
Cloud Notes: SSH Agent Forwarding via Jump Host

Simple step-by-step notes for using ssh-add with ProxyJump (-J) and agent forwarding (-A) to reach a private instance via a jump host.

Jan 2, 2025

SSH Agent Forwarding: Simple Steps (Case-first)

Case

You are at your laptop (home). A private EC2 instance sits in a VPC with no public IP. A jump host (bastion) does have a public IP. You need to SSH from your laptop → jump host → private instance without copying your private key to any server.

Quick goal

SSH from local to private instance in one command, using your local SSH agent for authentication.


Prerequisites

  1. An SSH key pair on your laptop (~/.ssh/id_ed25519 or similar).
  2. ssh-agent available (macOS/Linux) and ssh-add installed.
  3. Jump host reachable (public IP) and allowed in security groups.
  4. Private instance reachable from jump host (VPC routing/security groups).

Step-by-step (minimal)

  1. Start ssh-agent (if not already running):
# macOS / Linux (example)
eval "$(ssh-agent -s)"
  2. Add your private key to the agent:
ssh-add ~/.ssh/id_ed25519
# verify
ssh-add -l
  3. One-line connect (ProxyJump + agent forward):
ssh -i <pem.key> -A -J user@JUMP_PUBLIC_IP user@PRIVATE_IP
  • -J tells SSH to hop through the jump host: the session to the private instance is tunnelled through the jump host and authenticated end-to-end from your laptop, so the jump host never sees your private key.
  • -A forwards your local agent to the private instance so that commands run there (for example a further ssh or git hop) can authenticate with your key. The -J hop itself already authenticates against your local agent, so -A is only needed when you want onward access from the private instance; while you are connected, anyone with root on that instance can use the forwarded agent.
  4. Alternative: use an ssh config entry (recommended)
Host bastion
  HostName JUMP_PUBLIC_IP
  User ec2-user
  ForwardAgent yes

Host private-1
  HostName 10.0.2.15
  User ec2-user
  ProxyJump bastion
  ForwardAgent yes

Then simply:

ssh private-1
  5. If it fails, quick checks
  • ssh-add -l shows your key(s).
  • Ensure the jump host can reach the private IP (ping, or nc/telnet to port 22 from the jump host).
  • Check security groups and route tables.
  • Confirm ForwardAgent yes or -A was used.
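The quick checks above, scripted so that the first broken link in the chain is reported rather than just "connection failed". This is an added example, not part of the original notes; it assumes the Host aliases bastion and private-1 from the config entry above, and the probe deliberately sets ForwardAgent=no to show that the -J hop authenticates without exposing your agent to either host.

```shell
#!/usr/bin/env sh
# Troubleshooting helper for laptop -> bastion -> private-1 (added example).
# Assumes ~/.ssh/config defines the aliases "bastion" and "private-1".
set -u

# Count identities the local agent holds, given `ssh-add -l` output on stdin.
# "The agent has no identities." and agent-connection errors both count as 0.
count_agent_keys() {
  n=0
  while IFS= read -r line; do
    case "$line" in
      *"no identities"*) ;;                # empty agent
      *SHA256:*|*MD5:*) n=$((n + 1)) ;;    # one fingerprint line per loaded key
    esac
  done
  printf '%s\n' "$n"
}

# Non-interactive probe of one hop. BatchMode=yes fails fast instead of
# hanging on a password prompt; ConnectTimeout bounds each hop; ForwardAgent=no
# proves the hop authenticates end-to-end without forwarding the agent.
probe_hop() {
  target=$1
  jump=${2:-}
  if [ -n "$jump" ]; then
    ssh -o BatchMode=yes -o ConnectTimeout=5 -o ForwardAgent=no -J "$jump" "$target" true
  else
    ssh -o BatchMode=yes -o ConnectTimeout=5 -o ForwardAgent=no "$target" true
  fi
}

# Walk the chain in order: agent, then bastion, then private host via bastion.
# Exit code tells the caller which link failed (1 agent, 2 bastion, 3 private).
check_chain() {
  bastion=${1:-bastion}
  private=${2:-private-1}
  keys=$(ssh-add -l 2>&1 | count_agent_keys)
  if [ "$keys" -eq 0 ]; then
    echo "FAIL: agent holds no keys (run ssh-add)"; return 1
  fi
  echo "ok: agent holds $keys key(s)"
  probe_hop "$bastion" || { echo "FAIL: cannot reach $bastion directly"; return 2; }
  echo "ok: $bastion reachable"
  probe_hop "$private" "$bastion" \
    || { echo "FAIL: $bastion is up but $private is unreachable via it (security group, route table, port 22?)"; return 3; }
  echo "ok: $private reachable via $bastion"
}
```

Source the file and run `check_chain bastion private-1`; the exit code (1, 2 or 3) tells you which link to fix.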

Short security checklist

  • Only forward agent (-A) to trusted jump hosts.
  • Do not copy private keys to servers.
  • Use passphrases and/or short-lived certs when possible.
  • Limit jump host access (IP allowlist, MFA, logging).

If something goes wrong (quick fix)

Sometimes the SSH agent has stale or wrong keys loaded.

  1. Remove all keys from the agent:
ssh-add -D
  2. Add the correct key again:
ssh-add ~/.ssh/your-key.pem
  3. Retry the connection:
ssh -A -J user@JUMP_PUBLIC_IP user@PRIVATE_IP