SSH authentication forwarding allows you to use private key on your local machine to connect to other machines. For example if the only way you are allowed to access Linux/Unix servers in your environment is through a bastion host follow the steps below.

We are assuming that you already have a private key and that the public key has already been deplpoyed to the bastion host as aswell as the servers you are trying to connect to.

In the example below I have a bastion host in AWS that allows connectivity to SSH via the public Internet. I also have a hosts in AWS that can only be reached via the bastion host.

Bastion Host IP Address: 54.82.255.188

Internal Server IP Address: 10.0.3.126

First add your private key using the ssh-add command and pass the -K switch. The -K switch allows you to store the key in the user’s key-chain.

# ssh-add -K myprivatekey.pem
Identity added: myprivatekey.pem (myprivatekey.pem)

Check that you key has successfully been added

# ssh-add -l
2048 SHA256:5vSP/1xL300000000000000006QjFgiEuUabiiaUEb0 myprivatekey.pem (RSA)

Now SSH to your bastion host using -A switch. The -A switch allows you to forward authentication agent connection.

# ssh -A [email protected]
Last login: Thu Nov 29 11:24:07 2018 from mypublicip.address

__| __|_ )
_| ( / Amazon Linux 2 AMI
___|\___|___|

https://aws.amazon.com/amazon-linux-2/

Once you have successfully logged in to your bastion host, you should be able to successfully login to your other servers.

[ec2-user@ip-10-0-1-122 ~]$ ssh [email protected]
The authenticity of host ‘10.0.3.126 (10.0.3.126)’ can’t be established.
ECDSA key fingerprint is SHA256:UqTsfdfsfsfsfsfIU9MwakzobDtzDqFTvNGyfLczBfg.
ECDSA key fingerprint is MD5:33:00:00:75:94:be:00:00:be:54:11:f0:68:29:ec:8b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘10.0.3.126’ (ECDSA) to the list of known hosts.

__| __|_ )
_| ( / Amazon Linux 2 AMI
___|\___|___|

https://aws.amazon.com/amazon-linux-2/
[ec2-user@ip-10-0-3-126 ~]$