Debug: SSH agent forwarding not working
Problem
SSH agent forwarding is configured, but git and ssh operations on the remote server fail with "permission denied". The keys loaded on the local machine are not available on the remote host.
Solution
Diagnose and fix SSH agent forwarding:
- Check local agent has keys:
    ssh-add -l    # List loaded keys
    # If empty: ssh-add ~/.ssh/id_ed25519
- Enable forwarding in SSH config:
    # ~/.ssh/config
    Host myserver
        HostName server.example.com
        ForwardAgent yes
    # Or command line:
    ssh -A user@server
- Verify on remote server:
    ssh -T git@github.com    # Should show your GitHub username
    echo "$SSH_AUTH_SOCK"    # Should be set
    ssh-add -l               # Should show your keys
- Common issues:
  a) SSH_AUTH_SOCK not set on remote:
    # Server sshd_config must allow agent forwarding:
    AllowAgentForwarding yes
  b) Jumping through bastion:
    # Need forwarding on EACH hop:
    # (With ProxyJump the client authenticates to internal through the
    # tunnel itself; ForwardAgent on bastion matters only when you run
    # ssh from a shell on the bastion.)
    Host bastion
        ForwardAgent yes
    Host internal
        ProxyJump bastion
        ForwardAgent yes
  c) Screen/tmux loses agent:
    # Agent socket changes on reconnect
    # Fix: symlink to fixed path
    # In .bashrc:
    if [ -n "$SSH_AUTH_SOCK" ] && [ "$SSH_AUTH_SOCK" != "$HOME/.ssh/agent_sock" ]; then
        ln -sf "$SSH_AUTH_SOCK" "$HOME/.ssh/agent_sock"
        export SSH_AUTH_SOCK="$HOME/.ssh/agent_sock"
    fi
  d) Security: Only forward to trusted servers!
    # A compromised server can use your forwarded agent
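The verification step and common issues a) and c) above, combined into one diagnostic to run on the remote host. This is an added example, not part of the original page; the function names agent_state and agent_hint are hypothetical, and it assumes OpenSSH's ssh-add exit codes (0 keys listed, 1 no identities, 2 agent unreachable).

```shell
#!/bin/sh
# Added example, not from the original page. Run it on the remote host.

# agent_state [socket-path]
# Prints one word describing the agent socket (default: $SSH_AUTH_SOCK):
#   unset | stale | unreachable | empty | ok
agent_state() {
    sock=${1-${SSH_AUTH_SOCK:-}}
    if [ -z "$sock" ]; then
        echo unset
        return 0
    fi
    # -S dereferences symlinks, so a ~/.ssh/agent_sock link whose target
    # vanished after a reconnect is reported as stale here.
    if [ ! -S "$sock" ]; then
        echo stale
        return 0
    fi
    # Assumed ssh-add -l exit codes: 0 keys listed, 1 no identities,
    # 2 agent unreachable. Anything else (e.g. ssh-add missing) is
    # treated as unreachable.
    rc=0
    SSH_AUTH_SOCK=$sock ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo ok ;;
        1) echo empty ;;
        *) echo unreachable ;;
    esac
}

# agent_hint <state>: maps a state to the matching fix from this page.
agent_hint() {
    case $1 in
        unset)       echo "no socket: check ForwardAgent (client) and AllowAgentForwarding (sshd_config)" ;;
        stale)       echo "socket path is dead: reconnect, or refresh the fixed-path symlink" ;;
        unreachable) echo "socket exists but no agent answers: reconnect with ssh -A" ;;
        empty)       echo "agent reachable but has no keys: run ssh-add on the local machine" ;;
        ok)          echo "agent forwarding works" ;;
        *)           echo "unknown state: $1" ;;
    esac
}

# Report on the current environment.
state=$(agent_state)
echo "$state: $(agent_hint "$state")"
```

Inside a long-lived screen/tmux session, "stale" is the state to expect after a reconnect until the symlink from c) has been refreshed by a new login shell.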