SSH Host Hopping
Technical Background
In many infrastructures, some systems are located in restricted networks and can only be accessed through an intermediate “jump host”. Copying private SSH keys onto each host is considered insecure because it increases the risk of key compromise. A safer approach is SSH agent forwarding, which allows you to reuse your local SSH credentials when hopping through one or more intermediate hosts, without ever transferring your private key.
Solution
SSH Configuration for Agent Forwarding
-
On your local workstation, enable agent forwarding for the intermediate host (Host A).
Edit
~/.ssh/config:```text Host hostA HostName
User root ForwardAgent yes Host hostB HostName
User root ``` Info
This ensures your SSH agent is forwarded when connecting to Host A.
-
Before connecting, start the SSH agent and load your private key:
bash eval "$(ssh-agent -s)" ssh-add ~/.ssh/id_ed25519Note
You only enter the passphrase once.
Using Host Hopping
-
Connect to Host A
From your local machine:
bash ssh hostAInfo
You are now inside Host A while your local SSH agent is available to it.
-
Connecting from Host A to Host B
From within Host A:
bash ssh hostBInfo
This works even though Host B doesn’t have your private key, because the authentication is forwarded from your local workstation.
-
Closing all connections:
Exit Host B and then Host A:
bash exit exit -
Direct Login to Host B
Try to connect directly from your workstation to Host B:
bash ssh hostBWarning
This fails with:
Permission denied (publickey).Host B only allows access through Host A. -
Reverse Hop from B to A:
If you log in to Host B (through Host A) and attempt to connect back to Host A:
bash hostAFail
You will again see:
bash Permission denied (publickey).Info
This demonstrates that agent forwarding is one-directional. It allows the initial remote host to use your local agent, but doesn’t cascade to subsequent reverse connections.
Related Links
SSH
SSH jump host
SSH Agent Forwarding Guide
OpenSSH Manual: ForwardAgent