85

I manually deploy websites through SSH, and I manage source code in github/bitbucket. For every new site I'm currently generating a new keypair on the server and adding it to github/bitbucket, so that I can pull changes from the server.

I came across a feature in capistrano to use local machine's key pair for pulling updates to server, which is ssh_options[:forward_agent] = true

How can I do something like this and forward my local machine's keypair to the server I'm SSH-ing into, so that I can avoid adding keys to github/bitbucket for every new site?

5 Answers

104

This turned out to be very simple; the complete guide is here: Using SSH Forwarding

In essence, you need to create a ~/.ssh/config file, if it doesn't exist.

Then, add the hosts (either domain name or IP address) to the file and set ForwardAgent yes.

Sample Code:

Host example.com
    ForwardAgent yes

Makes SSH life a lot easier.


4 Comments

Great article linked in the answer; to summarize for OSX users you may need to sudo vim /etc/ssh_config and remove the ForwardAgent no host wildcard disable and then ssh-add ~/.ssh/your_key to allow the local agent to forward that identity.
Adding echo 'Host example.com\n ForwardAgent yes' >> ~/.ssh/config will not work if you connect to ssh using public ip ssh node-1.example.com then try to hop with ssh ${user}@$(hostname -s) using agent forward. It will ask for your password.
On my OSX El Capitan I did not need to mess around with /etc/ssh_config at all, but I did need to run ssh-add before the forwarding would work for me.
As noted in the linked article, it's not a good idea to enable ForwardAgent in the Host * section. Quote: Warning: You may be tempted to use a wildcard like Host * to just apply this setting to all SSH connections. That's not really a good idea, as you'd be sharing your local SSH keys with every server you SSH into. They won't have direct access to the keys, but they will be able to use them as you while the connection is established. You should only add servers you trust and that you intend to use with agent forwarding.
64
  1. Create ~/.ssh/config
  2. Fill it with (host address is the address of the host you want to allow creds to be forwarded to):

    Host [host address]
         ForwardAgent yes
    
  3. If you haven't already run ssh-agent, run it:

    ssh-agent
    
  4. Take the output from that command and paste it into the terminal. This will set the environment variables that need to be set for agent forwarding to work. Optionally, you can replace this and step 3 with:

    eval "$(ssh-agent)"
    
  5. Add the key you want forwarded to the ssh agent:

    ssh-add [path to key if there is one]/[key_name].pem
    
  6. Log into the remote host:

    ssh -A [user]@[hostname]
    
  7. From here, if you log into another host that accepts that key, it will just work:

    ssh [user]@[hostname]
    

1 Comment

Also simply ssh -o ForwardAgent=yes [email protected] for a one-off.
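The procedure above (a per-host ForwardAgent stanza plus the warning in the first answer's comments against Host *) as an added shell example, not code from the answers; add_forward_host and audit_forward_agent are constructed helper names, and the config path is a parameter so it can be pointed at a scratch file instead of ~/.ssh/config:

```shell
#!/bin/sh
# Added example: maintain per-host "ForwardAgent yes" stanzas in an ssh_config
# file and audit which Host patterns forward the agent. Helper names are
# constructed; CONFIG is whatever file you pass in.

# add_forward_host CONFIG HOST
# Appends "Host HOST / ForwardAgent yes" unless a stanza for HOST exists.
# Wildcard patterns are refused: forwarding to every host you connect to lets
# any of those hosts sign with your keys for as long as the session lasts.
add_forward_host() {
    config=$1; host=$2
    case $host in
        *'*'*|*'?'*) echo "refusing wildcard Host pattern: $host" >&2; return 1 ;;
    esac
    touch "$config"
    # Already present? Host lines may carry several patterns, so scan all fields.
    if awk -v h="$host" 'tolower($1)=="host" {for (i=2;i<=NF;i++) if ($i==h) found=1}
                         END {exit !found}' "$config"; then
        return 0
    fi
    printf 'Host %s\n    ForwardAgent yes\n' "$host" >> "$config"
}

# audit_forward_agent CONFIG
# Prints "OK <patterns>" or "WARN <patterns>" for every stanza that sets
# ForwardAgent yes; WARN marks wildcards and settings outside any Host block.
# (Only the "Keyword value" spelling is parsed, not "Keyword=value".)
audit_forward_agent() {
    awk '
        tolower($1)=="host" { hosts=""; for (i=2;i<=NF;i++) hosts=hosts (i>2?" ":"") $i; next }
        tolower($1)=="forwardagent" && tolower($2)=="yes" {
            tag = (hosts=="" || hosts ~ /[*?]/) ? "WARN" : "OK"
            if (hosts=="") hosts="(global, applies to all hosts)"
            print tag, hosts
        }' "$1"
}

# Demo on a scratch file (never touches ~/.ssh/config): sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    printf 'Host *\n    ForwardAgent yes\n' > "$demo"   # the pattern the article warns about
    add_forward_host "$demo" example.com
    audit_forward_agent "$demo"
    rm -f "$demo"
fi
```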
15

To use it simply with the default identity (id_rsa) you can use the following couple of commands:

ssh-add
ssh -A [username]@[server-address]

1 Comment

This is exactly what I need! ssh-add is the answer. Thanks.
1

The configuration file is very helpful, but the trick for agent forwarding is done by the ssh-add command. It seems that this has to be triggered once before any remote connections, or after a restart of the computer. To permanently add the key, try the following solution from the user daminetreg: Add private key permanently with ssh-add on Ubuntu


-2

It is very useful:

ssh -i [private-key] -A [user]@[host]

You can set one command in bash_aliases or other command routines.
