How can I find out whether an SSH connection has been established with or without agent forwarding?
I'm trying to do the following:
ssh-add -D (delete all stored keys) ssh --vvv something ssh-add (adding key) ssh --vvv something and compare output, but I can see only subtle differences.
When ssh agent forward is enabled on the client (ForwardAgent yes on ~/.ssh/config) and is also enabled on the remote server AllowAgentForwarding yes, when logging to the remote server the environment variable SSH_AUTH_SOCK should exist. Then if you log into another server (you public key must reside on this third server) you should not be prompted for any password.
To clarify:
home$ ssh-add Enter passphrase ... Identity added ... $ ssh hostA hostA$ env | grep SSH_AUTH_SOCK SSH_AUTH_SOCK=/tmp/... $ ssh hostB hostB$ 
ssh-add is what did the trick for me. I'd been working for months not knowing about that. Then I switched desktops from Unity to LXDE and agent key forwarding stopped working. ssh-add every time you open a new console window. So I added that command line to the end of ~/.bash_profile, and now the authentication agent forwarding works every time transparently! ssh-agent set up correctly. See mah.everybody.org/docs/ssh "${SSH_AUTH_SOCK}" is a socket, you can test it with if [[ ! -S "${SSH_AUTH_SOCK}" ]]; then echo "warn: no forward agent detected ('${SSH_AUTH_SOCK}' is not a socket)"; fi Checking environment for SSH_AUTH_SOCK is good for direct ssh connections.
If you use proxies (proxy_command) you might have a connction that looks like:
local -> hostA -> hostB -> hostC -> hostD
If agent forwarding is active on all those hosts, then SSH_AUTH_SOCK will be set and "contains" your ssh key from local on all hosts.
Now suppose agent forwarding is disabled on hostB but enabled on hostC. SSH_AUTH_SOCK will be set on hostD but it will actually be "empty". Of course the agent is forwarded but only from hostC to hostD. The chain is broken.
Now to check if actually the key is available on hostD you can simply call ssh-add. It will exit with code 1 in any case, but if the key is unavailable it will show this on stderr:
Could not open a connection to your authentication agent.
So you can check for the SSH_AUTH_SOCK plus make sure ssh_add has no output.
ssh-find-agentscript for finding and using existing ssh-agents, very handy! The repo has some examples in the README. You might be able to detect if ssh-agent is enabled like that, along with inspecting the SSH config files, rather than looking at the SSH output.