7

I'm trying to get SSH agent forwarding working from my Mac to a Debian server. On my Mac, I have verified that I have:

  • SSH_AUTH_SOCK exists
  • ssh-add -l shows my identities
  • ./ssh/config has settings to enable ForwardAgent

Passwordless login to the remote server works fine. However, none of my identities are available there and the SSH_AUTH_SOCK is empty.

I'd like to understand how this gets set up in the remote environment, and what am I missing to make it work?

Update:

My server is set up with AllowAgentForwarding=yes in sshd_config and ForwardAgent=yes in ssh_config.

I found some tutorials that suggest running eval `ssh-agent`, so I tried that, but I suspect this is meant for the client machine. This did set up an SSH_AUTH_SOCK when I ran it on my server, but it doesn't seem to connect back to the client agent, and it says "The agent has no identities".

3 Answers

7

On my Mac with OS 10.6.x I found that agent forwarding didn't work until I added my key to the Apple keychain, with the following:

ssh-add -K ~/.ssh/id_rsa 

where ~/.ssh/id_rsa contains my private SSH key.

I've a blog entry about setting up SSH host configuration entries to simplify SSH command lines that may be of interest.

3
  • Thanks, I had figured it out a while back: your answer is the correct solution on a Mac client. Commented Jul 30, 2011 at 22:18
  • 1
    Updated URL: nickager.com/blog/2011/03/31/Simplifying-SSH-command-lines Commented Jan 14 at 20:44
  • @PaulWaldo Thanks for the updated URL; I've edited it into the original post. Commented Apr 30 at 9:21
3

The server also has to enable agent forwarding.

1
  • I've tried setting AllowAgentForwarding yes in sshd_config and restarting ssh on the server. I still get the error "Could not open a connection to your authentication agent" when I try to do anything from the server. Commented Nov 3, 2010 at 5:46
2

The client that runs the agent needs to have agent forwarding enabled. Not the server.

Never enable it globally, but on a per-host basis in ~/.ssh/config:

Host myserver.foo.local
    ForwardAgent yes

Or use the -A option when connecting:

ssh -A myserver.foo.local 
2
  • 1
    Thanks for your answer. Yes, I already have my .ssh/config configured this way. I see SSH_AUTH_SOCK on my end, but not inside the SSH session. I was trying to understand what part of the client/server environment is responsible for setting up that socket, since I'm not seeing it. Commented Nov 6, 2010 at 9:22
  • Does the client show in verbose mode that it is requesting agent forwarding? ssh -vvv -A myserver.foo.local true 2>&1 | grep agent Commented Nov 7, 2010 at 7:09
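
One way to check a client config against the "per-host, not globally" advice in the answer above, as an added example that is not part of any answer on this page. The function name `audit_forward_agent` and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report where an ssh_config file turns on ForwardAgent and
# flag scopes that cover every host (top of file, or a Host pattern of "*").
# Limits of this sketch: Include files are not followed, and Match blocks are
# reported by their text without evaluating their conditions.

audit_forward_agent() {
    # Reads the file named in $1, or standard input when no file is given.
    awk '
        BEGIN { scope = "(top of file)"; global = 1 }
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            if (line == "" || line ~ /^#/) next
            # Keyword and argument may be separated by whitespace or "=".
            n = split(line, f, /[ \t]*=[ \t]*|[ \t]+/)
            key = tolower(f[1])
            if (key == "host" || key == "match") {
                scope = line; global = 0
                if (key == "host")
                    for (i = 2; i <= n; i++) if (f[i] == "*") global = 1
                next
            }
            # Any value other than "no" is treated as enabling forwarding.
            if (key == "forwardagent" && tolower(f[2]) != "no")
                printf "%s: %s: %s\n", (global ? "GLOBAL" : "per-host"), scope, line
        }
    ' "$@"
}

# Constructed sample config, audited when the script is run with no argument.
if [ "$#" -eq 0 ]; then
    audit_forward_agent <<'EOF'
Host myserver.foo.local
    ForwardAgent yes
Host *
    ForwardAgent yes
EOF
else
    audit_forward_agent "$1"
fi
```

Run it as `sh script.sh ~/.ssh/config`; any line reported as GLOBAL forwards the agent to every host that block matches.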
