As a developer, reaching private EC2 instances in a locked-down VPC usually means going through a bastion host (or jump box) first. To do that without copying your private key onto a host that is reachable from the internet, SSH agent forwarding is the usual approach.
However, many developers on macOS hit a frustrating roadblock: they run ssh -A -i key.pem user@bastion, log in fine, and are then still refused when they try to connect onward to their private backend servers.
This guide explains exactly why that happens and walks through the steps to configure SSH agent forwarding on a Mac so multi-hop connections work every time.
The Hidden Trap: Why ssh -A -i key.pem Fails
It is a common misconception that passing the identity flag (-i) alongside the agent forwarding flag (-A) tells ssh to forward that specific key. The two flags are independent.
Here is what actually happens behind the scenes:
- The -i flag tells your local ssh client to use that specific .pem file to authenticate to the bastion host only. The key is read from disk for that one connection and is never loaded into the agent.
- The -A flag forwards your local SSH agent, exactly as it is, to the bastion. It forwards whatever identities the agent currently holds, which may be none.
On macOS an agent is normally already running (launchd starts one and sets SSH_AUTH_SOCK in your Terminal session), but until you explicitly add the .pem key with ssh-add it holds no identities. When you hop from the bastion to the private instance, the ssh client on the bastion asks the forwarded agent for a key, finds none, and the private instance rejects the login with Permission denied (publickey).
Step-by-Step: How to Setup SSH Agent Forwarding on macOS
To fix this, you must load your private key into your Mac's local agent before establishing the SSH connection. Follow these steps.
Step 1: Set Secure Key Permissions
Before adding your key to any agent, make sure it is readable only by you. OpenSSH refuses to use a private key that other users can read: ssh prints "WARNING: UNPROTECTED PRIVATE KEY FILE!" and ignores the key, and ssh-add rejects it the same way. Run this command in your local Terminal:
chmod 400 /path/to/your-key.pem
Step 2: Start Your Local SSH Agent
First check whether an agent is already running for your session. On macOS it usually is, because launchd starts one and exports its socket path:
echo $SSH_AUTH_SOCK
If that prints a path (typically under /private/tmp/com.apple.launchd.*), skip to Step 3. Only if it is empty should you start an agent for the current shell:
eval "$(ssh-agent -s)"
When a new agent starts you will see output like:
Agent pid 35801
Note that this starts a second, separate agent for that one Terminal window. Keys added to it are not visible in other windows, which is a common reason a connection works in one tab and fails in another.
Step 3: Add Your Private Key to the macOS Agent
Now add your private key to the running agent. If the key is protected by a passphrase, the macOS-specific flag stores that passphrase in the Keychain so you are not prompted for it again. (Keys downloaded from the EC2 console as .pem files have no passphrase, so for them the flag changes nothing, but it is harmless.)
For macOS Monterey (12), Ventura, Sonoma and newer:
ssh-add --apple-use-keychain /path/to/your-key.pem
(Note: on macOS versions before Monterey, use the -K flag instead: ssh-add -K /path/to/your-key.pem.)
The agent starts empty again after a reboot. To have keys reloaded automatically, either run ssh-add --apple-load-keychain once per session, or put UseKeychain yes and AddKeysToAgent yes in ~/.ssh/config so ssh adds a key to the agent the first time it uses it.
Before connecting, confirm the key is actually loaded:
ssh-add -l
It should list the fingerprint of your key. If it says "The agent has no identities.", the key was added to a different agent than the one your current shell is using (see Step 2).
Step 4: Connect to Your Bastion Host
Because your key is now loaded into your active local agent, you no longer need the -i flag. Initiate the connection with the forwarding flag (or set ForwardAgent yes for that Host entry in ~/.ssh/config; keep it scoped to the bastion rather than setting it for every host):
ssh -A ubuntu@your-bastion-public-ip
Step 5: Hop Safely to Your Private Instance
Once you are logged into your bastion host, you can SSH straight into your backend private instance using its internal IP address. The ssh client on the bastion offers every key in the forwarded agent, so if the private instance was launched with a different key pair, add that key to your local agent in Step 3 as well:
ssh ubuntu@your-private-instance-ip
How to Verify Your SSH Agent Forwarding is Active
If you are still experiencing connectivity issues, you can trace where the chain is breaking. First run ssh-add -l locally to rule out an empty local agent, then log into your bastion host and run the same command there:
ssh-add -l
- What success looks like: the terminal prints a line per key, each with the fingerprint of your .pem key (for example "2048 SHA256:... your-key.pem (RSA)"). This means your Mac successfully forwarded the agent to the bastion.
- What failure looks like: "The agent has no identities." means forwarding worked but your local agent was empty when you connected. "Could not open a connection to your authentication agent." means no socket was forwarded at all: either you connected without -A (or without ForwardAgent yes), or the bastion's sshd has AllowAgentForwarding no. On the bastion, echo $SSH_AUTH_SOCK should print a path such as /tmp/ssh-XXXXXXXX/agent.NNNN; if it is empty, forwarding was not set up.
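The steps above and the verification checks can be folded into one wrapper. The script below is an added example, not part of the original article: it checks the key's file mode, makes sure the key is loaded into the agent your current shell is using, and only then connects to the bastion, where it runs ssh-add -l over the forwarded socket before hopping to the private instance. It assumes OpenSSH's ssh, ssh-add and ssh-keygen are on PATH; the key path and host names passed to ssh_via_bastion are placeholders you supply.

```shell
#!/bin/sh
# Added example: preflight wrapper for SSH agent forwarding through a bastion.
# Not from the original article. Assumes OpenSSH tools on PATH; hosts and
# key paths are arguments supplied by the caller.

# Print the octal permission bits of a file. BSD stat (macOS) and GNU stat
# (Linux) take different format flags, so pick by OS.
key_mode() {
    case "$(uname -s)" in
        Darwin) stat -f '%Lp' "$1" ;;
        *)      stat -c '%a' "$1" ;;
    esac
}

# Succeed only when the key is readable by its owner alone (mode 400 or 600),
# which is what ssh and ssh-add insist on before they will use the key.
key_perms_ok() {
    case "$(key_mode "$1")" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Succeed when the key's fingerprint is among the identities of the agent
# this shell points at. No SSH_AUTH_SOCK, or an empty agent, both count as
# "not loaded": that is exactly the state that produces the forwarding failure.
agent_has_key() {
    [ -n "${SSH_AUTH_SOCK:-}" ] || return 1
    fp=$(ssh-keygen -lf "$1" | awk '{print $2}') || return 1
    ssh-add -l 2>/dev/null | grep -Fq "$fp"
}

# Load the key into the agent unless it is already there. The Keychain flag
# only exists on macOS 12+, so fall back to a plain ssh-add elsewhere.
ensure_key_loaded() {
    key=$1
    if ! key_perms_ok "$key"; then
        echo "refusing: $key has mode $(key_mode "$key"); run chmod 400 $key" >&2
        return 1
    fi
    agent_has_key "$key" && return 0
    ssh-add --apple-use-keychain "$key" 2>/dev/null || ssh-add "$key"
}

# Connect with forwarding, verify on the bastion that the forwarded agent
# actually holds identities, then replace the bastion shell with the hop.
# -t keeps a tty so the final session on the private instance is interactive.
ssh_via_bastion() {
    key=$1 bastion=$2 target=$3
    ensure_key_loaded "$key" || return 1
    ssh -A -t "$bastion" \
        "ssh-add -l || { echo 'forwarded agent is empty or blocked' >&2; exit 1; }; exec ssh $target"
}

# Run only when invoked explicitly, so the file can also be sourced for its functions.
if [ "${SSH_PREFLIGHT_RUN:-0}" = 1 ]; then
    ssh_via_bastion "$1" "$2" "$3"
fi
```

Usage: source the file and call ssh_via_bastion /path/to/your-key.pem ubuntu@your-bastion-public-ip ubuntu@your-private-instance-ip, or run it with SSH_PREFLIGHT_RUN=1 and those three arguments. The permission check happens before ssh-add is ever called, and the fingerprint comparison means the key is added once per agent rather than on every connection.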
Conclusion
SSH agent forwarding lets you traverse layered cloud environments without leaving private keys on exposed public jump boxes. It is not free of risk, though: while you are connected, anyone with root on the bastion can use your forwarded socket to authenticate as you, so only forward to hosts you trust, and consider ssh -J (ProxyJump), which reaches the private instance through the bastion without exposing the agent at all. Whichever you use, registering your keys with the macOS agent before you connect, and checking ssh-add -l locally first, removes the authentication friction described above.