
SSH Agent Forwarding & Sudo Simplified

This tutorial demonstrates what “SSH Agent Forwarding” is and how it works, and then goes a step further so that you can also ‘sudo’ on the target system. This is the scenario:

“You have one or more Web servers that you look after. For security reasons, these Web servers accept SSH connections only from a single Deployment server. You want to SSH (with a key pair) from your workstation to the Deployment server, and from there to any of the Web servers. You don’t want to put your private key on the Deployment server.”

Assumptions: You have a public key already on each Web server. You also have your public key on the Deployment server. Your workstation has your private key and you can SSH from your workstation to each Web server if firewalls permit.

On your workstation you can issue the following command to get to the Deployment server:

ssh -A [email protected]

Note the “-A” option. It forwards your local SSH agent to the Deployment server, so the Deployment server can use your key to authenticate onward while the private key itself stays on your workstation. Now you can do the following:

ssh [email protected]

At this point everything is working. But you might want to change to ‘root’ using ‘sudo’, or to another specific user, like this: ‘sudo -u user2’.

To use sudo on the Web server, you need to ensure the Deployment server and the Web servers allow ‘sudo’ for your user ‘myuser’. Enable the following setting in the sshd configuration on the Deployment server:

AllowAgentForwarding yes

And restart sshd on the Deployment server like this:

service sshd restart

Now start again from your workstation: SSH with “-A” to the Deployment server, and from there to the Web server.
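The following script is an added example, not part of the original tutorial, that checks the three points a practitioner wants to verify in this chain: that sshd on the Deployment server really has AllowAgentForwarding in effect, that a forwarded agent socket is usable in the current shell on the Web server, and whether sudo there preserves SSH_AUTH_SOCK (after ‘sudo -u user2’ the forwarded socket is normally no longer reachable, because sudo drops the variable and the socket file belongs to the login user). The sshd_config and sudoers snippets at the bottom are constructed samples, not taken from any real server.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Helper checks for the
# workstation -> Deployment server -> Web server agent-forwarding chain.
# All sample configuration text below is constructed for the demo.

# 1. Effective value of an sshd_config keyword, read from stdin.
#    sshd keeps the FIRST value it sees for a keyword; later duplicates are
#    ignored, and anything under a Match block is conditional, so parsing
#    stops at the first Match line. Only the "Keyword value" spelling is
#    handled here, not "Keyword=value".
sshd_effective() {
    awk -v key="$1" '
        tolower($1) == "match"          { exit }     # conditional section
        /^[ \t]*#/ || NF == 0           { next }     # comments and blanks
        tolower($1) == tolower(key)     { print $2; exit }
    '
}

# 2. Is a forwarded agent socket reachable from this shell? Takes a socket
#    path, defaulting to $SSH_AUTH_SOCK. On the Web server this succeeds in
#    the login shell and normally fails after "sudo -u user2": sudo drops
#    SSH_AUTH_SOCK unless configured to keep it, and the socket file stays
#    owned by the login user, so the other user cannot write to it anyway.
agent_socket_ok() {
    sock="${1:-$SSH_AUTH_SOCK}"
    [ -n "$sock" ] && [ -S "$sock" ] && [ -w "$sock" ]
}

# 3. Does a sudoers text (stdin) keep SSH_AUTH_SOCK across sudo?
#    Looks for "Defaults env_keep += "SSH_AUTH_SOCK"" style lines
#    (also "Defaults:user" variants). Simplification: a sudoers with
#    env_reset disabled would also keep it, but that is not detected here.
sudoers_keeps_agent() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) ~ /^defaults/ && $0 ~ /env_keep[ \t]*\+?=/ && $0 ~ /SSH_AUTH_SOCK/ {
            found = 1; exit
        }
        END { exit !found }
    '
}

# Constructed sample: stand-in for /etc/ssh/sshd_config on the Deployment
# server. The second "no" is ignored (first value wins), and the Match
# block only applies to user "guest".
SAMPLE_SSHD='
# Deployment server
AllowAgentForwarding yes
AllowAgentForwarding no
Match User guest
    AllowAgentForwarding no
'

# Constructed sample: stand-in for /etc/sudoers on the Web server.
SAMPLE_SUDOERS='
Defaults env_reset
Defaults env_keep += "SSH_AUTH_SOCK"
myuser ALL=(ALL) ALL
'

# Demo run on the constructed samples plus the live environment.
echo "AllowAgentForwarding in effect: $(printf '%s\n' "$SAMPLE_SSHD" | sshd_effective AllowAgentForwarding)"
if printf '%s\n' "$SAMPLE_SUDOERS" | sudoers_keeps_agent; then
    echo "sudoers keeps SSH_AUTH_SOCK: yes"
else
    echo "sudoers keeps SSH_AUTH_SOCK: no"
fi
if agent_socket_ok; then
    echo "forwarded agent socket usable here: yes ($SSH_AUTH_SOCK)"
else
    echo "forwarded agent socket usable here: no"
fi
```

Run it as-is to see the checks against the constructed samples; to check a real server, pipe the actual files in, for example `sshd_effective AllowAgentForwarding < /etc/ssh/sshd_config` on the Deployment server and `sudo cat /etc/sudoers | sudoers_keeps_agent` on the Web server. Keeping SSH_AUTH_SOCK across sudo only helps when the target user can also reach the socket file; the usual pattern is to run the onward SSH as the login user and let sudo cover only the privileged commands.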