When connecting to a remote server via SSH it is often convenient to use SSH agent forwarding so that you don't need a separate keypair on that server for connecting to further servers.
This is enabled by adding the

```
ForwardAgent yes
```

option to any of your Host entries in ~/.ssh/config (or alternatively with the -A option on the command line). Don't set this option in a wildcard Host * section, since any user on the remote server who can bypass file permissions (root, for instance) can then also use the keys loaded in your SSH agent. So only use this with hosts you trust.
Unfortunately, this doesn't work as-is with GNU screen. On every new SSH connection, agent forwarding is set up via a socket whose path is given in the SSH_AUTH_SOCK environment variable (usually somewhere in /tmp), so the socket location is different on each connection. However, a typical screen session outlives several SSH connections, and the shells inside it won't know where to find the current socket, because their environments are never updated.
A simple fix is to symlink to the current socket from a fixed location on each new connection and have SSH look for the socket in that fixed location (specified by the SSH_AUTH_SOCK environment variable). We'll use ~/.ssh/ssh_auth_sock for the symlink location.
To have SSH within a screen session use the symlink, add the following line to ~/.screenrc:

```
setenv SSH_AUTH_SOCK $HOME/.ssh/ssh_auth_sock
```
To update the symlink we'll use the ~/.ssh/rc file, which sshd runs on each connection. Something like the following script will do:

```sh
# Relink the fixed path to this connection's forwarded-agent socket.
if test -n "$SSH_AUTH_SOCK"; then
    ln -sf "$SSH_AUTH_SOCK" ~/.ssh/ssh_auth_sock
fi
```
Unfortunately, this will break X11 forwarding: sshd normally runs xauth on each connection to install the forwarded X11 cookie, but skips that step when a ~/.ssh/rc file exists. We can fix this by running xauth ourselves from ~/.ssh/rc, as suggested in the sshd(8) manual page.
This is our complete ~/.ssh/rc file:

```sh
#!/bin/sh
# sshd runs this file with /bin/sh regardless of the shebang, so keep it POSIX.

# Fix SSH auth socket location so agent forwarding works with screen.
if test -n "$SSH_AUTH_SOCK"; then
    ln -sf "$SSH_AUTH_SOCK" ~/.ssh/ssh_auth_sock
fi

# Taken from the sshd(8) manpage: sshd skips its own xauth call when this
# file exists, so install the forwarded X11 cookie here. sshd passes the
# protocol name and cookie on standard input.
if read proto cookie && [ -n "$DISPLAY" ]; then
    if [ "$(echo "$DISPLAY" | cut -c1-10)" = 'localhost:' ]; then
        # X11UseLocalhost=yes
        echo add "unix:$(echo "$DISPLAY" | cut -c11-)" "$proto" "$cookie"
    else
        # X11UseLocalhost=no
        echo add "$DISPLAY" "$proto" "$cookie"
    fi | xauth -q -
fi
```
Credits go to this blog post: Managing SSH Sockets in GNU Screen
@filviu @cinderblock - I'm having the same issue from time to time (connection A open, then connection B opened and closed again, which breaks the updated symlink for connection A), and mostly solved this by calling a cleanup script from ~/.bash_logout (i.e. when a login shell exits). That cleanup script checks if the shared symlink currently points to the own SSH_AUTH_SOCK (only if that env var doesn't itself already contain a symlink though), since then it is about to become unavailable on logout. And if so, it checks if there is another agent socket available to change the shared symlink back to. Covers pretty much all cases for me now.
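As an added example (not the gist's own code and not the commenter's script), here are the two halves of the approach described above, the per-connection relink done from ~/.ssh/rc and the logout-time cleanup the comment describes, written as shell functions that can be exercised outside sshd. The function names and the AUTH_SOCK_LINK and AGENT_SOCK_GLOB variables are assumptions; the glob assumes the usual /tmp/ssh-*/agent.* layout sshd uses for forwarded-agent sockets. The relink refuses anything that is not a socket and refuses to point the fixed path at itself (screen shells export the link as their SSH_AUTH_SOCK, so a naive relink from such a shell would create a loop). sshd runs ~/.ssh/rc with /bin/sh, and only when PermitUserRC is enabled (its default), so everything stays POSIX.

```shell
#!/bin/sh
# Added example: fixed-path agent-socket symlink maintenance for screen.
# AUTH_SOCK_LINK and AGENT_SOCK_GLOB are assumed names; override them to test.
AUTH_SOCK_LINK="${AUTH_SOCK_LINK:-$HOME/.ssh/ssh_auth_sock}"
AGENT_SOCK_GLOB="${AGENT_SOCK_GLOB:-/tmp/ssh-*/agent.*}"

# True when $1 is a live forwarded-agent socket. sshd removes the socket when
# the connection closes, so "is still a unix socket" is the liveness test.
is_agent_sock() { [ -S "$1" ]; }

# Called from ~/.ssh/rc as: update_auth_sock_link "$SSH_AUTH_SOCK"
# Points the fixed link at this connection's socket. Returns 1 (and leaves the
# link alone) when the argument is empty, is the link itself, or is not a socket.
update_auth_sock_link() {
    sock="$1"
    [ -n "$sock" ] || return 1
    [ "$sock" != "$AUTH_SOCK_LINK" ] || return 1
    is_agent_sock "$sock" || return 1
    # -n: replace the link itself rather than creating inside a linked directory
    ln -sfn "$sock" "$AUTH_SOCK_LINK"
}

# Called from ~/.bash_logout as: cleanup_auth_sock_link "$SSH_AUTH_SOCK"
# If the link points at this session's socket (about to disappear), retarget it
# to another live socket, or remove it when none is left. A screen window's
# shell passes the link path itself, which never equals the link's target, so
# such shells never touch the link.
cleanup_auth_sock_link() {
    sock="$1"
    [ -L "$AUTH_SOCK_LINK" ] || return 0
    [ "$(readlink "$AUTH_SOCK_LINK")" = "$sock" ] || return 0
    for other in $AGENT_SOCK_GLOB; do
        [ "$other" != "$sock" ] && is_agent_sock "$other" || continue
        ln -sfn "$other" "$AUTH_SOCK_LINK"
        return 0
    done
    rm -f "$AUTH_SOCK_LINK"
}
```

Source this file from ~/.ssh/rc and ~/.bash_logout and call the matching function with "$SSH_AUTH_SOCK"; the xauth part of the rc file stays as shown above. Because the link lives inside ~/.ssh (mode 700) and the sockets themselves sit in per-connection directories that are only accessible to you, the symlink grants no access that the forwarded agent did not already grant.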