How to enable SSH authentication forwarding
SSH authentication forwarding allows you to use private key on your local machine to connect to other machines
SSH authentication forwarding allows you to use private key on your local machine to connect to other machines. For example if the only way you are allowed to access Linux/Unix servers in your environment is through a bastion host follow the steps below.
We are assuming that you already have a private key and that the public key has already been deplpoyed to the bastion host as aswell as the servers you are trying to connect to.
In the example below I have a bastion host in AWS that allows connectivity to SSH via the public Internet. I also have a hosts in AWS that can only be reached via the bastion host.
Bastion Host IP Address: 54.82.255.188
Internal Server IP Address: 10.0.3.126
First add your private key using the ssh-add command and pass the -K switch. The -K switch allows you to store the key in the user’s key-chain.
# ssh-add -K myprivatekey.pem
Identity added: myprivatekey.pem (myprivatekey.pem)
Check that you key has successfully been added
# ssh-add -l
2048 SHA256:5vSP/1xL300000000000000006QjFgiEuUabiiaUEb0 myprivatekey.pem (RSA)
Now SSH to your bastion host using -A switch. The -A switch allows you to forward authentication agent connection.
# ssh -A [email protected]
Last login: Thu Nov 29 11:24:07 2018 from mypublicip.address
__| __|_ )
_| ( / Amazon Linux 2 AMI
___|\___|___|
https://aws.amazon.com/amazon-linux-2/
Once you have successfully logged in to your bastion host, you should be able to successfully login to your other servers.
[ec2-user@ip-10-0-1-122 ~]$ ssh [email protected]
The authenticity of host ‘10.0.3.126 (10.0.3.126)’ can’t be established.
ECDSA key fingerprint is SHA256:UqTsfdfsfsfsfsfIU9MwakzobDtzDqFTvNGyfLczBfg.
ECDSA key fingerprint is MD5:33:00:00:75:94:be:00:00:be:54:11:f0:68:29:ec:8b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘10.0.3.126’ (ECDSA) to the list of known hosts.
__| __|_ )
_| ( / Amazon Linux 2 AMI
___|\___|___|
https://aws.amazon.com/amazon-linux-2/
[ec2-user@ip-10-0-3-126 ~]$