What is SSH Agent Forwarding?

SSH Agent Forwarding allows us to forward our local key when we’re logged in on a remote server without copying it off of the local machine.

This comes in handy in a lot of cases. For example, we’re currently deploying a new version of our software on a remote server. For that, we’re using git to pull the latest version from the remote GitHub repository via SSH. SSH needs our private key for this, but we don’t want to copy it off our machine.

Agent forwarding allows us keep our private key private but still use it on remote machines. Usually, we’d connect to our web server like this:

$ ssh deploy@production.example.com -i .ssh/id_rsa

We can execute commands on the remote server, but when we want to use our private key, it’s not present:

# on the remote server
$ ssh-add -L
The agent has no identities.

ssh-add -L allows us to check which SSH Keys are currently added to ssh-agent.

Let’s exit the current ssh session and do it again:

$ ssh deploy@production.example.com -i .ssh/id_rsa -A

This time, we’re using an additional parameter (-A). -A tells ssh to forward our current agent. On the remote machine, let’s check our keys again:

$ssh-add -L
ssh-rsa AAAA...

Now, we see that the private key from our local machine is available in our ssh session. It is not physically present on the server though. Whenever we execute commands that uses ssh, the key is in scope now.