
Suppose I have 4 machines, local, dmz, remote1, and remote2. I want to ssh from local to dmz then into remote1 and then scp a file from remote1 to remote2. Can I use ssh-agent forwarding to allow me to do this without managing any public/private keys other than putting my local public key on the other 3 boxes?

Right now I have `ForwardAgent yes` in `~/.ssh/config` for all Hosts, plus `AllowAgentForwarding yes` in `sshd_config` on all boxes except local. With this configuration I'm able to get to remote1, but trying to ssh from remote1 to remote2 fails. This seems to be because the private key from my local machine is not available to the agent on remote1. Is there any way to expose the key forwarded by an upstream agent to ssh-agent running on the target server?

My assumption is that this is not possible, but a confirmation or suggestion otherwise would be appreciated.

EDIT:

In response to Spack's question, `SSH_AUTH_SOCK` is something like `/tmp/ssh-45ZbsZLLc9/agent.19470` on all the non-local boxes.

Mike Deck
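Two checks that address the situation described in the question, as an added example (not code from the question or its comments). The first resolves which `ForwardAgent` value ssh will actually use for a host: ssh keeps the first value it obtains for a keyword, and reads `~/.ssh/config` before `/etc/ssh/ssh_config`, so a `ForwardAgent no` in an earlier `Host` block or file quietly overrides a later `yes`. The second reports whether the forwarded agent socket that `SSH_AUTH_SOCK` points at on an intermediate hop actually exists. Simplifications assumed in this example: `Host` patterns are matched only as `*`, `prefix*` or an exact name, `Match` blocks are not evaluated, and the file names passed in are supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the question or its comments. Diagnoses the two
# usual causes of "my keys are not visible on the next hop": an ssh_config
# value that is not what you think it is, and a missing agent socket.

# Print the effective ForwardAgent value for host $1 from the ssh_config
# files given as the remaining arguments, in the order ssh reads them
# (~/.ssh/config first, then /etc/ssh/ssh_config). ssh keeps the FIRST
# value it obtains for a keyword, so an early "ForwardAgent no" wins over
# a later "ForwardAgent yes". The default, when nothing matches, is "no".
# Simplifications (assumptions of this example): Host patterns are matched
# only as "*", "prefix*" or an exact name; Match blocks are skipped.
effective_forward_agent() {
  host="$1"; shift
  awk -v host="$host" '
    function host_matches(pat,   n) {
      if (pat == "*" || pat == host) return 1
      n = length(pat)
      if (substr(pat, n) == "*" && substr(host, 1, n - 1) == substr(pat, 1, n - 1)) return 1
      return 0
    }
    FNR == 1 { active = 1 }                      # each file starts outside any Host block
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    tolower($1) == "host" {                      # new Host block: active if any pattern matches
      active = 0
      for (i = 2; i <= NF; i++) if (host_matches($i)) active = 1
      next
    }
    tolower($1) == "match" { active = 0; next }  # Match blocks are not evaluated here
    active && tolower($1) == "forwardagent" && value == "" { value = tolower($2) }
    END { print (value == "" ? "no" : value) }
  ' "$@"
}

# Report the state of the agent socket on this hop. Argument $1 overrides
# SSH_AUTH_SOCK (useful for testing). "unset" means ssh did not forward an
# agent to this session (or sshd refused); "missing" means the path exists
# in the environment but is not a live socket, e.g. the forwarding
# connection that created it has gone away.
agent_socket_state() {
  sock="${1-$SSH_AUTH_SOCK}"
  if [ -z "$sock" ]; then echo "unset"; return 1; fi
  if [ ! -S "$sock" ]; then echo "missing"; return 1; fi
  echo "present"
}

# Stand-alone use on any hop:  sh check-agent.sh check remote1
if [ "${1:-}" = "check" ]; then
  agent_socket_state || echo "agent socket not usable on this hop"
  cfgs=""
  for f in "$HOME/.ssh/config" /etc/ssh/ssh_config; do
    [ -r "$f" ] && cfgs="$cfgs $f"
  done
  # shellcheck disable=SC2086
  [ -n "$cfgs" ] && echo "ForwardAgent for ${2:-remote1}: $(effective_forward_agent "${2:-remote1}" $cfgs)"
fi
```

Run the script on each hop in turn (local, then dmz, then remote1) before trying the next ssh. Agent forwarding is per hop: dmz must forward the agent to remote1 just as local forwarded it to dmz, so `ForwardAgent` has to resolve to `yes` on every intermediate host, and `SSH_AUTH_SOCK` must point at a live socket there.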
  • What's the output of `echo "$SSH_AUTH_SOCK"` on remote1? Check also the `/etc/ssh_config` file on each host. – Spack Apr 18 '13 at 23:19
  • @Spack what do I need to check in ssh_config? – Mike Deck Apr 18 '13 at 23:43
  • You may have `ForwardAgent no` in it. – Spack Apr 18 '13 at 23:44
  • `My assumption is that this is not possible` - That is an invalid assumption. If agent forwarding and your keys are set up properly on the systems then you should be able to have lots of hops with no problems. – Zoredache Apr 19 '13 at 00:41
