Agent Forwarding Question for the list
- From: Jason Powers <jpowers@xxxxxxxxxxxxxx>
- Date: Wed, 04 Oct 2006 18:18:02 -0400
I have looked through the archives and googled this pretty thoroughly, and I'm having a tough time finding someone else who has asked the same question previously. There's a lot of information about openssh, but surprisingly little detail about port forwarding. Either it works for everyone all the time, or my configuration is a little bit particular compared to others.
We would like to change from ssh2 to openssh for all of our linux servers. I am testing new equipment with Fedora Core 5 with openssh configured out of the box. I have no need to forward X11 windows, I just want to be able to jump from machine to machine with a terminal, ssh and scp, and use different accounts without having to type a password. A lot of our production process revolves around this, so it pretty much has to work for me to convert us.
I made users and keys with openssh instead of using the old ones, and put them in the accounts I wanted to jump to on multiple servers. I set the perms on the authorized_keys files to 600. I set the ssh_config file in /etc/ to say ForwardAgent yes.
Now let's say that I have a linux desktop and two linux servers. Assuming I've configured things correctly, from the desktop box I should be able to:
me@desktop> ssh-add
(type pass for key)
me@desktop> ssh someuser@server1
now from that terminal
someuser@server1> ssh otheruser@server2
It asks me for a password when I try to jump to the second server. I can put the password in and it works, but I think at this point it should be forwarding the key.
I have tail -f running on the secure log on each machine in question so I can see if there's anything happening.
It does not enter into the log on the target machine that I am attempting to open a connection while it waits for a password, so I was thinking that PAM may be intercepting the request and demanding one.
Has anyone known PAM to do such a thing?
Am I seeing a common non-error?
Is this a situation where ssh-agent on the servers may be interfering with the one from the desktop?
Do I have to turn on X11forwarding to get agent forwarding on these servers, which don't even have x installed?
Does this have something to do with xauth on the servers, or is that only for x11 forwarding?
Thanks
Jason Powers
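
An added troubleshooting example, not part of the original post: a shell function to run on the first hop (`server1` in the session above) that reports whether the login session has an agent socket and whether an agent answers on it. The function name and the state labels are made up for this example; the `ssh-add -l` exit codes are the ones documented in its man page.

```shell
# Added example: classify the agent state seen from the intermediate host.
# Run on server1 after the first hop, before trying "ssh otheruser@server2".
agent_forward_state() {
    # sshd exports SSH_AUTH_SOCK into the session when the client asked for
    # agent forwarding and the server granted it. A locally started ssh-agent
    # sets the same variable, so a value here is necessary, not sufficient.
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo "no-socket-var"      # nothing was forwarded into this session
        return 0
    fi
    if [ ! -e "$SSH_AUTH_SOCK" ]; then
        echo "socket-missing"     # variable is stale, path no longer exists
        return 0
    fi
    if [ ! -S "$SSH_AUTH_SOCK" ]; then
        echo "not-a-socket"       # path exists but is not a Unix socket
        return 0
    fi
    if ! command -v ssh-add >/dev/null 2>&1; then
        echo "ssh-add-not-found"
        return 0
    fi
    # ssh-add -l: 0 = identities listed, 1 = agent reachable but empty,
    # 2 = the agent could not be contacted.
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case "$rc" in
        0) echo "agent-has-keys" ;;
        1) echo "agent-empty" ;;
        2) echo "agent-unreachable" ;;
        *) echo "unknown" ;;
    esac
    return 0
}
```

Source the file on `server1` and call `agent_forward_state`; only `agent-has-keys` means the second hop has a key to offer.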