Tsh ssh agent forwarding does not forward existing host identities

When using ssh agent forwarding via tsh (tsh ssh -A node), existing credentials in the local ssh agent do not seem to be forwarded to the node.

$ ssh-add -L
ssh-rsa-cert-v01@openssh.com [snip a] teleport:user
ssh-rsa [snip b] teleport:user
ssh-rsa [snip c] /home/user/.ssh/id_rsa

$ tsh ssh -A node ssh-add -L
ssh-rsa-cert-v01@openssh.com [snip a] teleport:user
ssh-rsa [snip b] teleport:user

$ tsh version
Teleport v4.2.2 git:v4.2.2-0-gb06a05d2 go1.13.2

$ tsh ssh node teleport version 
Teleport v4.2.2 git:v4.2.2-0-gb06a05d2 go1.13.2

Is this an expected behavior, or is there an issue with my configuration?

That is the expected behaviour. There is an issue tracking this here: https://github.com/gravitational/teleport/issues/1571

If this is a feature you’d like to see changed, please add a comment to the GitHub issue. Thanks!

Thanks for the response; I’ve added a comment to the GitHub issue.

For completeness, it seems like the current workaround would be to use ssh instead, like so:

ssh -A -J teleport-proxy:3023 -p 3022 node

Yes, that’s absolutely the recommended way to get around it for now.

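Added example, not part of the thread and not Teleport's own code: a shell check that compares the local `ssh-add -L` listing with the one seen through the forwarded agent and prints the identities that did not reach the node. The helper names (`missing_identities`, `check_forwarding`, `demo`) are hypothetical and the key blobs in the sample data are constructed placeholders.

```shell
#!/bin/sh
# Added example: find local agent identities that are not visible through the
# forwarded agent. Helper names and sample key blobs are constructed.

# $1 = file with local `ssh-add -L` output, $2 = file with the node's output.
# Keys are matched on "type blob"; the trailing comment is free text.
missing_identities() {
    awk '
        NF < 2 || $1 !~ /^(ssh-|ecdsa-|sk-)/ { next }  # e.g. "The agent has no identities."
        FILENAME == ARGV[1] { remote[$1 " " $2] = 1; next }
        !(($1 " " $2) in remote) { print }
    ' "$2" "$1"
}

# Live check using the commands from the thread; $1 = node name.
check_forwarding() {
    l=$(mktemp) && r=$(mktemp) || return 2
    ssh-add -L > "$l"
    tsh ssh -A "$1" ssh-add -L > "$r"
    missing_identities "$l" "$r"
    rm -f "$l" "$r"
}

sample_local() {
    cat <<'EOF'
ssh-rsa-cert-v01@openssh.com AAAA_CONSTRUCTED_A teleport:user
ssh-rsa AAAA_CONSTRUCTED_B teleport:user
ssh-rsa AAAA_CONSTRUCTED_C /home/user/.ssh/id_rsa
EOF
}

sample_remote() {
    cat <<'EOF'
ssh-rsa-cert-v01@openssh.com AAAA_CONSTRUCTED_A teleport:user
ssh-rsa AAAA_CONSTRUCTED_B teleport:user
EOF
}

demo() {
    l=$(mktemp) && r=$(mktemp) || return 2
    sample_local > "$l"; sample_remote > "$r"
    missing_identities "$l" "$r"
    rm -f "$l" "$r"
}

demo
```

Running `check_forwarding node` through both `tsh ssh -A` and the plain `ssh -A -J` workaround shows which path exposes which identities on the node.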