Having to work with remote servers frequently you will need to gain access to them quickly and easily. But what to do when security constraints prevent access to the server directly from your workstation?

In many cases the Security department will not allow you to have private keys on your servers in the cloud, so that the user gilad on the jump server should not have any private keys:

[gilad@jump ~]$ ls .ssh
authorized_keys  known_hosts

The solution is ssh forwarding through the Jump server in your data center / cloud network

Adding keys to the ssh-agent

On your PC, do the following:

In order for the ssh-agent to handle the forwarding of your keys you will need to add them

Add the following to your ~/.bashrc (or the corresponding init script of your user)

ssh-add ~/.ssh/server.pem
ssh-add ~/.ssh/id_rsa
ssh-add ~/.ssh/jumphost-key.pem
ssh-add ~/.ssh/test-key.pem

Configure your ssh client to Forward keys when accessing the jump host

Still on your PC:

Add the following to the ~/.ssh/config

Host jump
    User gilad # jump_host_user
    ForwardAgent yes

Make sure your public key is placed correctly on the Jump server

To generate a public key from your private key:

ssh-keygen -y -f ~/.ssh/jumphost-key.pem

You shoud get a public key:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCQwxmLonT5JrZUklPCm9N2PycyhJiGioNwfMLgsA2OYqI9ndoMj7eNK4yH3r32M4cBFgG8Y3Nw9hLhAXIA2GfuKSiSfdGepAn6Un/zm1j4LwKZGA/1wdekhIL8pmkNdLZU/N4iAdAvZJ3WPFqaLmFlz7t9AuoPodCF7dPFStBPBcxys17GruxhqnCeoXxjs59P1MsOmucu2dU85yfbKDEinVxuHI5mfH+AEm0zB2GZdBnUUs1gFmm7VT743ELINjVGF36zrtQZUj90ZxirQtfhdJrGjW83hrvlY+6ACuGZcuAGiOm0BhT6LTaUHUU4l0AziWTWgbPzEITQyGQ16hmR

On the Jump server:

Place the public key on the servers in the user’s home directory .ssh folder in the authorized_keys file

Place the public keys on the rest of the servers as defined in the this table:

user server public key of
gilad jumphost-key
ubuntu test-key
ubuntu server

ssh to the Jump server

ssh jump

You should get a prompt on the server:

[gilad@jump ~]$

ssh onwards to desired server


ssh ubuntu@

Will allow you access based on the test-key that does not exist on the jump server