
Mailing List Archive
[tlug] ssh-agent not being magical enough [Josh: C&C for toshiyori]
Darren Cook writes:
> But, now I want to do that deliberately on a remote server and it won't
> work! What I want is:
> $ ssh first
> [first]$ scp abc second:~
> --> prompt for the key passphrase [2]
> [first]$ scp abc second:~
> --> used saved passphrase

Are you sure that's what you want?

The usual configuration is like this (see also Christian's very
similar post, but I didn't fully understand it so I'm writing in my
own style here):

localhost:
    ssh-agent (background)
        This is your active ssh-agent.  It actually knows your keys.
    ssh
        You know what this is for.
        You need to enable "AgentForwarding" either in .ssh/config or
        from the command line with "-A".

first:
    ssh-agent (background)
        I'm not sure you actually need it, but you may.  It doesn't
        need to know about identities.  If it has any role, it is
        forwarding authentication traffic between ssh-agent on
        localhost (which knows the keys) and the sshd on second.
    sshd
        Must have agent-forwarding option enabled (see
        no-agent-forwarding in the sshd man page).  Dunno if you can
        do this.  agent-forwarding is considered a security risk (see
        ssh man page near the top).
    ssh
        Just do it.  Caveat, if you ever ssh from second, you may want
        AgentForwarding enabled here.

second:
    sshd
        Must be running, of course.  If you want to use agent
        forwarding from here, configure like "first".
    ssh-agent, ssh
        If you ssh from "second", see configuration for "first".

The only reason I can think of to *not* use this configuration is if
you share an SSH key with a user actually based on "first" (who's on
first, anyway??), but sharing keys is also normally frowned on.
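
Added example, not part of the original post: since the message notes that agent forwarding is considered a security risk, this shell check lists which blocks of a client config switch it on and flags global or wildcard scopes. It assumes OpenSSH, where the client keyword is `ForwardAgent`; the function names and the sample config are constructed for illustration.

```shell
# Added example (not from the post): report where an OpenSSH client config
# turns on agent forwarding. It lists every enabling line and does not model
# the "first obtained value wins" precedence that ssh itself applies.
audit_forward_agent() {   # $1: path to an ssh_config-style file
    awk '
        BEGIN { host = "(global)" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # keyword and value are separated by whitespace or "="
            n = match(line, /[ \t=]+/)
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n + RLENGTH)
            sub(/[ \t]+$/, "", val)
        }
        key == "host"  { host = val; next }
        key == "match" { host = "Match " val; next }
        # any value other than "no" (yes, a socket path, $VAR) enables forwarding
        key == "forwardagent" && tolower(val) != "no" {
            scope = (host == "(global)" || host ~ /[*?]/) ? "BROAD" : "scoped"
            printf "%s\t%s\t%s\n", scope, host, val
        }
    ' "$1"
}

# Constructed sample config using the host names from the thread.
sample_config() {
    cat <<'EOF'
# forward the agent only to the jump host
Host first
    ForwardAgent yes

Host second
    ForwardAgent no

Host *
    ForwardAgent=yes
EOF
}

# Usage: audit_forward_agent ~/.ssh/config
```

A "BROAD" line means the agent is offered to every host the pattern matches, not just to "first".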