SSH Agent Forwarding allows us to forward our local key when we’re logged in on a remote server without copying it off of the local machine.
This comes in handy in a lot of cases. For example, we’re currently deploying a new version of our software on a remote server. For that, we’re using git to pull the latest version from the remote GitHub repository via SSH. SSH needs our private key for this, but we don’t want to copy it off our machine.
Agent forwarding allows us to keep our private key private but still use it on remote machines. Usually, we'd connect to our web server like this:
$ ssh firstname.lastname@example.org -i .ssh/id_rsa
We can execute commands on the remote server, but when we want to use our private key, it’s not present:
# on the remote server
$ ssh-add -L
The agent has no identities.
$
ssh-add -L allows us to check which SSH keys are currently added to
Let’s exit the current ssh session and do it again:
$ ssh email@example.com -i .ssh/id_rsa -A
This time, we're using an additional parameter (-A). -A tells ssh to forward our current agent. On the remote machine, let's check our keys again:
$ ssh-add -L
ssh-rsa AAAA...
Now we see that the private key from our local machine is available in our ssh session. It is not physically present on the server, though: the remote ssh client sends signing requests back through the forwarded connection to the agent on our local machine. Whenever we execute commands that use ssh, the key is now in scope.
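As an added example (not part of the original post), here is a small POSIX sh helper that performs the ssh-add -L check from above on a remote host and classifies what it finds: no agent socket, a forwarded agent with no identities, or a forwarded agent with keys. The socket path and key listing below are constructed sample values, not real keys.

```shell
# Added example: classify the SSH agent state a shell sees on the remote host.
# Inputs are passed explicitly so the function can run offline:
#   $1 = value of SSH_AUTH_SOCK (empty when no agent was forwarded)
#   $2 = output of `ssh-add -L` as captured on that host
# Prints one line per loaded key (type and comment) and returns:
#   0 = keys available, 1 = agent socket present but empty, 2 = no agent socket
agent_state() {
  sock=$1
  listing=$2
  if [ -z "$sock" ]; then
    echo "no agent: SSH_AUTH_SOCK is unset (connect with ssh -A to forward one)"
    return 2
  fi
  case $listing in
    "The agent has no identities."*|"")
      echo "agent at $sock has no identities"
      return 1 ;;
  esac
  count=0
  # each line of `ssh-add -L` is: <keytype> <base64 public key> [comment]
  # a here-document (not a pipe) keeps the loop in the current shell so $count survives
  while IFS=' ' read -r ktype blob comment; do
    [ -n "$ktype" ] || continue
    count=$((count + 1))
    echo "forwarded key: $ktype ${comment:-(no comment)}"
  done <<EOF
$listing
EOF
  # while the session is open, every listed key can be used by any process on
  # this host that can open $sock, so this is the list worth reviewing
  echo "$count key(s) usable through $sock on this host"
  return 0
}

# constructed sample values (not real keys or a real socket)
SAMPLE_SOCK=/tmp/ssh-abc123/agent.4242
SAMPLE_LIST='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC7EXAMPLE user@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE deploy@laptop'

agent_state "$SAMPLE_SOCK" "$SAMPLE_LIST"
```

On a real host, call it as `agent_state "$SSH_AUTH_SOCK" "$(ssh-add -L 2>&1)"` after logging in with and without -A to see the difference.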