agent enforces this by checking the host keys of the hosts in the path, so those hosts must be in your known_hosts; see ssh-add(1) for the exact syntax.
Use Case
Developers who need to access Git repositories or other SSH-protected resources from within a remote SSH session without copying private keys to the remote server.