Wednesday, June 15, 2011

ssh-agent and agent forwarding on Windows machines

Ubuntu and MacOS machines have things set up already for ssh-agent forwarding. For Ubuntu, whenever you open a terminal, the script in /etc/X11/Xsession.d/90x11-common_ssh-agent starts things up, meaning that all you have to do is enable AgentForwarding in the /etc/sshd/ssh_config or your personal ~/.ssh/ssh_config to get things to work:
To get SSH agent forwarding to work, you therefore must have ssh-agent running before you connect to a server (you can type set | grep SSH_AUTH_SOCK to verify). To verify that the server to which you connect also has agent forwarding, run set | grep SSH_AUTH_SOCK again on that server. Sometimes it can get confusing depending on your server configuration (i.e. if some of your boxes are only set up to accept public/private key exchanges instead of passwords).

On Windows 7/XP machines, it's a bit more complicated. If you're using Cygwin/OpenSSH, you can store your private/public key inside your /home/<username>/.ssh and add the following section (taken from ) to run ssh-agent, direct the output to a /.ssh/environment file, and then set the environment variables so that subsequent SSH calls will use the SSH_AUTH_SOCK environment (SSH_AGENT_PID can be used for killing the process, as shown in the code below).

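# Assumed definitions (not shown on the page); adjust to your install
SSH_ENV="${HOME}/.ssh/environment"
SSHAGENT=/usr/bin/ssh-agent

function start_agent {
     echo "Initialising new SSH agent..."
     # Comment out the agent's "echo Agent pid" line and save its variable exports
     ${SSHAGENT} | sed 's/^echo/#echo/' > "${SSH_ENV}"
     echo succeeded
     chmod 600 "${SSH_ENV}"
     . "${SSH_ENV}" > /dev/null
}

# Source SSH settings, if applicable

if [ -f "${SSH_ENV}" ]; then
     . "${SSH_ENV}" > /dev/null
     # Start a new agent only if the recorded PID is not a live ssh-agent
     ps -ef | grep "${SSH_AGENT_PID}" | grep 'ssh-agent$' > /dev/null || {
          start_agent
     }
else
     start_agent
fi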

One thing I did have to do is to add an "ssh-add" as the last line of the start_agent code, which will cause the program to look inside the /home/username/.ssh/id_rsa for the private key. If you have the file stored in a different place, you can provide the full pathname with ssh-add. The "ssh-add -l" command will also verify which keys have been added. You should see the MD5 checksum of the private/public key that was added.
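The script above sources the saved environment file and then greps ps output to decide whether the agent is still alive. The following is an added example, not code from the original post: it refuses to source the file unless it is private, and asks the agent directly through the exit status of ssh-add -l. SSH_ADD_CMD and the function names are hypothetical; SSH_ENV is assumed to point at the same file the script writes.

```bash
# Added example, not from the original post. SSH_ENV matches the variable in
# the script above; SSH_ADD_CMD is a hypothetical override for testing.
SSH_ENV="${SSH_ENV:-$HOME/.ssh/environment}"
SSH_ADD_CMD="${SSH_ADD_CMD:-ssh-add}"

# The file is sourced, so refuse it unless it is a regular file with no
# group/other permission bits (what the script's chmod 600 produces).
env_file_is_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1")" in
        -r?-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Ask the agent itself instead of grepping ps output. ssh-add -l exits
# 0 when keys are loaded, 1 when the agent has none, 2 when it cannot
# reach an agent through SSH_AUTH_SOCK.
agent_state() {
    [ -n "${SSH_AUTH_SOCK:-}" ] || { echo no-socket; return 0; }
    rc=0
    "$SSH_ADD_CMD" -l >/dev/null 2>&1 || rc=$?
    case "$rc" in
        0) echo has-keys ;;
        1) echo empty ;;
        *) echo unreachable ;;
    esac
}

# Load the saved environment only if it is private and the agent answers.
load_agent_env() {
    if ! env_file_is_private "$SSH_ENV"; then
        echo "not loading $SSH_ENV: missing or not private" >&2
        return 1
    fi
    . "$SSH_ENV" >/dev/null
    case "$(agent_state)" in
        has-keys|empty) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage in the script above, replacing the ps | grep test:
#   load_agent_env || start_agent
```

The "empty" state means the agent is running but holds no keys, which is the case where ssh-add still needs to be run.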

Also, SecureCRT apparently has a more tightly bound use of ssh-agent by relying on protected shared memory to implement its key agent, so you should be able to provide your SSH private key, enable the "Add Keys to Agent" and "Enable Agent Forwarding" options and things should work without this extra nuisance of invoking ssh-agent on bash startup.

SecureCRT integrates its key agent much more tightly than most other SSH clients, using a bit of protected system memory shared by all instances of SecureCRT, the Activator in the system tray, and the command-line clients. Once a passphrase has been unlocked by one client, agent services remain available to all of them. This includes the SecureFX product as well.


  1. How would I do this? "add the following section?" Where would I place this script for it to be sourced?

    quoted: "If you're using Cygwin/OpenSSH, you can store your private/public key inside your /home//.ssh and add the following section"

  2. The following section is the SSH_ENV block listed. It was taken from