SSH Agent Forwarding in Windows

SSH Agent Forwarding in Windows

I need to tunnel SSH through one intermediate host B to the final host C. From host A, over B to C (A-B-C) where host A can’t directly access host C, but A-B and B-C can. For this, the best way is to use SSH public-key authentication, but it can be achieved also with password.

When using passwords, typing:

ssh -t savioko ssh -t root@apach-1

and passwords after that, will do the job.

Multi-hop SSH without passwords

As a mandatory we have to make a ssh-agent work on local machine. As noted elsewhere, it can be done by copy-pasting:

set SSH_AUTH_SOCK=%TEMP%\ssh-agent.socket
FOR /F "tokens=1 delims=;" %r IN ('ssh-agent -a %SSH_AUTH_SOCK% ') DO @(SET %r >NUL 2>&1)

Then, we must ad a keys to the agent:

ssh-add ~/.ssh/id_rsa

And we must execute the same command as before, only this time adding a switch -A for the intermediate host. This switch tells that host to enable agent forwarding.

ssh -t -A savioko ssh root@apach-1

For agent forwarding through SSH tunnel to work, really nothing special must be done on final and intermediate server.


For debugging purposes, when executing SSH, add -vvv to any SSH command. This will display very detailed process information.

No need for nothing more

About settings that are really not important.

  • AllowAgentForwarding yes in sshd_config as server configuration, is by default turned on, so it doesn’t matter - don’t bother with this unless it’s not disabled on purpose somewhere.

  • ForwardAgent yes in ssh_config or in ~/.ssh/config as client settings - it is not important because using SSH switch -A when connecting produces exactly the same effect.

In two simple steps

Important things:

  1. Local ssh-agent must be running and your key must be loaded in it
  2. Execute: ssh -t -A user@HostMiddleman ssh user@HostDestination


Extra configuration required for ssh-agent forwarding? - Super User An Illustrated Guide to SSH Agent Forwarding Using ssh agent forwarding

Bazinga: more elegant way - fully automatic!

Holy schmoly! Bazinga! For this solution you don’t even need an active ssh-agent. Simply beautifull!

Just configure client to do a hop. Use a ProxyCommand directive for that:

set F="%HOMEDRIVE%%HOMEPATH%\.ssh\config"

echo. >> %F%
echo Host apach-1.savioko >> %F%
echo     HostName apach-1 >> %F%
echo     User root >> %F%
echo     Port 22 >> %F%
echo     IdentityFile "~/.ssh/id_rsa" >> %F%
echo     IdentitiesOnly yes >> %F%
echo     ProxyCommand ssh savioko nc %h %p >> %F%

This is it. Check that you can login with keys, and disable password login after that.

ssh apach-1.savioko

In the future, if you have the latest version of OpenSSH, you could use very similar -W switch and avoid using Netcat nc.

ProxyCommand ssh savioko -W %h:%p

Sources: Multihop SSH tunneling

Local port forwarding

This is usualy needed to trick GUI tools about connecting to remote. In my case, I’m using it for SSHFS client WebDrive.

ssh savioko -L 9999:apach-1:22 -N

This -N is not to execute a remote command - exactly useful for just forwarding port. You can change option to -fN combination to tell SSH to connect, establish tunnels and continue running in background.

Now I can login to apach-1 server with:

ssh root@localhost -p 9999 -o "HostkeyAlias=apach-1"

This trick with passing option HostkeyAlias is avoiding fatal warning WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!. Very good idea.

Chaining ssh tcp port forwarding SSH/OpenSSH/PortForwarding - Community Ubuntu Documentation

Quick local SOCKS Proxy with an SSH Tunnel

SSH Tunnel + SOCKS Proxy Forwarding = Secure Browsing

You can use the -D flag of OpenSSH to create a SOCKS proxy.

ssh -D 8080 savioko

In browser, set SOCKS5 at localhost:8080, and it will instantly work.

Something similar years later: Super Simple VPN with SSH Tunneling

date 22. May 2013 | modified 29. Dec 2023
filename: SSH Agent Forwarding in Windows