mirror of
https://github.com/ovh/the-bastion.git
synced 2026-05-09 08:25:27 +02:00
[GH-ISSUE #252] Agent forwarding for egress connections #65
Originally created by @N-Mi on GitHub (Oct 12, 2021).
Original GitHub issue: https://github.com/ovh/the-bastion/issues/252
Hello,
I have customers for which I need to connect to their servers from TheBastion. I sent them the egress key, and they added it to their servers. So far, so good.
The problem is they also have an SSH bastion (not running TheBastion), and all connections must go through it, and they expect the authentication to be done using agent forwarding.
To summarize:
PC -> Our Bastion -> Customer Bastion -> Customer Server
The connection is OK to the customer's Bastion, but then trying to connect to a server fails because there is no ssh-agent running on our Bastion, so the key challenge can never be answered.
Enabling ForwardAgent and/or AllowAgentForwarding in the SSH configuration on our Bastion host is not useful, as it would be using the agent running on the PC, which knows only the ingress key, not the egress key.
Is there a way to do agent forwarding with TheBastion, or is it a feature request?
@speed47 commented on GitHub (Oct 15, 2021):
Hello,
This is not currently supported, but can be added, as ssh-agent supports starting a subprocess (which would be ttyrec then the ssh client to establish the egress connection in our case), and not only running as a user-wide daemon.
@bragonznx commented on GitHub (Oct 15, 2021):
@speed47 Do you want us to look after it with @madchrist? Or do you take care of this feature?
@speed47 commented on GitHub (Oct 15, 2021):
Hey @bragonznx, yes you can have a look into it if you have some available time!
The way I see it, this could be an option (in `--long-help`) that users could add when wanting to connect to a remote server where they know ssh-agent forwarding is required. In that case the `ttyrec` command would be prefixed with `ssh-agent -t 60` (or something like that), and the ssh command should include `-o AddKeysToAgent=yes` so that the egress key(s) is/are properly added to the parent agent. I think we may also want to have a global option in `bastion.conf` to allow or deny it by policy (said option would be unavailable if the policy is disabled, which could be the default).