ui_pageant » Revisions »
Differences
This shows you the differences between the selected revisions of the page.
2014-03-03 | 2014-07-25 | ||
key size should be 2048 bit at least nowadays (martin) | no summary (120.59.52.28) (hidden) | ||
Line 90: | Line 90: | ||
</code> | </code> | ||
- | ===== Using Agent Forwarding ===== | ||
- | Agent forwarding is a mechanism that allows applications on your SSH server machine to talk to the agent on your client machine. | ||
- | Note that at present, agent forwarding in SSH-2 is only available when your SSH server is OpenSSH. The ssh.com server uses a different agent protocol, which WinSCP does not yet support. | ||
- | |||
- | To enable agent forwarding, first start Pageant. Then set up a WinSCP SSH session in which //[[ui_login_authentication|Allow agent forwarding]]// is enabled. Open the session as normal. | ||
- | |||
- | If this has worked, your applications on the server should now have access to a Unix domain socket which the SSH server will forward back to WinSCP, and WinSCP will forward on to the agent. To check that this has actually happened, you can try this command on Unix server machines: | ||
- | |||
- | <code> | ||
- | unixbox:~$ echo $SSH_AUTH_SOCK | ||
- | /tmp/ssh-XXNP18Jz/agent.28794 | ||
- | unixbox:~$ | ||
- | </code> | ||
- | |||
- | If the result line comes up blank, agent forwarding has not been enabled at all. | ||
- | |||
- | Now if you run ssh on the server and use it to connect through to another server that accepts one of the keys in Pageant, you should be able to log in without a password: | ||
- | |||
- | <code> | ||
- | unixbox:~$ ssh -v otherunixbox | ||
- | [...] | ||
- | debug: next auth method to try is publickey | ||
- | debug: userauth_pubkey_agent: trying agent key my-putty-key | ||
- | debug: ssh-userauth2 successful: method publickey | ||
- | [...] | ||
- | </code> | ||
- | |||
- | If you enable agent forwarding on that SSH connection as well (see the manual for your server-side SSH client to find out how to do this), your authentication keys will still be available on the next machine you connect to - two SSH connections away from where they're actually stored. | ||
- | |||
- | In addition, if you have a private key on one of the SSH servers, you can send it all the way back to Pageant using the local ''ssh-add'' command: | ||
- | |||
- | <code> | ||
- | unixbox:~$ ssh-add ~/.ssh/id_rsa | ||
- | Need passphrase for /home/fred/.ssh/id_rsa | ||
- | Enter passphrase for /home/fred/.ssh/id_rsa: | ||
- | Identity added: /home/fred/.ssh/id_rsa (/home/simon/.ssh/id_rsa) | ||
- | unixbox:~$ | ||
- | </code> | ||
- | |||
- | and then it's available to every machine that has agent forwarding available (not just the ones downstream of the place you added it). | ||
===== Security Considerations ===== | ===== Security Considerations ===== |