Re: Agent Forwarding Question for the list



Hi Jason,

I'm no expert, but my first guess at this is you need to start the
ssh-add agent on server1 as well.

What I saw below was you SSH into Server1, then try from server1 to ssh
into server2.

You started the ssh-add agent on desktop; server1 is not going to read the
agent on desktop through an ssh. You opened a completely new shell on a
remote machine that isn't linked back to any apps on the current machine.

You should be able to ssh from desktop to both server1 and server2, but
not from server1 to server2 without starting the agent on server1.

There is also a way to make ssh-add global. I believe that normally
ssh-add only lasts for the current session; as soon as you log out the add
agent stops. It's something to do with editing your $HOME/.bash_profile or
$HOME/.bashrc for BASH, for example. I'll google a bit and give a for-sure
answer if someone else hasn't done so by then.

If I'm wrong I'm sure someone will correct me.

Hope it helps;
Layne Fink

--


On Wed, October 4, 2006 18:18, Jason Powers wrote:
I have looked through the archives and googled this pretty thoroughly,
I'm having a tough time finding someone else who has asked the same
question previously. There's a lot of information about openssh, but
surprisingly little detail about port forwarding. Either it works for
everyone all the time, or my configuration is a little bit particular
compared to others.

We would like to change from ssh2 to openssh for all of our linux
servers. I am testing new equipment with Fedora Core 5 with openssh
configured out of the box. I have no need to forward X11 windows, I just
want to be able to jump from machine to machine with a terminal, ssh and
scp, and use different accounts without having to type a password. A lot
of our production process revolves around this, so it pretty much has to
work for me to convert us.

I made users and keys with openssh instead of using the old ones, put
them in the accounts I wanted to jump to on multiple servers. I set the
perms on the authorized_keys files to 600. I set the ssh_config file in
/etc/ to say ForwardAgent yes.

Now let's say that I have a linux desktop and two linux servers,
assuming I've configured things correctly, then from the desktop box I
should be able to:

me@desktop> ssh-add
(type pass for key)
me@desktop> ssh someuser@server1

now from that terminal
someuser@server1> ssh otheruser@server2

It asks me for a password when I try to jump to the second server. I can
put the password in and it works, but I think at this point it should be
forwarding the key.

I have tail -f running on the secure log on each machine in question so
I can see if there's anything happening.

It does not enter into the log on the target machine that I am
attempting to open a connection while it waits for a password, so I was
thinking that pam may be intercepting the request and demanding one.

Has anyone known pam to do such a thing?
Am I seeing a common non-error?
Is this a situation where ssh-agent on the servers may be interfering
with the one from the desktop?
Do I have to turn on X11forwarding to get agent forwarding on these
servers, which don't even have x installed?
Does this have something to do with xauth on the servers, or is that
only for x11 forwarding?

Thanks

Jason Powers
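
A diagnostic for the second hop described in the thread, as an added example that is not part of either message: run in the session on the intermediate host (server1), it reports whether an agent is visible there and what the effective ForwardAgent setting is. The function names and the `--check` flag are assumptions of this example; the exit codes are those documented in ssh-add(1), and the config check assumes an OpenSSH client that supports `ssh -G`.

```shell
#!/bin/sh
# Added example, not from the thread. Run on the intermediate host
# (server1 in the thread) inside the session opened from the desktop.

# classify_agent SOCK RC
#   SOCK: value of SSH_AUTH_SOCK in that session
#   RC:   exit status of `ssh-add -l` (0 = keys listed, 1 = agent has
#         no identities, 2 = cannot contact an agent)
classify_agent() {
    sock=$1
    rc=$2
    if [ -z "$sock" ]; then
        # Empty value: no agent socket was set up for this session.
        echo "not-forwarded"
        return 0
    fi
    case "$rc" in
        0) echo "ok" ;;                  # keys are usable for the next hop
        1) echo "agent-empty" ;;         # agent reachable, no keys loaded
        2) echo "socket-unreachable" ;;  # stale or inaccessible socket
        *) echo "unknown" ;;             # e.g. ssh-add not installed
    esac
}

# forward_agent_setting: reads `ssh -G <host>` output on stdin and prints
# the effective ForwardAgent value, so a per-user or per-host override of
# the system-wide file is visible. Prints "unset" if the key is absent.
forward_agent_setting() {
    awk 'tolower($1) == "forwardagent" { v = tolower($2) }
         END { print (v == "" ? "unset" : v) }'
}

# check_hop: live check in the current session.
check_hop() {
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    classify_agent "${SSH_AUTH_SOCK:-}" "$rc"
}

if [ "${1:-}" = "--check" ]; then
    check_hop
fi
```

On the desktop, `ssh -G server1 | forward_agent_setting` shows the value the client will actually use for that host.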



