Friday, December 12, 2008


Periodically I'll learn something so useful I immediately wish I'd known it years ago, and so simple I'm almost ashamed to admit it was news to me. UNIX systems in general, and Linux in particular, seem to be especially good at coming up with such things. Yesterday was one such experience, when I learned about SSH's ForwardAgent option.

SSH agents let you use passphrase-protected SSH keys without typing in your passphrase all the time. If I connect from Host1 to Host2 via SSH, Host2 sends me a key challenge and my SSH agent answers it to authenticate me. But if I then use SSH to go from Host2 to Host3, by default I need to either type a password on Host3 (which is annoying and not terribly secure) or copy my private key to Host2 (which is annoying and terribly not secure) (yes, I meant to write it that way).

ForwardAgent (configured in ssh_config) allows Host3 to send a key challenge to Host2, and Host2 to forward the challenge to the SSH agent living on Host1. It's as if my private key followed me wherever I went. Neat :)
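Here is what that looks like in ssh_config, as an added example rather than anything from the original post: forwarding is switched on only for Host2, the hop on the way to Host3, and left off for every other host. The host name Host2 is the one used above; the file location is assumed.

```ssh_config
# ~/.ssh/config (example added here, not from the original post).
# OpenSSH keeps the first value it finds for each option, so the
# host-specific stanza has to come before the catch-all "Host *".

# Host2 is the hop we go through to reach Host3, so forward the agent there.
# Host3's key challenge reaches Host2 over the forwarded socket and is
# answered by the agent still running on Host1; no private key leaves Host1.
Host Host2
    ForwardAgent yes

# Everywhere else: no forwarding. While the session is open, anyone with
# root on a host that holds the forwarded socket can use the agent, so only
# forward to hosts you trust as much as Host1 itself.
Host *
    ForwardAgent no

# To check on Host2 that forwarding is actually in effect:
#   echo "$SSH_AUTH_SOCK"   (points at the forwarded socket)
#   ssh-add -L              (lists the public keys held by Host1's agent)
# The per-connection equivalent of the Host2 stanza is: ssh -A Host2
```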

