How to enable SSH authentication forwarding
SSH authentication forwarding allows you to use the private key on your local machine to connect to other machines.
![ssh](https://ahmedjama.com/img/2018/11/ssh.png)
For example, if the only way you are allowed to reach the Linux/Unix servers in your environment is through a bastion host, follow the steps below.
We assume that you already have a private key and that the matching public key has already been deployed to the bastion host as well as to the servers you are trying to connect to.
In the example below I have a bastion host in AWS that accepts SSH from the public Internet. I also have a host in AWS that can only be reached via the bastion host.
Bastion Host IP Address: 54.82.255.188
Internal Server IP Address: 10.0.3.126
First add your private key with the ssh-add command, passing the -K switch. On macOS's ssh-add, the -K switch stores the key in the user's keychain so it is available again after a reboot.
```
# ssh-add -K myprivatekey.pem
Identity added: myprivatekey.pem (myprivatekey.pem)
```
Check that your key has been added successfully:
```
# ssh-add -l
2048 SHA256:5vSP/1xL300000000000000006QjFgiEuUabiiaUEb0 myprivatekey.pem (RSA)
```
Now SSH to your bastion host using the -A switch. The -A switch forwards the authentication agent connection to the remote host.
```
# ssh -A ec2-user@54.82.255.188
Last login: Thu Nov 29 11:24:07 2018 from mypublicip.address
(Amazon Linux 2 AMI banner: https://aws.amazon.com/amazon-linux-2/)
```
Once you have logged in to your bastion host, you can log in to your other servers from there. The bastion's ssh client answers the authentication challenge through the forwarded agent, so the private key itself never has to be copied onto the bastion.
```
[ec2-user@ip-10-0-1-122 ~]$ ssh ec2-user@10.0.3.126
The authenticity of host '10.0.3.126 (10.0.3.126)' can't be established.
ECDSA key fingerprint is SHA256:UqTsfdfsfsfsfsfIU9MwakzobDtzDqFTvNGyfLczBfg.
ECDSA key fingerprint is MD5:33:00:00:75:94:be:00:00:be:54:11:f0:68:29:ec:8b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.3.126' (ECDSA) to the list of known hosts.
(Amazon Linux 2 AMI banner: https://aws.amazon.com/amazon-linux-2/)
[ec2-user@ip-10-0-3-126 ~]$
```
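The procedure above, wrapped in the checks a practitioner would want before relying on it. This is an added example, not code from the original post: it verifies that the agent actually holds the key before the first hop, confirms on the bastion that the forwarded socket arrived, and generates an ssh_config stanza that enables ForwardAgent for the bastion host only rather than globally (while the agent is forwarded, anyone with root on the bastion can use its socket to authenticate as you, so it should be enabled for as few hosts as possible). The IP addresses, user name and key file name are the ones the post uses; the `bastion` Host alias and the `~/.ssh/` path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the post's
# procedure (ssh-add, "ssh -A" to the bastion, then ssh onward) in checks:
# the agent must hold the key before the first hop, and ForwardAgent is
# enabled for the bastion host only.
# IPs, user and key name are from the post; the "bastion" alias and the
# ~/.ssh/ path are assumptions.

BASTION_IP="54.82.255.188"     # bastion host IP from the post
INTERNAL_IP="10.0.3.126"       # internal server IP from the post
KEY_FILE="myprivatekey.pem"    # key name from the post
REMOTE_USER="ec2-user"         # login shown in the post's prompts

# Sample "ssh-add -l" listing, copied from the post's output, so the
# checks below can be exercised offline.
SAMPLE_LISTING="2048 SHA256:5vSP/1xL300000000000000006QjFgiEuUabiiaUEb0 myprivatekey.pem (RSA)"

# Emit an ssh_config stanza. ssh_config keeps the first value it finds for
# each option, so the per-host "ForwardAgent yes" wins over the trailing
# "Host *" default of "no". Only the bastion ever sees the agent socket.
bastion_config() {
    printf 'Host bastion\n'
    printf '    HostName %s\n' "$1"
    printf '    User %s\n' "$2"
    printf '    IdentityFile ~/.ssh/%s\n' "$3"
    printf '    ForwardAgent yes\n'
    printf '\n'
    printf 'Host *\n'
    printf '    ForwardAgent no\n'
}

# Read an "ssh-add -l" listing on stdin; succeed only if some line
# mentions the key, by comment or by SHA256 fingerprint.
key_loaded() {
    grep -qF -- "$1"
}

# Succeed when an agent is reachable and holds the key. Without this the
# inner ssh on the bastion has nothing to authenticate with.
agent_ready() {
    [ -n "${SSH_AUTH_SOCK:-}" ] || return 1
    ssh-add -l 2>/dev/null | key_loaded "$1"
}

# Run on the bastion: confirm the forwarded socket really arrived.
# ("ssh -A" is quietly ignored if the server disallows agent forwarding.)
forwarded_socket_present() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# The two hops from the post as one command, guarded by the agent check.
connect_via_bastion() {
    agent_ready "$KEY_FILE" || {
        echo "agent not ready: run 'ssh-add $KEY_FILE' first" >&2
        return 1
    }
    ssh -A -t "$REMOTE_USER@$BASTION_IP" "ssh $REMOTE_USER@$INTERNAL_IP"
}

# Offline demo: print the generated stanza and check the sample listing.
bastion_config "$BASTION_IP" "$REMOTE_USER" "$KEY_FILE"
if printf '%s\n' "$SAMPLE_LISTING" | key_loaded "$KEY_FILE"; then
    echo "key $KEY_FILE is present in the sample listing"
fi
```

Append the stanza that `bastion_config` prints to `~/.ssh/config`, then `ssh bastion` replaces `ssh -A ec2-user@54.82.255.188` from the post; run `forwarded_socket_present` in the bastion shell to check that the forwarding was accepted before trying the second hop.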