SSH keys

Determine the fingerprint of a key

ssh-keygen can provide this information. It defaults to sha256, but -E md5 is also available.

ssh-keygen -lf KEY

scp only key

no-port-forwarding,no-pty,command="scp -v -t /destination/path" ssh-rsa ...

Hardware Keys

Add the key to ssh-agent

$ ssh-add -K

Put libfido2 into debug mode

env FIDO_DEBUG=1 ssh -vvv ...

Forwarding

Agent Forwarding

ssh-agent must be running on the original client computer.

Agent forwarding is enabled by default, but to utilize it pass the -A flag to ssh or enable it in .ssh/config.

Host host_identifier
     FowardAgent yes

The key should be added to the ssh-agent on the original destination automagically. This can be checked by running ssh-add -l on the destination. The key should be listed in the output.

Restrictive Agent Forwarding

To use the restrictive ForwardAgent, there must be a key in known_hosts that matches the hostname of all destinations. For instance, if we intend to reach node2 via node1, both node2 and node1 require known_hosts entries. The hostnames in known_hosts should match the names provided in the restrictions (ssh-agent does a lookup to see if it “knows” the destination).

Error presented when the entry is not found in known_hosts:

[ddp@ix:.ssh] :; ssh-add -h "pine.example.com>monitor0.example.com" id_rsa
No host keys found for destination "pine.example.com"

First add a constraint for the original destination, then add further constraints for the next hops.

$ ssh-add -h "ix.example.com" -h "ix.example.com>vmconnect.example.com" .ssh/id_rsa