Re: Trouble with agent forwarding



I guess your problem is that the root ssh public key is not in somename's authorized_keys on machine C.
When you do 'sudo ssh someone@C' you're loading root's profile on the originating box, as if root was launching the ssh command, therefore ssh loads root's public key and tries to authenticate with it on machine C against your remote user's authorized keys.

-Ed

----- Original Message ----
From: Iwan Vosloo <iwan@xxxxxxxxx>
To: secureshell@xxxxxxxxxxxxxxxxx
Sent: Thursday, June 19, 2008 5:21:46 AM
Subject: Trouble with agent forwarding

Hi.

After an upgrade, we are having trouble with openssh and agent
forwarding, and are stumped at trying to find the source of our
troubles. Any pointers to help us debug would be appreciated:


Previously, we had
(a) developer workstations, with our ssh keys in the normal place:
~/.ssh/id_rsa{,.pub}
(b) Prod machine B, with ~/.ssh/authorized_keys{,2}
(containing the public keys of our developers).
(c) Prod machine C, set up like B

On developer boxes, we have /etc/ssh/ssh_config with the following
(assume C is the domain name of the said production machines):

Host C
ForwardAgent yes

With this setup, we were able to execute the following two commands from
an ssh session to machine B:

ssh C ls
sudo ssh somename@C ls

This was on Ubuntu Gutsy, with openssh version 1:4.6p1-5ubuntu0.5 and
sudo version 1.6.8p12-5ubuntu2.
Then we upgraded to Ubuntu Hardy, with openssh version
1:4.7p1-8ubuntu1.2 and sudo version 1.6.9p10-1ubuntu3.2.

After the upgrade, we can still do
ssh C ls

But NOT
sudo ssh somename@C ls


Should it be possible to let agent forwarding work like this "through"
sudo?
Where do we go to search for the problem?
It certainly was working before...

Thanks
- Iwan
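One place to look when agent forwarding stops working only under sudo is the environment sudo hands to the command: ssh finds the forwarded agent through the SSH_AUTH_SOCK variable, and sudo's env_reset (on by default from sudo 1.6.9) drops that variable unless sudoers lists it in env_keep. The script below is an added diagnostic, not code from this thread or from the OpenSSH or sudo projects; the function names and the sample `env` listings in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: check whether SSH_AUTH_SOCK survives the hop through sudo.
# Feed it two `env`-style listings (KEY=VALUE per line): the caller's own
# environment and the environment seen after sudo.

# Return 0 if the listing contains a non-empty SSH_AUTH_SOCK, 1 otherwise.
agent_sock_present() {
    printf '%s\n' "$1" | grep -q '^SSH_AUTH_SOCK=..*'
}

# Compare the outer (pre-sudo) and inner (post-sudo) environments and print
# one of: no-agent, ok, stripped-by-sudo. Exit status mirrors the verdict.
diagnose_sudo_agent() {
    outer="$1"
    inner="$2"
    if ! agent_sock_present "$outer"; then
        # Nothing to forward: no agent reached this shell in the first place,
        # so the problem is before sudo (ssh-agent, ForwardAgent, or the hop to B).
        echo "no-agent"
        return 1
    fi
    if agent_sock_present "$inner"; then
        # sudo kept the socket variable; look at keys/authorized_keys instead
        # (for example with `sudo ssh -v somename@C`).
        echo "ok"
        return 0
    fi
    # The variable existed before sudo and is gone afterwards: sudo's
    # env_reset removed it. Remedy in sudoers (via visudo):
    #   Defaults env_keep += "SSH_AUTH_SOCK"
    echo "stripped-by-sudo"
    return 2
}

# Live usage on the box where `sudo ssh somename@C` fails.
# Constructed listings are used in the test; on a real host run:
#   diagnose_sudo_agent "$(env)" "$(sudo env)"
```

Note that keeping SSH_AUTH_SOCK across sudo lets the root session use the caller's forwarded agent for as long as the session lasts, which is exactly what the pre-upgrade setup already did; confirm that is intended before adding the env_keep entry.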





