Using SCP with agent-forwarding

When the client uses SSH to access a target server via PSM and authenticates with public keys, the PSM Authentication Policy has Public key > Agent configured on the server side. If the client supports agent-forwarding, this works well. However, scp does not: it always adds the -a option to the command line to disable agent-forwarding. Explicitly allowing agent-forwarding with the -A or the -oForwardAgent yes command-line option, or writing ForwardAgent yes into the configuration, has no effect, because the implicit -a at the end of the command line takes precedence.

Solution 1 — Use a wrapper script

The scp application can be started with the -S option to use an external application to create the encrypted connection. On Linux and UNIX platforms, this external application can be, for example, the following Perl script, which removes the agent-disabling option from the command line that scp builds and starts ssh with agent-forwarding enabled.

#!/usr/bin/perl
# Drop the "-oForwardAgent no" (or "-oForwardAgent=no") argument scp appends, then exec ssh with forwarding enabled.
exec '/usr/bin/ssh', '-A', map { /^-oForwardAgent[ =]no$/ ? () : $_ } @ARGV;

If you want your clients to use this script transparently, you can create an alias for it with the following command:

alias scp='scp -S <path-to-the-script-on-the-client>'
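An added example, not part of the original page and not a replacement for the Perl script above: the same wrapper written in POSIX sh, which also copes with the argument being spelled "-oForwardAgent no" (the form openssh-5.6p1 appends, as the patch in Solution 3 shows) or "-a", and exposes the filtering as a function that can be checked without contacting any host. The script name scp-ssh-wrapper and the path /usr/bin/ssh are assumptions.

```shell
#!/bin/sh
# scp-ssh-wrapper (assumed name): hand it to scp with "scp -S /path/to/scp-ssh-wrapper".
# scp builds an ssh command line that switches agent-forwarding off; depending on the
# OpenSSH version the argument is spelled "-a", "-oForwardAgent=no" or, as the
# openssh-5.6p1 source on this page shows, "-oForwardAgent no" (one argument containing
# a space). All three are dropped and ssh is started with -A so the agent reaches PSM.

SSH=/usr/bin/ssh   # assumed location of the ssh client

# True (exit 0) when $1 is one of the arguments scp appends to disable agent-forwarding.
is_agent_off_arg() {
    case "$1" in
        -a|"-oForwardAgent no"|-oForwardAgent=no) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the argument list with the agent-disabling arguments removed, one per line,
# so the filtering can be checked without running ssh.
filter_scp_args() {
    for arg in "$@"; do
        is_agent_off_arg "$arg" || printf '%s\n' "$arg"
    done
}

# Rebuild "$@" without the offending arguments (rotating through the positional
# parameters keeps arguments that contain spaces intact), then replace this
# process with ssh -A.
run_ssh_with_agent() {
    n=$#
    while [ "$n" -gt 0 ]; do
        arg=$1
        shift
        n=$((n - 1))
        is_agent_off_arg "$arg" || set -- "$@" "$arg"
    done
    exec "$SSH" -A "$@"
}

# scp always passes at least the target host, so an empty argument list means the
# file was sourced or run by hand; only exec ssh when there is something to run.
if [ "$#" -gt 0 ]; then
    run_ssh_with_agent "$@"
fi
```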

Solution 2 — Use ssh master-channels

This solution relies on sending scp through an SSH master-control channel. In this case, scp does not need agent-forwarding, because it was already performed when the ControlMaster connection was set up. The advantage of this solution is that the scp connection is set up quickly: no authentication is needed, since the connection is already open. The disadvantage is that a ControlMaster connection must first be opened to the target host, using the following command:

ssh -M -S /tmp/<address-of-the-target-server> <address-of-the-target-server>

When starting scp, reference the control path created with the previous command:

scp -oControlPath=/tmp/<address-of-the-target-server> [[user@]host1:]file1 ... [[user@]host2:]file2

Solution 3 — Patch the scp source

You can simply patch the scp source to overcome the problem, but then you need to recompile and re-install scp on every platform you use in your environment. The following is a sample patch for openssh-5.6p1:

--- scp-org.c    2010-07-02 05:37:33.000000000 +0200
+++ scp-new.c    2010-09-08 17:56:33.000000000 +0200
@@ -339,7 +339,6 @@
     args.list = NULL;
     addargs(&args, "%s", ssh_program);
     addargs(&args, "-x");
-    addargs(&args, "-oForwardAgent no");
     addargs(&args, "-oPermitLocalCommand no");
     addargs(&args, "-oClearAllForwardings yes");
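Review bot: the hunk header @@ -339,7 +339,6 @@ announces 7 old and 6 new lines, but only 6 and 5 are shown (three leading context lines, the removed addargs(&args, "-oForwardAgent no"), two trailing context lines), so a trailing context line has been lost and patch will reject the hunk until the counts are corrected or the missing line restored. Separately, deleting the line unconditionally means scp now forwards the agent for every transfer whenever the user's ssh_config or an explicit -A asks for it; making the addargs call conditional on an explicit request would keep the default closed and open forwarding only where it is wanted.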

Solution 4 — Use fixed or mapped keys on the server side

This is not agent-forwarding anymore, but scp can still use keys. Instead of passing the user keys through to the target server, PSM can authenticate on the server using a fixed key, or a separate key for every user. Setting the server-side keys on PSM (or fetching them from LDAP) has the following advantages:

  • The user cannot bypass PSM and directly connect to the target server

  • Key-handling in the server environment becomes much simpler, because you do not have to import the user-keys to every host (if this is done locally, without a central identity management system)

For details on configuring server-side keys on PSM, see Section 11.3.3, Relayed authentication methods.

Solution 5 — WinSCP and agent-forwarding

WinSCP is a common tool for Windows to transfer files using SFTP/SCP. To use agent-forwarding in WinSCP, enable it in the SSH > Authentication options and load your keys.