Re: Agent Forwarding Question for the list



I made it the default setting by altering /etc/ssh-config because all of my servers and users are configured for this method of authentication (I will eventually shut passwords off on many of the servers.)

The behavior remains the same whether I use -A at any or all points in the process or not.

Thanks for your help

Jason Powers

Francois.Bolduc@xxxxxxxxxxxxxx wrote:
You need to specify the -A switch in your ssh calls to forward the agent through unless you alias the ssh command or set it as a default ssh client setting.

François Bolduc
Fujitsu Consulting - Ottawa
613-694-2649



-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx@DMR-CANADA on behalf of Jason Powers <jpowers@xxxxxxxxxxxxxx>
Sent: Wed 10/4/2006 6:18 PM
To: secureshell@xxxxxxxxxxxxxxxxx
Subject: Agent Forwarding Question for the list

I have looked through the archives and googled this pretty thoroughly,
I'm having a tough time finding someone else who has asked the same
question previously. There's a lot of information about openssh, but
surprisingly little detail about port forwarding. Either it works for
everyone all the time, or my configuration is a little bit particular
compared to others.

We would like to change from ssh2 to openssh for all of our linux
servers. I am testing new equipment with Fedora Core 5 with openssh
configured out of the box. I have no need to forward X11 windows, I just
want to be able to jump from machine to machine with a terminal, ssh and
scp, and use different accounts without having to type a password. A lot
of our production process revolves around this, so it pretty much has to
work for me to convert us.

I made users and keys with openssh instead of using the old ones, put
them in the accounts I wanted to jump to on multiple servers. I set the
perms on the authorized_keys files to 600. I set the ssh_config file in
/etc/ to say ForwardAgent yes.

Now let's say that I have a linux desktop and two linux servers,
assuming I've configured things correctly, then from the desktop box I
should be able to:

me@desktop> ssh-add
(type pass for key)
me@desktop> ssh someuser@server1

now from that terminal
someuser@server1> ssh otheruser@server2

It asks me for a password when I try to jump to the second server. I can
put the password in and it works, but I think at this point it should be
forwarding the key.

I have tail -f running on the secure log on each machine in question so
I can see if there's anything happening.

It does not enter into the log on the target machine that I am
attempting to open a connection while it waits for a password, so I was
thinking that pam may be intercepting the request and demanding one.

Has anyone known pam to do such a thing?
Am I seeing a common non-error?
Is this a situation where ssh-agent on the servers may be interfering
with the one from the desktop?
Do I have to turn on X11forwarding to get agent forwarding on these
servers, which don't even have x installed?
Does this have something to do with xauth on the servers, or is that
only for x11 forwarding?

Thanks

Jason Powers
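The "tail -f on the secure log" approach from the post above, carried a step further as an added example (this is not code from the thread or from OpenSSH): a small Python triage script that reads the "Accepted/Failed <method> for <user>" lines sshd writes, and reports per host which logins authenticated with a forwarded key and which fell back to a password. That is the list an admin wants before turning PasswordAuthentication off, since every password login it shows is a hop that will break. The log lines, hostnames and addresses are constructed for the example; the line format is the standard sshd one.

```python
"""Triage sshd auth log lines: key-based vs password logins per host.

Added example for the agent-forwarding thread, not code from the list.
The sample log below is constructed: 192.0.2.10 stands for the desktop,
192.0.2.21 for server1 (so the hop server1 -> server2 shows server1's
address as the source).
"""
import re
from collections import defaultdict

# Standard sshd line: "<ts> <host> sshd[<pid>]: Accepted|Failed <method> for
# [invalid user ]<user> from <ip> port <port> ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>[\w-]+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

# Constructed sample: desktop -> server1 used the agent key, server1 -> server2
# fell back to a password (the symptom described in the post).
SAMPLE_LOG = """\
Oct  4 18:02:11 server1 sshd[2210]: Accepted publickey for someuser from 192.0.2.10 port 51022 ssh2
Oct  4 18:02:38 server2 sshd[3311]: Failed password for invalid user bob from 192.0.2.21 port 40101 ssh2
Oct  4 18:02:44 server2 sshd[3312]: Accepted password for otheruser from 192.0.2.21 port 40112 ssh2
Oct  4 18:05:03 server1 sshd[2290]: Accepted publickey for cronuser from 192.0.2.10 port 51030 ssh2
"""


def parse_line(line):
    """Return a dict of the line's fields, or None if it is not an auth line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def summarize(log_text):
    """Count accepted logins per host, keyed by (user, auth method)."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["result"] == "Accepted":
            summary[rec["host"]][(rec["user"], rec["method"])] += 1
    return {host: dict(counts) for host, counts in summary.items()}


def password_logins(log_text):
    """Accepted logins that did not use a key (password or keyboard-interactive).

    These are exactly the hops that stop working once PasswordAuthentication
    is set to no, so they are the ones to fix (missing authorized_keys entry,
    agent not forwarded) first.
    """
    return sorted(
        (rec["host"], rec["user"], rec["ip"])
        for rec in map(parse_line, log_text.splitlines())
        if rec and rec["result"] == "Accepted" and rec["method"] != "publickey"
    )


if __name__ == "__main__":
    for host, counts in sorted(summarize(SAMPLE_LOG).items()):
        print(host, counts)
    print("still relying on passwords:", password_logins(SAMPLE_LOG))
```

Run it against real data with `python3 triage.py < /var/log/secure` after swapping SAMPLE_LOG for `sys.stdin.read()`; lines that are not sshd auth records are skipped by `parse_line` returning None.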
