How to enable SSH Agent Forwarding in Ubuntu 16.04

A few days ago we were trying to set up SSH agent forwarding in Ubuntu to connect to private AWS EC2 instances hosted behind a NAT or bastion instance. Storing private access keys on the bastion or NAT instance is never recommended. SSH agent forwarding allows administrators to securely connect to private Linux instances in private Amazon VPC subnets using access keys stored on the local computer.

SSH Agent forwarding in Ubuntu

Allow Agent Forwarding to your server
Use any text editor like vim, nano or sublime to open ~/.ssh/config. If this file does not exist, create it. Most of the time the config file needs to be created. You can create it by running the touch command

 touch ~/.ssh/config

in a terminal. Now add the following text to the newly created file, replacing <NAT-or-bastion-IP> with the NAT or bastion instance IP.

  Host <NAT-or-bastion-IP>
    ForwardAgent yes
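
A `ForwardAgent yes` line applies to whichever hosts its enclosing `Host` block matches, or to every host when it sits outside any block. The shell function below is an added example, not part of the original post: it lints an ssh client config and flags entries that forward the agent to every host. The function name, the WIDE/SCOPED labels and the sample config (using the documentation address 203.0.113.10) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# audit_forward_agent FILE
#   Prints one line per "ForwardAgent yes" found in an ssh client config:
#     WIDE   <scope>  applies to every host (outside any Host block, a
#                     wildcard Host pattern, or "Match all")
#     SCOPED <scope>  limited to the named host(s)
#   Returns 1 if any WIDE entry exists, 0 otherwise.
#   Limits: Include files are not followed, and ssh's first-value-wins
#   resolution is not evaluated; this is a lint, not an effective-config dump.
audit_forward_agent() {
    awk '
    BEGIN { scope = "(global)"; anyhost = 1; wide = 0 }
    {
        sub(/\r$/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
        if ($0 == "" || $0 ~ /^#/) next
        line = $0
        # keyword and value are separated by blanks or by "="
        sub(/[ \t]*=[ \t]*|[ \t]+/, " ", line)
        key = tolower(line); sub(/ .*/, "", key)
        val = line;          sub(/^[^ ]+ ?/, "", val)
        if (key == "host") {
            scope = val; anyhost = (val ~ /[*?]/)
        } else if (key == "match") {
            scope = "Match " val; anyhost = (tolower(val) == "all")
        } else if (key == "forwardagent" && tolower(val) == "yes") {
            if (anyhost) { print "WIDE   " scope; wide = 1 }
            else         { print "SCOPED " scope }
        }
    }
    END { exit wide }
    ' "$1"
}

# Demo on a constructed config: one bastion-only block, one wildcard block.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
Host 203.0.113.10
    ForwardAgent yes
Host *
    ForwardAgent yes
EOF
audit_forward_agent "$demo_cfg" || echo "review the WIDE entries above"
rm -f "$demo_cfg"
```

Run it against your own file with `audit_forward_agent ~/.ssh/config`; a non-zero return means at least one entry forwards the agent beyond a named host.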

Add all required private access keys on your local computer
You need to add the private access keys locally by using the ssh-add command with the -k option and the pem file, like this:

ssh-add -k ~/home/pem/myprivatekey.pem

If the pem file is protected by a passphrase, you will be prompted for it after pressing Enter. Enter the correct passphrase to add the private key. This step needs to be done for all the required keys, such as the key of the bastion, the key of the app server, the key of the web server, etc.

ssh-add -K myPrivateKey.pem
Enter passphrase for myPrivateKey.pem:
Passphrase stored in keychain: myPrivateKey.pem
Identity added: myPrivateKey.pem (myPrivateKey.pem)

Verification of added private keys
Added keys can be verified using the ssh-add command with the -L option. ssh-add -L displays the keys the agent has stored, as shown below:

ssh-add -L
cx0RylX9IjcvJOyw== myPrivateKey.pem

If no keys have been added to your SSH agent, the following message will appear:

ssh-add -L
The agent has no identities.

SSH Agent forwarding in Mac

To configure SSH agent forwarding on a Mac, repeat almost the same steps as described above for Ubuntu. You have to add the private key (.pem) files using the ssh-add command.

Logging in to private ec2 instances through Bastion or Nat

After adding the private keys locally, you are ready to log in to your private instances hosted behind bastion or NAT instances in AWS. Use SSH with the -A option. This option enables agent forwarding, so authentication requests are answered using the locally saved .pem file when the bastion server asks for authentication.

ssh -A  [email protected] or public-dns 

for example:  ssh -A [email protected] of- bastion-instance-or-nat-instance

After connecting successfully to the bastion, you can connect to private instances such as an app server or database server using the ssh command without any key on the bastion:

ssh [email protected]

Pranav K

Pranav K is a software engineer and all-round computer geek. His interests include AWS, Ubuntu and WordPress.


  1. Hi Pranav,

    After completing the ForwardAgent step, the ssh-add step gave the below error.
    “Could not open a connection to your authentication agent.”

    Can you please help?
