As mentioned in a previous post, Secure Shell (SSH) is a tool for secure system administration, file transfers, and other communication across the Internet or other untrusted networks. When you roll out SSH keys for public key authentication across a large number of hosts, so that logins no longer require a password, you will soon face the question of how to jump from server to server without authenticating again, or find that the host from which you want to start the next SSH session is missing the right keys. This is where ssh-agent comes in handy as a helper program: it holds your keys and performs the authentication on your behalf, and through the agent forwarding capability built into the SSH protocol it provides a form of single sign-on (SSO).
Remember that you will always need your public key copied to your final destination host to automate the login process. You can copy the keys manually or use the handy ssh-copy-id command as shown in my previous post to open a passwordless session using the ssh command.
ssh -i [file...] user@hostname
Things get more interesting when you are already connected to host-1 and from there you want to connect to host-2, but host-1 does not have the key needed to reach host-2 without a password. Let us see how ssh-agent takes care of this situation, using a Linux computer for the demonstration.
First, on your Linux computer, you can start the ssh-agent automatically via ~/.bash_profile or a systemd user service, but that goes beyond the scope of this post. For this discussion, I will start the ssh-agent interactively with the following command, which evaluates the environment variables the agent prints so that ssh and ssh-add can find it.
eval "$(ssh-agent -s)"
Next, the ssh-add command adds your id_rsa private key from the ~/.ssh directory. If needed, you can always create any required SSH keys, add them to the agent, and list the loaded keys using the following commands.
ssh-add [file ...]
ssh-add -l
One additional setting is required for agent forwarding to work: the ForwardAgent option must be set to yes in the ~/.ssh/config file. Keep in mind that forwarding exposes your agent's socket to every host it is enabled for, so a compromised server could use your keys while you are connected; limit it to the hosts you actually jump through. The StrictHostKeyChecking and UserKnownHostsFile lines in the example below are not required for forwarding and, as set here, disable host key verification.
# Default config for all hosts
Host *
Port 22
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
ServerAliveInterval 60
ServerAliveCountMax 30
IdentitiesOnly yes
ForwardAgent yes
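As an added example (not part of the original post), here is a small POSIX shell audit function that reads an ssh_config-style file and flags the three settings from the block above that weaken the setup: ForwardAgent yes under Host *, StrictHostKeyChecking no, and UserKnownHostsFile /dev/null. The config path and the sample config in the comment are constructed for illustration.

```shell
#!/bin/sh
# Audit an ssh_config-style file for settings that weaken an agent-forwarding
# setup. Prints one finding per line; exit status is 0 when no findings.
# Example input (constructed):
#   Host *
#       StrictHostKeyChecking no
#       UserKnownHostsFile /dev/null
#       ForwardAgent yes
audit_ssh_config() {
    cfg="$1"
    findings=0
    host='(none)'
    while read -r key value; do
        # Skip blank lines and comments.
        case "$key" in
            ''|'#'*) continue ;;
        esac
        # ssh_config keywords are case-insensitive; normalise before matching.
        lkey=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        lval=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')
        case "$lkey" in
            host) host="$value" ;;
            forwardagent)
                # Forwarding the agent socket to every host (Host *) lets any
                # compromised server sign with your keys; scope it per host.
                if [ "$lval" = yes ] && [ "$host" = '*' ]; then
                    echo "Host $host: ForwardAgent yes applies to all hosts; restrict it to trusted jump hosts"
                    findings=$((findings + 1))
                fi ;;
            stricthostkeychecking)
                if [ "$lval" = no ]; then
                    echo "Host $host: StrictHostKeyChecking no disables host key verification"
                    findings=$((findings + 1))
                fi ;;
            userknownhostsfile)
                if [ "$value" = /dev/null ]; then
                    echo "Host $host: UserKnownHostsFile /dev/null discards learned host keys"
                    findings=$((findings + 1))
                fi ;;
        esac
    done < "$cfg"
    [ "$findings" -eq 0 ]
}
```

Run it as `audit_ssh_config ~/.ssh/config`; a per-host ForwardAgent yes (for example only under Host host-1) is not reported, since that is the scoped form you want.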
After loading the ssh-agent, adding your keys, and editing your config file, you can still log in from your computer to any remote host where your public key was previously copied, in the same way you normally do with the ssh command.
ssh user@192.168.1.5
ssh user@192.168.1.6
Without ssh-agent on your local computer, if you try to connect from host-1 (192.168.1.5) to host-2 (192.168.1.6), you will need to type a password to log in to host-2, because host-1 does not have the key to connect to host-2. Now, with the help of ssh-agent, you should be able to connect without typing your password. Agent forwarding made your local agent reachable from host-1, so the ssh client on host-1 could authenticate to host-2 with your key while the private key itself never left your computer.
Additionally, you can connect to host-2 with a single command using the ssh -t option, which allocates a pseudo-terminal for the nested session.
ssh -t user@192.168.1.5 ssh user@192.168.1.6
For the last example, I will shorten the command a little bit more using the convenience of SSH aliases in the config file.
# Config as per host
Host host-1
HostName 192.168.1.5
User user
IdentityFile ~/.ssh/id_rsa
Host host-2
HostName 192.168.1.6
User user
IdentityFile ~/.ssh/id_rsa
The SSH aliases let you “jump” directly from your computer to host-2 using the ssh -J [destination] option, like this.
ssh -J host-1 host-2
With the ssh -J [destination] option, ssh uses host-1 as a jump host: it opens the connection to host-2 through host-1 and authenticates to host-2 directly from your computer, so neither your key nor your configuration needs to be present on host-1, and agent forwarding is not required for this step. You reach your final destination on host-2 without typing a password, or the fully qualified domain name (FQDN) or IP address of host-2.