On 23 September 2010 17:08, Nicolas Ferragu <nicolas.ferragu@xxxxxxxxxx> wrote: > Â ÂPutty conf : > Â Â Â connection type : raw > Â Â Â local proxy command : plink.exe -t %user@%proxyhost -agent "ssh > -p %port -l role %host"\n I assume "ssh -p %port -l role %host" here is a command executed on the bastion to connect to the target. Currently it does not work as the target asks for the key known only for the bastion. You mentioned that "ssh-agent running well with the target.". If that means that bastion has ssh-agent running with a key for the target then in the above command you just need to tell the ssh where to look for ssh agent socket. You can do that with env command that sets SSH_AUTH_SOCK like in: plink.exe -t %user@%proxyhost -agent "env SSH_AUTH_SOCK=<path-to-socket> ssh -p %port -l role %host" The default socket location is /tmp/ssh-XXXXXXXXXX/agent.<ppid>. For maximum convenience you may run the ssh-agent on bastion with -d option to specify the exact location of the socket like in: ssh-agent -b "$HOME/.ssh/agent-socket" and then set SSH_AUTH_SOCK in the above command to /home/user/.ssh/agent-socket On the other hand the setup like that implies that one can always connect to the target if he has the key to bastion. Moreover, anybody who can login to bastion under your user name can also recover the private key for the target via inspecting ssh-agent memory. So the setup above is less secure if you would simply have the key to the target on your local box properly password-protected and loaded into putty agent. Regards, Igor