SSH Agent Forwarding in AWS

By | February 13, 2021

Common scenario: You’ve got a bastion host within your AWS VPC with a public IP address. You SSH into this box and then want to do something on a different server on a private subnet within the VPC:

If you NOW do a regular SSH tunnel from the bastion host to the internal server using the regular SSH command, this will fail as the key isn’t local to the bastion host. What you *never never never* want to do is put your private keys onto the bastion host to SSH into the internal server. This is a terrible security issue! If the bastion host becomes compromised, then all of the systems internally that use that key are ALSO compromised automatically. This is one of THE most likely systems to be targeted because of its potential attack surface:

Instead you’ll want to use SSH agent forwarding to move about internally. In this article I’ll show you how to use the SSH agent on your local laptop/pc to do this. Note that I’m using windows subsystem for Linux (WSL 2):

  1. Confirm that ssh-agent is running:
eval 'ssh-agent'

2. Add the private key to the ssh agent:

ssh-add ./<path to key>

3. To the normal SSH connect string that you get from your EC2 instance, add “-A” after ssh:

ssh -A -i "<pem key>" ec2-user@<AWS FQDN>

4. Now you are on the Bastion Host in SSH Agent mode. This means you can now SSH to private servers (in this case 10.16.109.153) without the -i or pem key command line arguments:

ssh ec2-user@<IP address>

5. And now you’re on the private EC2 instance:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.