SSH Agent Forwarding & Key Caching
Advanced · v1.0.0
Configure SSH agent for passphrase caching and secure agent forwarding — ssh-agent setup, keychain integration, forwarding to remote hosts, and security considerations.
Overview
The SSH agent caches your decrypted private keys in memory so you only type your passphrase once per session. Agent forwarding extends this to remote servers, letting you authenticate from a remote machine using your local keys without copying private keys to the server.
Why This Matters
- Type passphrase once — agent caches decrypted keys in memory
- No private keys on servers — forward local agent instead
- Seamless multi-hop — authenticate through chains of servers
- Git from remote — push/pull on servers using local GitHub keys
How It Works
Step 1: Start SSH Agent
Step 2: Configure AddKeysToAgent
Step 3: Enable Agent Forwarding (Selective)
Step 4: Verify Agent Forwarding
Using Keychain for Persistent Agent
Security Considerations
Best Practices
- AddKeysToAgent yes — auto-cache on first use
- ForwardAgent only to trusted hosts — never wildcard
- Prefer ProxyJump over ForwardAgent — more secure
- Use keychain on Linux for persistent agent across sessions
- Use macOS Keychain for seamless passphrase storage
- Verify with ssh-add -l after forwarding
Common Mistakes
- ForwardAgent yes in Host * (security risk on every host)
- Not starting ssh-agent (keys not cached)
- Forwarding to untrusted/shared servers
- Using agent forwarding when ProxyJump would work
- Forgetting AddKeysToAgent (typing passphrase every time)
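As an added example that is not part of the original page, the following POSIX shell function audits an ssh_config for the wildcard-forwarding mistake listed above and shows, beside the weak block, the per-host layout the best practices call for (forwarding on one named host, ProxyJump for the multi-hop case). Both sample configs and all host names are constructed; only sh and awk are assumed.

```shell
# Added example, not from the original page. Audits ssh_config text for
# "ForwardAgent yes" applied to a wildcard Host pattern (or set globally)
# and shows the corrected per-host layout. Assumes POSIX sh and awk only.

# Constructed sample with the weak setting: forwarding enabled for every host.
WEAK_CONFIG='Host *
    AddKeysToAgent yes
    ForwardAgent yes
'

# Constructed corrected sample: forwarding only on one named trusted host,
# ProxyJump for the multi-hop case, nothing forwarded under the wildcard block.
SAFE_CONFIG='Host *
    AddKeysToAgent yes
    ForwardAgent no

Host build.example.internal
    ForwardAgent yes

Host app.example.internal
    ProxyJump bastion.example.internal
'

# audit_forward_agent CONFIG_TEXT
# Prints every Host pattern that enables ForwardAgent while matching more than
# one host (contains * or ?, or is set before any Host line). Match blocks are
# not parsed. Exit status 1 if anything was flagged, 0 if the config is clean.
audit_forward_agent() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "host" {
            host = $2
            for (i = 3; i <= NF; i++) host = host " " $i
            next
        }
        tolower($1) == "forwardagent" && tolower($2) == "yes" &&
            (host == "" || host ~ /[*?]/) {
            print (host == "" ? "(global)" : host)
            bad = 1
        }
        END { exit bad + 0 }
    '
}

# Demo on the constructed samples; pass a real file with "$(cat ~/.ssh/config)".
audit_forward_agent "$WEAK_CONFIG" || echo "WEAK_CONFIG: wildcard ForwardAgent found"
audit_forward_agent "$SAFE_CONFIG" && echo "SAFE_CONFIG: clean"
```

After connecting to a host where forwarding is enabled, ssh-add -l on the remote side lists the local keys only if the agent socket actually arrived; an empty list there means the per-host ForwardAgent setting did not apply.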