ssh-agent is a background process that holds your decrypted private keys in memory so you don't have to type the passphrase every time you SSH somewhere. Private SSH keys should be encrypted on disk with a passphrase. Without an agent, every ssh, git pull, scp etc. would prompt you to type that passphrase to decrypt the key.
How it works:
With agent forwarding (ssh -A bastion, or ForwardAgent yes in config), SSH forwards $SSH_AUTH_SOCK from your laptop into the bastion shell. When you then run ssh internal-server from the bastion.
SSH keeys come in pairs:
Public key should be copied to servers into ~/.ssh/authorized_keys (it let's the server authenticate the user).
During the client authentication, the client will use its private key, and it will be verified by the public key stored in ~/.ssh/authorized_keys.
Private key is password protected when encrypted. A passphrase is only used to unlock the private key locally and is not transmitted in any form to the remote host.
This will generate private/public keys in the default directory:
$ ssh-keygen -b 4096 # default size is 2048
Files are here:
clienthost:~ user$ ls -l .ssh/ | grep id -rw------- 1 user user 1831 Aug 10 20:50 id_rsa -rw-r--r-- 1 user user 407 Aug 10 20:50 id_rsa.pub
After public key is copied to remote serve:
$ chmod 700 .ssh/ $ chmod 600 ~/.ssh/authorized_keys # paste your public key into this file
There is also a simpler way to copy a public key:
$ ssh-copy-id pi@192.168.2.73
/etc/ssh/sshd_config:
PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys
$ ssh-agent $ ssh-add