Minimal Footprint SSH Agent Forwarding on OS X

Those who know me know that I’m a minimalist. I don’t like more than is needed to get the job done. I don’t like “tools” and applications that slow me down. For example, I read my email in mutt, a text-based email client, because 99% of my email is text. My hands stay on the keyboard because a mouse is not needed. Coincidentally, that’s also where my hands need to be to type an email. Is this beginning to make sense?

In this light, I run the SSH authentication agent known as, uhhh.., ssh-agent. The one that comes with SSH. No frills, nothing extra to download. I’m going to show you a copy & paste setup of ssh-agent that will make forwarding of your authentication details worry free and bloat free.

Let me first give a brief intro to SSH agent forwarding and then dive into the details.

When you SSH to a server from your laptop, and you authenticate via your key, life is good… until you want to SSH to another server, from the first server. Your private key doesn’t exist on the first server (as it definitely should not), so you can’t use it to authenticate. To solve this problem, you want the key on your laptop to “follow” you around from box to box. This is done with SSH agent forwarding.

This feature of SSH is disabled by default because it carries a security risk; the ssh_config(5) man page warns:

Agent forwarding should be enabled with caution.  Users with the
ability to bypass file permissions on the remote host (for the
agent's Unix-domain socket) can access the local agent through
the forwarded connection.  An attacker cannot obtain key material
from the agent, however they can perform operations on the keys
that enable them to authenticate using the identities loaded into
the agent.

Bah, I don’t really care.

Turning on SSH agent forwarding takes two simple steps. First, put the following in your ~/.bash_profile:

SSH_ENV="$HOME/.ssh/environment"

function start_agent {
     echo "Initializing new SSH agent..."
     # ssh-agent prints the variable exports plus an "echo Agent pid ..." line;
     # comment that echo out so sourcing the file later stays silent.
     /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}"
     echo succeeded
     chmod 600 "${SSH_ENV}"
     . "${SSH_ENV}" > /dev/null
     # Load the default identity; this prompts for the passphrase once.
     /usr/bin/ssh-add
}

# Source SSH settings, if applicable

if [ -f "${SSH_ENV}" ]; then
     . "${SSH_ENV}" > /dev/null
     # Reuse the agent only if the saved PID is non-empty and still belongs to an
     # ssh-agent process. The trailing space after the PID keeps "123" from
     # matching "1234"; an empty PID would otherwise match every line.
     [ -n "${SSH_AGENT_PID}" ] && ps -x | grep "^ *${SSH_AGENT_PID} " | grep 'ssh-agent$' > /dev/null || {
         start_agent
     }
else
     start_agent
fi
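Matching a PID in the ps listing proves only that some ssh-agent process has that PID; it does not prove that the agent behind $SSH_AUTH_SOCK still answers, and an empty or stale PID makes the grep unreliable. The following is an added example of my own, not the post's script, that probes the socket with `ssh-add -l` instead: ssh-add(1) documents an exit status of 0 or 1 when an agent responds (with or without loaded keys) and 2 when it cannot contact one. `write_env_file` takes the agent's output as text so the parsing can be exercised without a running agent; `SSH_ENV` defaults to the post's path, and the sample agent output used in the usage note is constructed.

```shell
#!/bin/sh
# Added example: reuse a running ssh-agent by probing its socket rather than
# grepping ps. SSH_ENV is the same environment file the post uses.
SSH_ENV="${SSH_ENV:-$HOME/.ssh/environment}"

# Return 0 if the agent behind $SSH_AUTH_SOCK answers, 1 otherwise.
# ssh-add -l exits 0 (keys loaded) or 1 (no keys) when an agent responds,
# 2 when none can be contacted, and 127 if the binary is missing.
agent_alive() {
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ] || return 1
    ssh-add -l >/dev/null 2>&1 && return 0
    # The && list above leaves ssh-add's status in $? when it failed.
    [ $? -eq 1 ]
}

# Turn ssh-agent's stdout ($1, as text) into an env file ($2) that only
# exports SSH_AUTH_SOCK and SSH_AGENT_PID, dropping the "echo Agent pid" line.
write_env_file() {
    printf '%s\n' "$1" | grep -v '^echo' > "$2"
    chmod 600 "$2"
}

# Start a fresh agent, record it, and load the default identity once.
start_agent() {
    echo "Initializing new SSH agent..."
    write_env_file "$(ssh-agent -s)" "$SSH_ENV"
    . "$SSH_ENV" >/dev/null
    ssh-add
}

# Entry point for ~/.bash_profile: reuse the recorded agent if it answers,
# otherwise start one. Also reuses an agent you did not start yourself,
# as long as SSH_AUTH_SOCK already points at its socket.
ensure_agent() {
    if ! agent_alive && [ -f "$SSH_ENV" ]; then
        . "$SSH_ENV" >/dev/null
    fi
    agent_alive || start_agent
}
```

Source this file from ~/.bash_profile and call `ensure_agent`. Because the liveness test goes through the socket, a reboot, a killed agent, or a PID that now belongs to an unrelated process all correctly trigger a new agent, and a deleted environment file is handled the same way.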

Next, add this to your ~/.ssh/config:

ForwardAgent yes

That’s it, just copy & paste.
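A bare `ForwardAgent yes` applies to every host you ever connect to, which is exactly the situation the man page quoted above warns about: any root user or anyone who can reach the socket on any of those hosts can sign with your keys while you are logged in. As an added example that is not part of the original post, here is a ~/.ssh/config that shows the post's global setting beside a scoped version, where forwarding is off by default and enabled only for the hosts you actually hop through. The host names `bastion.example.com` and `*.corp.example.com` are placeholders.

```sshconfig
# Weak: every server you log in to can use your agent for as long as
# you are connected.
# ForwardAgent yes

# Scoped: forward only to the hosts you use as jump points. These stanzas
# must come before "Host *" because ssh keeps the first value it finds.
Host bastion.example.com *.corp.example.com
    ForwardAgent yes

Host *
    ForwardAgent no
```

For a one-off hop you can still pass `-A` on the command line instead of editing the config. On OpenSSH 6.8 or newer, `ssh -G bastion.example.com | grep forwardagent` prints the value that will actually apply to a host, which is the quickest way to confirm the stanza order is right.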

I am, however, assuming you are running bash as your shell (the default on OS X). To my zsh friends, someone will have to translate. Also note that this isn’t limited to OS X; I do believe the bash code is generic enough to put on any Linux, FreeBSD, etc. box. You might have to change the args to ps, is all.

The first time you open up your terminal you will see ssh-agent starting and loading up your key(s). If you have set a passphrase on your key (you better!), you will be prompted for it once; ssh-agent keeps the decrypted key in memory until you kill it or turn off your laptop, so you are not asked again. Additionally, it forwards your agent connection as you hop from server to server, so you can authenticate without having your private key on each server: the key never leaves your laptop, and the ssh client on the remote box simply asks your agent to sign for it. Once again, this behavior persists unless you explicitly kill ssh-agent, so it’s maintenance free.

Life is good.
