- Enterprise Cloud Security and Governance
- Zeal Vora
- 2025-04-04 17:38:54
The workings of SSH agent forwarding
In this type of setup, there is no need to store any private keys on the bastion host. When you log in to the bastion host with SSH agent forwarding enabled and then connect from the bastion host to an instance in the private subnet, the SSH agent takes care of authenticating you to the remote server with the private key stored on your laptop.
The SSH agent is a local program that keeps track of your private keys and their passphrases. It is the agent that logs you in to servers, so you do not have to keep typing passphrases again and again, which matters especially when your private keys are passphrase-protected.
Agent forwarding is a mechanism by which the SSH client allows the SSH server to use the local SSH agent for authentication. That local SSH agent has access to the user's private keys and passphrases.
Let's walk through the process step by step:
- Assume that the workstation has an established connection to the bastion host and wants to log in to the remote server:

- In this step, the user on the workstation sends a request to the remote server asking to log in via SSH:

- To authenticate the login, the remote server sends a challenge encrypted with the user's public key, which can only be decrypted by the associated private key:

- Because SSH agent forwarding is in use, the challenge received by the bastion host is forwarded back to the workstation, where the private key is stored, so that the challenge response can be computed there:

- The private key decrypts the challenge sent by the remote server and a challenge response is computed. The challenge response is generally computed as follows:
Challenge (plain text after decryption) + SSH Session ID = Hash
The hash is then encrypted with the private key to form the challenge response. This is sent to the bastion host, which forwards it on to the remote server:

- The remote server decrypts the challenge response with the public key; if the response is correct, the connection is established:

Throughout this process the private key is never stored on the bastion host; instead, the challenge and its response are forwarded back and forth between the remote server and the workstation, and that forwarding is exactly what SSH agent forwarding provides.
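The client-side setup for the flow above, as an added example that is not from the book: load the key into the local agent, scope ForwardAgent to the bastion entry only (so no other server you log into gains access to your agent), and a check to run on the bastion to confirm the forwarded agent is reachable. Hostnames, usernames and key paths are placeholders.

```shell
#!/bin/sh
# Added example (not the book's code). Hostnames, users and paths are placeholders.

# 1. Load the private key into the local agent on the workstation. The key
#    itself never leaves this machine; only the agent socket is forwarded.
load_key() {
    key="$1"
    [ -n "${SSH_AUTH_SOCK:-}" ] || eval "$(ssh-agent -s)" >/dev/null
    ssh-add "$key"
}

# 2. Emit a ~/.ssh/config stanza for the bastion. ForwardAgent is enabled
#    only for this Host entry; a global "ForwardAgent yes" would let every
#    server you log into sign with your keys.
render_config() {
    bastion_host="$1"; user="$2"; key="$3"
    printf 'Host bastion\n'
    printf '    HostName %s\n' "$bastion_host"
    printf '    User %s\n' "$user"
    printf '    IdentityFile %s\n' "$key"
    printf '    ForwardAgent yes\n'
}

# 3. Run this on the bastion after "ssh bastion". Forwarding works when the
#    bastion-side agent socket exists and "ssh-add -l" lists the workstation
#    key; from there "ssh ec2-user@<private-ip>" authenticates via the agent.
check_forwarded_agent() {
    if [ ! -S "${SSH_AUTH_SOCK:-}" ]; then
        echo "no forwarded agent socket on this host" >&2
        return 1
    fi
    ssh-add -l
}

# Usage on the workstation: sh agent_forwarding.sh setup
if [ "${1:-}" = "setup" ]; then
    load_key "$HOME/.ssh/id_ed25519"
    render_config bastion.example.com ec2-user "$HOME/.ssh/id_ed25519" >> "$HOME/.ssh/config"
fi
```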