Using SSH agent forwarding: ssh_config order

The guide to Using SSH agent forwarding currently states:

Your system must allow SSH agent forwarding

Sometimes, system configurations disallow SSH agent forwarding. You can check if a system configuration file is being used by entering the following command in the terminal:

    ssh -v
    # Connect to with verbose debug output
    OpenSSH_5.6p1, OpenSSL 0.9.8r 8 Feb 2011
    debug1: Reading configuration data /Users/you/.ssh/config
    debug1: Applying options for example.com
    debug1: Reading configuration data /etc/ssh_config
    debug1: Applying options for *
    exit
    # Returns to your local command prompt

In the example above, the file ~/.ssh/config is loaded first, then /etc/ssh_config is read. We can inspect that file to see if it’s overriding our options by running the following commands:

    cat /etc/ssh_config
    # Print out the /etc/ssh_config file
    Host *
      SendEnv LANG LC_*
      ForwardAgent no

In this example, our /etc/ssh_config file specifically says ForwardAgent no, which is a way to block agent forwarding. Deleting this line from the file should get agent forwarding working once more.

This advice is incomplete. As the documentation for ssh_config(5) shows,

For each parameter, the first obtained value will be used.

I think the way this guide currently reads makes it sound like /etc/ssh_config overrides earlier settings. Actually, the opposite is true. Although many other utilities allow the last config option to override the first, ssh_config does it the other way around. This is also why command-line flags (which almost always take precedence by convention) are actually loaded first in this case. As the guide itself points out in a warning, removing ForwardAgent no from the user’s default settings may not be secure.
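The first-obtained-value rule quoted above, as an added example that is not part of the original post or of the guide: a simplified Python resolver that reads sources in the order ssh does (command-line options, then ~/.ssh/config, then /etc/ssh_config). The function names and config texts are constructed for illustration, and the parser assumes plain `Host` blocks only (no `Match`, `Include`, `key=value` syntax or multi-valued keywords).

```python
import fnmatch

# Constructed sample configs mirroring the guide's example (not real files).
USER_CONFIG = "Host example.com\n    ForwardAgent yes\n"
SYSTEM_CONFIG = "Host *\n    SendEnv LANG LC_*\n    ForwardAgent no\n"

def host_matches(patterns, host):
    """A Host line matches if a positive pattern matches and no !negated one does."""
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(host, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in positive)

def parse(text):
    """Yield (host_patterns, keyword, value) for each option, in file order."""
    patterns = ["*"]  # options before the first Host line apply to all hosts
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or keyword without a value
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "host":
            patterns = value.split()
        else:
            yield patterns, keyword, value

def effective(host, sources):
    """Resolve options for host; sources are config texts in ssh's read order."""
    result = {}
    for text in sources:
        for patterns, keyword, value in parse(text):
            if host_matches(patterns, host):
                result.setdefault(keyword, value)  # first obtained value wins
    return result

if __name__ == "__main__":
    order = [USER_CONFIG, SYSTEM_CONFIG]
    # The user's explicit setting is read first, so /etc/ssh_config cannot override it.
    print("example.com:", effective("example.com", order)["forwardagent"])
    # Hosts without a user-level entry fall through to the system-wide default.
    print("other.test:", effective("other.test", order)["forwardagent"])
    # A command-line -o option is read before either file.
    print("with -o:", effective("example.com", ["ForwardAgent no"] + order)["forwardagent"])
```

On a real system, `ssh -G example.com` prints the options OpenSSH itself resolves for that host, which is the authoritative check.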

Hi @jesse-amano,

Thank you for being here; we appreciate you taking the time to report this. I’ve created an issue with our documentation team to investigate. Thanks again. Meanwhile, we’re looking forward to seeing you around!