Supporting Agent Forwarding

Lee Painter

As part of our Maverick Key Agent implementation, we have added support to the Maverick Legacy Server to authenticate outgoing SSH connections using the agent forwarding feature. This allows the server to open a channel to a client and use the identities on the client to authenticate the outgoing SSH connection. This article deals with setting up the forwarding implementation but does not touch on authenticating clients as this is dealt with in the following articles.

Authenticating with ssh-agent
Authenticating with the Maverick Key Agent
Authenticating remote clients through Agent Forwarding

In order to support agent forwarding, the client must first request this. This lets you know that a remote agent is running and available for authentication requests. To support this you need to modify your SessionChannel implementation and override the requestAgentForwarding method.

You should not need to modify the following example if you download our AgentForwardingChannel implementation which is attached to this article.

import java.io.IOException;

@Override
protected boolean requestAgentForwarding(String requestType) {
    try {
        // Open the agent channel back to the client; requestType names the channel type
        getConnection().openChannel(new AgentForwardingChannel(requestType));
        return true;
    } catch (IOException e) {
        // Returning false reports the forwarding request as failed to the client
        return false;
    }
}

As you can see, this simply opens a new channel on the SSH connection. The requestType parameter is the name of the channel being requested: either "auth-agent" for an RFC agent or "auth-agent@openssh.com" for the OpenSSH variant.

The new AgentForwardingChannel implementation creates an SshAgentClient over the channel, so once you have this it can be used from your server to authenticate against other servers as described in the articles listed above. You should be able to perform any operation the agent supports.

In the AgentForwardingChannel implementation, we create the SshAgentClient and place it in a property called "ssh-agent" on the Connection instance. This makes it available to the rest of the connection; as per the specification, the agent is tied to the connection and not to the channel over which it was requested.
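The following Python is an added model of the flow described above; it is not the attached AgentForwardingChannel or any Maverick code. It shows the server accepting only the two channel names, binding a single agent client to the connection under the "ssh-agent" key rather than to the session that requested it, and that client talking to the agent over the channel. The channel and identity list are constructed, and the message numbers 11 and 12 are those of the OpenSSH agent protocol, used here for both channel names as a simplification.

```python
import struct

# Channel names from the article; message numbers are the OpenSSH agent protocol's
AGENT_CHANNEL_TYPES = ("auth-agent", "auth-agent@openssh.com")
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12

def frame(payload: bytes) -> bytes:
    return struct.pack(">I", len(payload)) + payload  # uint32 length prefix, then body

def read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)  # SSH "string": uint32 length + bytes
    return buf[off + 4:off + 4 + n], off + 4 + n

class FakeAgentChannel:
    # Constructed stand-in for the forwarded channel: replies to one
    # REQUEST_IDENTITIES with a made-up identity list
    def __init__(self, identities):
        self.sent = b""
        body = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(identities))
        for blob, comment in identities:
            body += struct.pack(">I", len(blob)) + blob + struct.pack(">I", len(comment)) + comment
        self._answer = frame(body)
    def write(self, data): self.sent += data
    def read(self): return self._answer

class SshAgentClient:
    def __init__(self, channel): self.channel = channel
    def request_identities(self):
        self.channel.write(frame(bytes([SSH_AGENTC_REQUEST_IDENTITIES])))
        reply = self.channel.read()
        (length,) = struct.unpack_from(">I", reply, 0)
        body = reply[4:4 + length]
        if not body or body[0] != SSH_AGENT_IDENTITIES_ANSWER:
            raise ValueError("unexpected agent reply")
        (count,) = struct.unpack_from(">I", body, 1)
        off, keys = 5, []
        for _ in range(count):
            blob, off = read_string(body, off)
            comment, off = read_string(body, off)
            keys.append((blob, comment.decode()))
        return keys

def request_agent_forwarding(connection: dict, request_type: str, open_channel) -> bool:
    # Mirrors requestAgentForwarding: accept only known channel names, bind one agent per connection
    if request_type not in AGENT_CHANNEL_TYPES:
        return False
    if "ssh-agent" not in connection:
        connection["ssh-agent"] = SshAgentClient(open_channel(request_type))
    return True
```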