
ssh config - send selected keys to agent


I'm writing my ssh config file and want to send agents with selected keys. No keys are to leave my local machine, and the sent agents may only have the necessary keys. All keys require passwords. I don't want to type the password multiple times in sequence, e.g. when accessing server, but don't mind entering it again whenever I access a machine. The following shows how I want to connect to the different servers:

local [--> git (git key)]
local --> frontend (compute key)
local --> frontend (compute key) --> server (compute key)
local --> frontend (compute key) [--> git] (git key)
local --> otherserver (password & app)
local --> otherserver (password & app) [--> git] (git key)
local --> somwherelse (else key)

My local ssh config:

Host server
 HostName server.compute.net
 User user1
 AddKeysToAgent yes
 IdentitiesOnly yes
 IdentityFile ~/.ssh/id_ed25519_compute
 IdentityFile ~/.ssh/id_ed25519_git
 ProxyJump frontend

Host frontend
 HostName frontend.compute.net
 User user1
 AddKeysToAgent yes
 IdentitiesOnly yes
 IdentityFile ~/.ssh/id_ed25519_compute
 IdentityFile ~/.ssh/id_ed25519_git

Host otherserver
 Hostname otherserver.com
 User user2
 AddKeysToAgent yes
 IdentitiesOnly yes
 IdentityFile ~/.ssh/id_ed25519_git

Host somwhereelse
 Hostname somewhereelse.com
 User user3
 AddKeysToAgent yes
 IdentitiesOnly yes
 IdentityFile ~/.ssh/id_ed25519_else

Host git
 Hostname git.url.com
 IdentitiesOnly yes
 IdentityFile ~/.ssh/id_ed25519_git

But when I try git pull on frontend, I get:

git@git.url.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Locally, git access works. I made sure an agent was running before logging in to frontend. What am I doing wrong?


Solution

  • In order for ssh on one of the remote hosts to use keys stored in the ssh-agent running on local, you must enable agent forwarding, either by using the -A option on the command line or by adding ForwardAgent yes to the configuration for the remote host.
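The fix from the answer applied to the config in the question, as an added example (not the poster's or the answerer's own config): ForwardAgent yes goes on the hosts that pull from git.url.com onward, and stays off where it is not needed.

```sshconfig
# Added example, not the poster's config: agent forwarding enabled only on
# the hosts that need to reach git.url.com onward. The private keys still
# never leave the local machine; only the agent socket is forwarded.

Host frontend
 HostName frontend.compute.net
 User user1
 AddKeysToAgent yes
 IdentitiesOnly yes
 IdentityFile ~/.ssh/id_ed25519_compute
 # Lets git/ssh on frontend sign with keys held by the local agent.
 ForwardAgent yes

Host server
 HostName server.compute.net
 User user1
 ProxyJump frontend
 AddKeysToAgent yes
 IdentitiesOnly yes
 IdentityFile ~/.ssh/id_ed25519_compute
 # Needed here as well: ProxyJump only tunnels the TCP connection through
 # frontend; it does not forward the agent to server.
 ForwardAgent yes

Host otherserver
 HostName otherserver.com
 User user2
 # Login is password + app; the git key is reached via the forwarded agent.
 ForwardAgent yes

Host somwhereelse
 HostName somewhereelse.com
 User user3
 AddKeysToAgent yes
 IdentitiesOnly yes
 IdentityFile ~/.ssh/id_ed25519_else
 # Nothing is pulled from git here, so do not expose the agent at all.
 ForwardAgent no

Host git
 HostName git.url.com
 IdentitiesOnly yes
 IdentityFile ~/.ssh/id_ed25519_git
```

A forwarded agent exposes every key it holds to anyone with root on that remote host, so the "only the necessary keys" requirement is not met by forwarding alone; with OpenSSH 8.9 or newer (assumption about the local version) the git key can be loaded with destination constraints, e.g. ssh-add -h frontend.compute.net -h "frontend.compute.net>git.url.com" ~/.ssh/id_ed25519_git, so that it may only be used from frontend towards git.url.com.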