Re: Agent Forwarding Question for the list

On Wed, Oct 04, 2006 at 06:18:02PM -0400, Jason Powers wrote:
I have looked through the archives and googled this pretty thoroughly,
I'm having a tough time finding someone else who has asked the same
question previously. There's a lot of information about openssh, but
surprisingly little detail about port forwarding.

Er, your e-mail doesn't appear to be about port forwarding at all...
It seems to be about connecting with ssh-agent. Presumably this was
just a think-o and you didn't really mean to ask about port
forwarding?

Now let's say that I have a linux desktop and two linux servers,
assuming I've configured things correctly, then from the desktop box I
should be able to:

Trouble is, "assuming I've configured things correctly" is rather a
big assumption. ;-)

me@desktop> ssh-add
(type pass for key)
me@desktop> ssh someuser@server1

now from that terminal
someuser@server1> ssh otheruser@server2

It asks me for a password when I try to jump to the second server. I can
put the password in and it works, but I think at this point it should be
forwarding the key.

By default (at least as shipped by some vendors), agent forwarding is
turned off. You need to explicitly enable it, either by modifying
/etc/ssh/ssh_config, ~/.ssh/config, or by specifying -A on the ssh
command line.

If you want to make this the default (not recommended), look in
one of the aforementioned config files for the following:

# Host *
# ForwardAgent no

Uncomment and change that to yes. But this is not recommended because
it means that ALL ssh agents will be forwarded to ALL servers to which
people are connecting to from that machine (where you made the config
change). This is generally a bad idea, because IIUC it means that an
unencrypted copy of your ssh keys will be available on machines
outside your organization's control. While the risk is probably low
if you only ever connect to "trusted" sites, in theory a malicious
site/admin could hack sshd to record such keys or otherwise snoop
them. This is why it's turned off by default.

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D

Attachment: pgpFCZQDsrIER.pgp
Description: PGP signature

Relevant Pages

  • Port Forwarding over Unreliable Connections
    ... I make extensive use of ssh port forwarding to access machines behind ... patiently wait a long time before finally snipping the connection. ...
    (comp.security.ssh)
  • Re: scp via a intermediate computer
    ... is, suppose my computer is C, I can ssh to B from C, but I can not ssh ... I'm wondering how to use port forwarding on B such that I can scp from ... Otherwise, I'll have to scp files from A to B and then B to C, ...
    (comp.security.ssh)
  • Re: Agent Forwarding Question for the list
    ... So much of the information I find is about Port Forwarding, which I know is not the same as Agent Forwarding, which is what I am asking about. ... ssh-agent is on the desktop, I put my key in with ssh-add, ssh someuser@server1 lets me in. ...
    (SSH)
  • Re: scp via a intermediate computer
    ... is, suppose my computer is C, I can ssh to B from C, but I can not ssh ... I'm wondering how to use port forwarding on B such that I can scp from ... Otherwise, I'll have to scp files from A to B and then B to C, ...
    (comp.security.ssh)
  • Re: Partial SNAFUs - X11Forwarding etc.
    ... to the base server machine via SSH, or it it also supposed to protect ... back "up the line" to the client machine? ... the ssh server host is compromised or otherwise untrustworthy, ... refrain from running the program via ssh X11 forwarding - there's no ...
    (comp.security.ssh)