Troubleshooting SSH Agent Forwarding

Tools:

    ssh-add -l    Verify your current identity
    ssh-add       Load keys from ~/.ssh into the authentication agent

The GitHub setup guide has a good introduction to ssh keys. If all goes well, it looks like this:

    doug@local:~$ ssh -T
    Hi Douglas! You've successfully authenticated, but GitHub does not provide shell access.

Since my ssh keys are on my local machine, connecting to GitHub is seamless. While setting up a remote server to demo a side project, I wanted to check out some code from GitHub, and here’s what happened:

    doug@local:~$ ssh doug@remote
    doug@remote:~$ ssh -T
    Permission denied (publickey).

To connect to GitHub I need to use my private key, but I don’t want to copy my key to the remote server. SSH agent forwarding to the rescue: the remote ssh client hands signing requests back to the agent on my local machine, so the key never leaves it.

SSH Agent: Could not open a connection

The first problem was that I couldn’t access my local ssh agent from the remote server. Here’s what the error looks like:

    doug@remote:~$ ssh-add -l
    Could not open a connection to your authentication agent.

Agent forwarding needs to be enabled locally and on the remote server. On my local machine, I added this to my ~/.ssh/config:

    Host remote
    ForwardAgent yes

The Host section header accepts a wildcard, but only enable forwarding for hosts you trust to act as if they have your private key: while you are connected, anyone with root on that server can use your forwarded agent to authenticate as you. On the server, AllowAgentForwarding yes should appear in sshd_config, but this is the default on Ubuntu so I didn’t have to make a change.

SSH Agent: The agent has no identities

Once the remote machine could connect to the agent, I was surprised to find that it didn’t know my identity, even though I was already connected to the remote machine!

    doug@remote:~$ ssh-add -l
    The agent has no identities.

This produced the same output on my local machine, so it looks like the local ssh client was reading the private key file directly and skipping the agent; an empty agent has nothing to forward. I ran ssh-add to add the local keys in ~/.ssh to the agent:

    doug@local:~$ ssh-add
    Identity added: /Users/doug/.ssh/id_dsa (/Users/doug/.ssh/id_dsa)
    doug@local:~$ ssh-add -l
    1024 b6:dd:b7:1f:bc:25:31:d3:12:f4:92:1c:0b:93:5f:4b /Users/doug/.ssh/id_dsa (DSA)

This isn’t something I would want to have to run after every restart, so here is how to make it happen automatically on OS X and Windows.
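The two failures above can be told apart by the exit status of ssh-add -l (0 with identities, 1 when the agent is empty, 2 when no agent can be contacted). Here is a small check that does that and points at the fix from each section; it is an added example, not part of the original post, and the function names are my own.

```shell
#!/bin/sh
# Added example: classify ssh-add -l results into the two problems
# described above and suggest where to look. Function names are assumed.

# diagnose_agent EXITCODE -> prints ok | no-identities | no-agent | unknown
diagnose_agent() {
  case "$1" in
    0) echo "ok" ;;
    1) echo "no-identities" ;;  # "The agent has no identities."
    2) echo "no-agent" ;;       # "Could not open a connection to your authentication agent."
    *) echo "unknown" ;;
  esac
}

# socket_present -> exit 0 if SSH_AUTH_SOCK names an existing unix socket.
# A forwarded agent shows up on the remote side as this socket.
socket_present() {
  [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# check_agent: run ssh-add -l on the current host, print the diagnosis
# and the next thing to check. Safe under "set -e".
check_agent() {
  if ! command -v ssh-add >/dev/null 2>&1; then
    echo "ssh-add not installed" >&2
    return 2
  fi
  rc=0
  ssh-add -l >/dev/null 2>&1 || rc=$?
  status=$(diagnose_agent "$rc")
  case "$status" in
    ok)            echo "agent reachable, identities loaded" ;;
    no-identities) echo "agent reachable but empty: run ssh-add on the LOCAL machine" ;;
    no-agent)
      if socket_present; then
        echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK exists but no agent answers on it"
      else
        echo "no agent socket: check ForwardAgent yes (client config) and AllowAgentForwarding yes (sshd_config)"
      fi ;;
    *)             echo "ssh-add exited $rc" ;;
  esac
  echo "$status"
}
```

Run check_agent on the local machine first and then on the remote one: the local result must be "ok" before forwarding can show anything on the remote side.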

Digging Deeper

The ssh -v verbose flag produces lots of interesting output on authentication negotiation. Here’s the line that shows GitHub only accepts publickey authentication, so a missing or unreachable key fails outright instead of falling back to a password:

    doug@remote:~$ ssh -vT
    debug1: Authentications that can continue: publickey
    Permission denied (publickey).