ssh Agent Forwarding
Steckerhalter's ƛ

Quite often it is necessary to ssh via an intermediate host if the destination host is not directly accessible through ssh. Usually people do this:

ssh user@host1
ssh host2
# you'll have to enter your password

If host2 allows password authentication this works, but if it allows only key-based authentication it is even worse: you would have to make host2 reachable from your account on host1, which means storing a private key on host1 (or generating one there and authorizing it on host2), so your key material ends up on a machine you may not fully trust.

A slick workaround which solves both problems is to use so-called agent forwarding (from the ssh(1) man page):

-A      Enables forwarding of the authentication agent connection.  This
         can also be specified on a per-host basis in a configuration
         file.

         Agent forwarding should be enabled with caution.  Users with the
         ability to bypass file permissions on the remote host (for the
         agent's UNIX-domain socket) can access the local agent through
         the forwarded connection.  An attacker cannot obtain key material
         from the agent, however they can perform operations on the keys
         that enable them to authenticate using the identities loaded into
         the agent.

Then the whole thing looks just like that:

ssh -tA user@host1 "ssh host2"

It saves time and makes you happy. With -A, host1 gets a socket to the agent running on your own machine; when host2 challenges host1's ssh client with your public key, the signature is computed by your local agent, so no private key is ever stored on host1. -t needs to be added because ssh does not request a pseudo-terminal when a remote command is given, which means you would not get a proper interactive shell prompt on host2 otherwise. Keep the man page caution above in mind: for as long as you are connected, anyone with root on host1 can use that socket to authenticate as you to any host that accepts your keys.
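The man page excerpt above mentions that forwarding can also be enabled per host in the configuration file, and it spells out the risk: root on host1 can use your agent while you are connected. As an added example that is not part of the original post, here is a ~/.ssh/config fragment that scopes forwarding to the one intermediate host, placed next to the ProxyJump alternative, which reaches host2 without exposing the agent to host1 at all. The host names, user name and key path are placeholders chosen for the example.

```sshconfig
# Added example, not from the original post. Host names, user and
# key path are placeholders.

# Variant 1: agent forwarding, scoped to the intermediate host only.
# Do not put ForwardAgent in a "Host *" block: every host you log in
# to would then get a socket to your agent.
Host host1
    HostName host1.example.com
    User user
    ForwardAgent yes

# Usage: ssh -t host1 "ssh host2"
# Anyone with root on host1 can use the forwarded socket while you are
# connected (they cannot read the key, only sign with it). Loading the
# key with `ssh-add -c` makes the agent ask for confirmation on every
# such use, which turns a silent misuse into a visible prompt.

# Variant 2: ProxyJump (OpenSSH 7.3+). ssh opens a TCP tunnel through
# host1 and runs the second session end to end from your machine, so
# host2's key challenge is answered by your local agent and nothing is
# forwarded to host1. Neither -A nor -t is needed.
Host host2
    HostName host2.internal
    User user
    ProxyJump host1
    IdentityFile ~/.ssh/id_ed25519

# Usage: ssh host2      (same as: ssh -J user@host1 user@host2)
```

Variant 2 requires host1's sshd to permit TCP forwarding (AllowTcpForwarding, which is on by default) and host2 to accept a key that lives on your machine or in your local agent. From host1's point of view you only ever open a tunnel; host1 never sees an agent socket, a private key, or the contents of the session to host2.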