Forwarding your ssh-agent

Overview:

  • Teaching: 20 min
  • Exercises: 0 min

Questions

  • How can I use keys to connect or transfer data between remote services?

Objectives

  • Know that you can make your local ssh-agent available on your remotes by specifying ForwardAgent yes in your ssh config

Remote key pairs

You should never store the private key on a shared resource. On some HPC services you may see that a key pair has been created automatically in your remote .ssh folder. This is used by some schedulers to manage communication and should only be used by the system for internal communications, e.g. you logging onto nodes running jobs or interactive sessions, and parallel communications within jobs.

These keys are not protected by passphrases and should never be used for onward connections from the remote service.

Agent Forwarding

We are now able to connect securely and conveniently to remote systems. But what happens if we want to move data between remote systems? We can use agent forwarding to enable the use of keys stored in our local agent on the remote systems. This allows us to use our private keys for onward connections without having to store a copy of the private key on the shared system.

First we must modify our ~/.ssh/config to turn on agent forwarding for each host where we want to enable it. For example, we would include this for a remote service from which we wanted to push to another system or to github, but would not include it for github itself:

Host <hpc-service>
  IdentityFile id_ed25519_service
  User userid_service
  ForwardAgent yes

Now we need to add the key for the service to our agent:

ssh-add -t 3600 id_ed25519_service
Enter passphrase for home/user/.ssh/id_ed25519_service: [Passphrase]
Identity added: home/user/.ssh/id_ed25519_service (home/user/.ssh/id_ed25519_service)
Lifetime set to 3600 seconds

and the key for the onward service we wish to connect to:

ssh-add -t 3600 id_ed25519_github
Enter passphrase for home/user/.ssh/id_ed25519_github: [Passphrase]
Identity added: home/user/.ssh/id_ed25519_github (home/user/.ssh/id_ed25519_github)
Lifetime set to 3600 seconds

Now we can connect to the service and use our github key on the remote machine. Note that both keys will be forwarded by the agent.
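Because every key in the agent is forwarded, it is worth checking which hosts actually end up with forwarding enabled. The following is an added example, not part of the original lesson: it resolves the ForwardAgent value for a host name using the ssh_config rule that the first value obtained wins. The host names and both sample configs are constructed, and only Host blocks are handled (Match and Include are not evaluated).

```python
import fnmatch
import re

# Constructed sample: host names are placeholders, not taken from a real system.
SCOPED = """\
Host hpc-service
  IdentityFile id_ed25519_service
  ForwardAgent yes
Host github.com
  IdentityFile id_ed25519_github
  ForwardAgent no
"""
# Constructed sample: the wildcard block comes first, so its value wins everywhere.
TOO_BROAD = """\
Host *
  ForwardAgent yes
Host github.com
  ForwardAgent no
"""
OPTION = re.compile(r"(\S+?)(?:\s*=\s*|\s+)(.*)")  # "Key value" or "Key=value"

def host_matches(patterns, hostname):
    """A Host line applies if a pattern matches and no negated (!) pattern does."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched

def effective_forward_agent(config_text, hostname):
    """Return the ForwardAgent value ssh would obtain first for hostname."""
    active = True  # options before the first Host line apply to all hosts
    for raw in config_text.splitlines():
        line = raw.strip()
        m = OPTION.match(line)
        if not m or line.startswith("#"):
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            active = host_matches(value.split(), hostname)
        elif key == "match":
            active = False  # Match blocks are skipped here (assumption)
        elif key == "forwardagent" and active:
            return value
    return "no"  # OpenSSH default when nothing sets it
```

With the TOO_BROAD config the later `ForwardAgent no` under github.com has no effect, because the `Host *` block above it already supplied a value.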

Set-up and verify agent forwarding works

Linux:

Follow the instructions to set up a config file to enable agent forwarding.

Windows:

Enable agent forwarding in PuTTY by modifying your connection under Connection -> SSH -> Auth -> Allow agent forwarding

Both

  1. Add your github key to the agent.
  2. Create a new repository:
  3. Following the instructions at arc-lessons, create a repository on linux and verify that you can push to it using the ssh-key in the forwarding agent.

Key Points:

  • By using ForwardAgent we can make our keys available on remote services that we trust to enable onward connections or data transfer between remote systems