ssh Agent Forwarding Steckerhalter's ƛ
Quite often it is necessary to ssh via an intermediate host if the destination host is not directly accessible through ssh. Usually people do this:
ssh user@host1 ssh host2 # you'll have to enter your password
Now if the second host allows password auth this works, but if it allows only key-based auth it’s even worse because you need to make host2 accessible from your user account on
A slick workaround that solves both problems is to use so-called agent forwarding. The ssh manual describes the option:
-A Enables forwarding of the authentication agent connection. This can also be specified on a per-host basis in a configuration file. Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent's UNIX-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.
With agent forwarding, the whole thing looks like this:
ssh -tA user@host1 "ssh host2"
It saves time and makes you happy.
-t needs to be added because otherwise ssh will not request a pseudo-terminal, which means you will not get a proper shell prompt on the other end.
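The manual excerpt above says forwarding can be set per host in a configuration file and should be enabled with caution. As an added example (not from the original post), here is a `~/.ssh/config` that limits forwarding to the intermediate host, with the overly broad setting shown first in comments; the alias `jump-to-host2` is made up, and `user`, `host1` and `host2` are the post's placeholders.

```sshconfig
# ~/.ssh/config (example; alias name is hypothetical)

# Too broad: every server you log in to can reach your agent
# for as long as you stay connected.
# Host *
#     ForwardAgent yes

# Scoped: forward the agent only to the intermediate host.
# ForwardAgent yes  is the config form of -A
# RequestTTY yes    is the config form of -t
# RemoteCommand     is the command given on the command line
Host jump-to-host2
    HostName host1
    User user
    ForwardAgent yes
    RequestTTY yes
    RemoteCommand ssh host2

# ssh takes the first value it obtains for each option, so this
# default has to come after the more specific block above.
Host *
    ForwardAgent no
```

`ssh jump-to-host2` then behaves like the command above, and `ssh -G jump-to-host2` prints the options ssh will actually apply for that host.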