SSH Agent Forwarding in Windows
I need to tunnel SSH through one intermediate host B to the final host C: from host A, over B, to C (A-B-C), where host A can't reach host C directly, but A can reach B and B can reach C. The best way to do this is SSH public-key authentication, but it can also be done with passwords.
When using passwords, typing:
ssh -t savioko ssh -t root@apach-1
and entering the two passwords after that will do the job.
Multi-hop SSH without passwords
First, a running ssh-agent on the local machine is mandatory. As noted elsewhere, on Windows it can be set up by pasting the following into a command prompt:
set SSH_AUTH_SOCK=%TEMP%\ssh-agent.socket
rm -f %SSH_AUTH_SOCK%
FOR /F "tokens=1 delims=;" %r IN ('ssh-agent -a %SSH_AUTH_SOCK% ') DO @(SET %r >NUL 2>&1)
setx SSH_AUTH_SOCK %SSH_AUTH_SOCK%
Then we must add our key to the agent:
ssh-add ~/.ssh/id_rsa
Then we execute the same command as before, only this time adding the -A switch for the intermediate host. This switch tells the client to forward the agent connection to that host, so the second hop can authenticate with the key held by the local agent:
ssh -t -A savioko ssh root@apach-1
For agent forwarding through the SSH tunnel to work, nothing special has to be done on the final or the intermediate server. Keep in mind that while the session is open, anyone with root on the intermediate host can use the forwarded agent socket, so only forward through hosts you trust.
Tips
For debugging purposes, add -vvv to any SSH command. This displays very detailed information about the connection process. Nothing more is needed.
About settings that really don't matter:
- AllowAgentForwarding yes in sshd_config (server configuration) is turned on by default, so it doesn't matter; don't bother with it unless it has been disabled on purpose somewhere.
- ForwardAgent yes in ssh_config or in ~/.ssh/config (client settings) is not important either, because using the -A switch when connecting produces exactly the same effect.
In two simple steps
Important things:
- The local ssh-agent must be running and your key must be loaded in it
- Execute:
ssh -t -A user@HostMiddleman ssh user@HostDestination
Sources
Extra configuration required for ssh-agent forwarding? - Super User
An Illustrated Guide to SSH Agent Forwarding
Using ssh agent forwarding
Bazinga: a more elegant way - fully automatic!
Holy schmoly! Bazinga! For this solution you don't even need an active ssh-agent. Simply beautiful!
Just configure the client to do the hop itself. Use a ProxyCommand directive for that (the following appends a Host block to ~/.ssh/config from a Windows command prompt):
set F="%HOMEDRIVE%%HOMEPATH%\.ssh\config"
echo. >> %F%
echo Host apach-1.savioko >> %F%
echo HostName apach-1 >> %F%
echo User root >> %F%
echo Port 22 >> %F%
echo IdentityFile "~/.ssh/id_rsa" >> %F%
echo IdentitiesOnly yes >> %F%
echo ProxyCommand ssh savioko nc %h %p >> %F%
That's it. Check that you can log in with keys, and disable password login after that:
ssh apach-1.savioko
With a recent version of OpenSSH you can use the very similar -W switch and avoid using Netcat (nc) on the intermediate host:
ProxyCommand ssh savioko -W %h:%p
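As an added example (not code from the post): a small Python emulation of how the OpenSSH client picks options for a Host block like the one above and expands the %h and %p tokens in ProxyCommand, so you can preview what ssh apach-1.savioko will actually run for the hop. The config text is constructed inline to mirror the block the post appends; on a real system the authoritative check is ssh -G apach-1.savioko, which prints the effective configuration.

```python
import re
from fnmatch import fnmatch

# Constructed ~/.ssh/config mirroring the block the post appends (example input).
SSH_CONFIG = """
Host apach-1.savioko
    HostName apach-1
    User root
    Port 22
    IdentityFile "~/.ssh/id_rsa"
    IdentitiesOnly yes
    ProxyCommand ssh savioko nc %h %p
"""


def parse_ssh_config(text):
    """Return (host_patterns, options) blocks in file order; options before any
    Host line are treated as global ("*"). Keys are lower-cased like ssh does."""
    blocks, patterns, options = [], ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "host":
            if options:
                blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options.setdefault(key, value.strip('"'))
    if options:
        blocks.append((patterns, options))
    return blocks


def resolve(text, host, port="22", user=""):
    """Emulate `ssh host`: the first matching value for each option wins.
    Host patterns are matched with fnmatch ('*' and '?'); '!' negation is not handled."""
    effective = {}
    for patterns, options in parse_ssh_config(text):
        if any(fnmatch(host, p) for p in patterns):
            for key, value in options.items():
                effective.setdefault(key, value)
    hostname = effective.get("hostname", host)
    port = effective.get("port", port)
    user = effective.get("user", user)
    # %h = remote host name, %p = port, %r = remote user, %n = name as typed
    tokens = {"%h": hostname, "%p": port, "%r": user, "%n": host, "%%": "%"}
    proxy = effective.get("proxycommand")
    if proxy:
        proxy = re.sub(r"%[hprn%]", lambda m: tokens[m.group(0)], proxy)
    return {"hostname": hostname, "port": port, "user": user, "proxycommand": proxy}
```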
Sources: Multihop SSH tunneling
Local port forwarding
This is usually needed to trick GUI tools into connecting to a remote host they cannot reach directly. In my case, I'm using it for the SSHFS client WebDrive.
ssh savioko -L 9999:apach-1:22 -N
The -N switch means "do not execute a remote command", which is exactly what you want when the connection exists only to forward a port. Change it to the -fN combination to tell SSH to connect, establish the tunnels and keep running in the background.
Now I can log in to the apach-1 server with:
ssh root@localhost -p 9999 -o "HostKeyAlias=apach-1"
Passing the HostKeyAlias option makes ssh look up and store the host key under the name apach-1 instead of localhost, which avoids the fatal warning WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! that would otherwise appear as different hosts get tunnelled through the same local port. Very good idea.
Sources
Chaining ssh tcp port forwarding
SSH/OpenSSH/PortForwarding - Community Ubuntu Documentation
Quick local SOCKS Proxy with an SSH Tunnel
SSH Tunnel + SOCKS Proxy Forwarding = Secure Browsing
You can use the -D flag of OpenSSH to create a SOCKS proxy:
ssh -D 8080 savioko
In the browser, set a SOCKS5 proxy at localhost:8080, and it will work instantly.
Something similar years later: Super Simple VPN with SSH Tunneling