Mailing List Archive



Re: [tlug] ssh-agent not being magical enough [Josh: C&C for toshiyori]



Back on May 27th Stephen Turnbull replied to this:
>  > But, now I want to do that deliberately on a remote server and it won't
>  > work! What I want is:
>  >   $ ssh first
>  >   [first]$ scp abc second:~
>  >    --> prompt for the key passphrase [2]
>  >   [first]$ scp abc second:~
>  >    --> used saved passphrase
> 
> Are you sure that's what you want?
> ...

Thanks Stephen (and Christian). You were right, that wasn't what I
wanted. I've just had the chance to try your suggestion and it turned out to
be easy. I had this section in my ~/.ssh/config file (on my notebook)
and just had to add the last line:

Host first
        User darren
        Hostname 1.2.3.4
        Port 98765
        HostKeyAlias xxx_first
        ForwardAgent yes

I didn't need to touch sshd config on any machine as it appears
AllowAgentForwarding is on by default in most installations.

Darren

P.S. I didn't fully understand the security consequences, so I only added
the ForwardAgent line for the set of hosts where I currently need this
functionality. (These are all machines where I had been willing to
install my private key, so I assume ForwardAgent cannot be more insecure
than that ;-)

P.P.S. I've kept Stephen's explanation in below. There is also a
graphical explanation of the magic involved here:
  http://www.unixwiz.net/techtips/ssh-agent-forwarding.html#fwd


> The usual configuration is like this (see also Christian's very
> similar post, but I didn't fully understand it so I'm writing in my
> own style here):
> 
> localhost:
>     ssh-agent (background)
>         This is your active ssh-agent.  It actually knows your keys.
>     ssh
>         You know what this is for.
>         You need to enable "AgentForwarding" either in .ssh/config or
>         from the command line with "-A".
> 
> first:
>     ssh-agent (background)
>         I'm not sure you actually need it, but you may.  It doesn't
>         need to know about identities.  If it has any role, it is
>         forwarding authentication traffic between ssh-agent on
>         localhost (which knows the keys) and the sshd on second.
>     sshd
>         Must have agent-forwarding option enabled (see
>         no-agent-forwarding in the sshd man page).  Dunno if you can
>         do this.  agent-forwarding is considered a security risk (see
>         ssh man page near the top).
>     ssh
>         Just do it.  Caveat, if you ever ssh from second, you may want
>         AgentForwarding enabled here.
> 
> second:
>     sshd
>         Must be running, of course.  If you want to use agent
>         forwarding from here, configure like "first".
>     ssh-agent, ssh
>         If you ssh from "second", see configuration for "first".
> 
> 
> The only reason I can think of to *not* use this configuration is if
> you share an SSH key with a user actually based on "first" (who's on
> first, anyway??), but sharing keys is also normally frowned on.


-- 
Darren Cook, Software Researcher/Developer

http://dcook.org/work/ (About me and my work)
http://dcook.org/blogs.html (My blogs and articles)
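The P.S. above scopes ForwardAgent to individual Host stanzas rather than turning it on globally, which matters because a forwarded agent socket on "first" can be used by anyone who is root there for as long as the session is open. The following is an added example, not code from the thread or from OpenSSH: a small Python audit that parses a client ssh_config and reports which Host patterns enable agent forwarding, flagging wildcard patterns such as `Host *`. The sample config is constructed, modelled on Darren's stanza; the `second` and `*` blocks are hypothetical, and the parser assumes Host stanzas only (no Match blocks or quoted values).

```python
"""Audit an OpenSSH client config for the scope of agent forwarding."""
import re

# Constructed sample config, modelled on the stanza in the post above.
# The "second" and "Host *" blocks are hypothetical additions.
SAMPLE_CONFIG = """\
# notebook ~/.ssh/config (constructed example)
Host first
        User darren
        Hostname 1.2.3.4
        Port 98765
        HostKeyAlias xxx_first
        ForwardAgent yes

Host second
        User darren
        Hostname 5.6.7.8

Host *
        ForwardAgent no
"""


def parse_ssh_config(text):
    """Return a list of (host_patterns, {keyword_lower: value}) in file order.

    Only the 'Host' keyword opens a new block; options that precede any
    Host line are collected under the pattern '<global>'. Blocks with no
    options are dropped. Assumption: Host stanzas only, no Match blocks
    and no quoted values.
    """
    blocks = []
    patterns, options = ["<global>"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        # OpenSSH accepts "Keyword value" as well as "Keyword=value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if keyword == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            # OpenSSH keeps the first value it sees for an option within a block.
            options.setdefault(keyword, value)
    blocks.append((patterns, options))
    return [block for block in blocks if block[1]]


def forwarding_hosts(text):
    """Return the Host patterns whose block sets ForwardAgent to yes/true."""
    enabled = []
    for patterns, options in parse_ssh_config(text):
        if options.get("forwardagent", "").lower() in ("yes", "true"):
            enabled.extend(patterns)
    return enabled


def audit(text):
    """Return one finding per Host pattern that enables agent forwarding."""
    findings = []
    enabled = forwarding_hosts(text)
    if not enabled:
        findings.append("ForwardAgent is not enabled for any host")
    for pattern in enabled:
        if "*" in pattern or "?" in pattern:
            findings.append(
                f"ForwardAgent yes applies to wildcard pattern '{pattern}': "
                "every matching host can use your agent while you are logged in"
            )
        else:
            findings.append(f"ForwardAgent yes scoped to '{pattern}'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Running it against the constructed config reports a single finding, `ForwardAgent yes scoped to 'first'`, which is the per-host scoping Darren describes. A complementary control on the notebook side is `ssh-add -c`, which loads a key so that the local agent asks for confirmation each time a forwarded request tries to use it, so a session on "first" cannot silently sign on your behalf.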


