1

On my client I have an SSH agent setup and the following example config

Host gitserver Hostname gitserver.example.com ForwardAgent yes User git IdentityFile C:\Users\user\.ssh\id_rsa.pub IdentitiesOnly yes

On the first hop server that I wish to forward my agent through, how do I properly utilize forwarding without brute force checking all the identities that my SSH agent has without getting a too many authentication failures error?
I can get it to work if I limit the SSH agent to contain 5 or less keys as that's within the allowable amount of authentication attempts. If I try to use the gitserver Host alias on the server, it doesn't know that it means what it does on the clients SSH config.
Do I need to have a proper SSH config setup on the server for this host?
There must be a more portable option than having to configure every server I wish to use agent forwarding with.

I don't think this is a Windows specific problem as I the IdentitiesOnly yes works perfectly fine with larger key stores in the SSH agent. It seems to be an issue with forwarding the correct information to the first hop server. I hope my question is clear enough to comprehend my problem.

Improve this question
2
  • Why do you have more than one identity file in the agent? If you change the order of the keys, and add the identity that you need first on top, do you still have the issue? Commented Sep 18, 2023 at 1:14
  • 1
    Because I can? Is this really an unusual use case? I don't have this problem when connecting directly to a server with multiple identity files for hosts in the agent when directly connecting to the end server, only when forwarding the agent through an intermediate server. I want to know if it's possible to make this easy when I am using forwarding. Commented Sep 18, 2023 at 1:27

2 Answers 2

Reset to default
0

Firstly, I apologize if it sounds as if I am making assumptions, as it is not my intention to insult anyone's intellegence.

I'm also not completely positive that I fully understand your issue, but since there are no other answers, as of yet, I thought I'd give it a go.

Unfortunately, without having more information, regarding your Nwtwork & DNS configuration, it's difficult to determine exactly where the problem lies.

Therefore, I'm simply going to list off, some suggestions and resources, for you to utilize, if they are relevant, of course.

Firstly, if the Machines in question, are not currently on a Domain, I would consider replacing the FQDN in the "Hostname" Setting with the Machine's IP Address (like the example, below).

Host Hostname Hostname 192.168.0.250 ForwardAgent yes User username IdentityFile C:\Users\username\.ssh\id_rsa

You may also want to run the "ssh-add -L" Command, to confirm that your SSH Agent is Running and is holding your Key(s).

Additional Info/Details, regarding the aforementioned Command, can be obtained by following the Link below.

https://superuser.com/a/1141035

As for running OpenSSH Agent Forwarding, in Windows, you may want to review the following articles, as their are some important steps, that are specific to Windows 10/11.

https://richardballard.co.uk/ssh-keys-on-windows-10/

http://blog.zencoffee.org/2022/11/openssh-on-windows-11/

Lastly, it should be noted that SSH Agent Forwarding wasn't really supported on Windows 10, until relatively recently.

That being said, you may want to verify that your Windows and OpenSSH Versions are compatible, in regard to the SSH Agent Forwarding Function.

I hope that this is, at least, somewhat helpful.

Improve this answer
2
  • 1
    Agent forwarding works, but I don't know how to make the end server request the proper identity to authenticate against without trying every single agent identity before the end server errors out from too many attempts. Commented Sep 18, 2023 at 2:40
  • Ok, makes sense. I think you're on the right path, in regard to the "IdentitiesOnly=Yes" Option. superuser.com/questions/268776/… Commented Sep 18, 2023 at 3:12
0

To answer your question, however, if you read through the Pros & Cons, it seems to suggest that Automation may not be possible.

Cons of SSH Agent Forwarding:

  • Users must SSH in to deploy; automated deploy processes can't be used.
  • SSH agent forwarding can be troublesome to run for Windows users.

https://docs.github.com/en/authentication/connecting-to-github-with-ssh/managing-deploy-keys.

Improve this answer
1
  • My use case doesn't require automation where private key storage on an automation server is required, but thanks for pointing that out. Commented Sep 18, 2023 at 2:38

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.