Re: Agent Forwarding Question for the list

On Wed, Oct 04, 2006 at 06:18:02PM -0400, Jason Powers wrote:
I have looked through the archives and googled this pretty thoroughly,
I'm having a tough time finding someone else who has asked the same
question previously. There's a lot of information about openssh, but
surprisingly little detail about port forwarding.

Er, your e-mail doesn't appear to be about port forwarding at all...
It seems to be about connecting with ssh-agent. Presumably this was
just a think-o and you didn't really mean to ask about port

Now let's say that I have a linux desktop and two linux servers,
assuming I've configured things correctly, then from the desktop box I
should be able to:

Trouble is, "assuming I've configured things correctly" is rather a
big assumption. ;-)

me@desktop> ssh-add
(type pass for key)
me@desktop> ssh someuser@server1

now from that terminal
someuser@server1> ssh otheruser@server2

It asks me for a password when I try to jump to the second server. I can
put the password in and it works, but I think at this point it should be
forwarding the key.

By default (at least as shipped by some vendors), agent forwarding is
turned off. You need to explicitly enable it, either by modifying
/etc/ssh/ssh_config, ~/.ssh/config, or by specifying -A on the ssh
command line.

If you want to make this the default (not recommended), look in
one of the aforementioned config files for the following:

# Host *
# ForwardAgent no

Uncomment and change that to yes. But this is not recommended because
it means that ALL ssh agents will be forwarded to ALL servers to which
people are connecting to from that machine (where you made the config
change). This is generally a bad idea, because IIUC it means that an
unencrypted copy of your ssh keys will be available on machines
outside your organization's control. While the risk is probably low
if you only ever connect to "trusted" sites, in theory a malicious
site/admin could hack sshd to record such keys or otherwise snoop
them. This is why it's turned off by default.

Derek D. Martin
GPG Key ID: 0x81CFE75D

Attachment: pgpFCZQDsrIER.pgp
Description: PGP signature