Ok.
First and foremost, lay the groundwork:

1. Your public part of your SSH key pair *MUST* be ~/.ssh/authorized_keys on all destination hosts. That file *MUST* have a perms of 0600 (-rw-------) and be owned by the user.

2. ALL destination hosts must *NOT* disallow forwarded authentication (this being a key point here, stupid as it may be, it is a choice over-zealous admins sometimes make). ("PubkeyAuthentication yes" is usually the default and only works with version 2 anyway.)

3. You have your local workstation's ssh-agent running and loaded with your private part of your SSH key pair.

4. You must either have "ForwardAgent yes" by config (~/.ssh/config or /etc/ssh/config) on all hosts or use "ssh -A" on every attempt from which you want to forward. If you do not use "ssh -A" (or have the config) on the "next" host, you will only be allowed to forward from that last host and no successive host.

Example of #4: If I ssh into the relay host without "ForwardAgent yes" or without "-A", I cannot log in via key authentication. If I ssh into the relay host with "ssh -A relayhost", my authentication will be forwarded one additional hop to the next host, or "ssh nexthost" will auto-present the key auth. If I have "ForwardAgent yes" or use "ssh -A nexthost", I can then chain another "ssh thirdhost" and be authenticated via key auth, and so on and so on.


*ALL* of the following machines have the public part of my key pair, which is snipped here to make it screen-width friendly; otherwise it'd be over 600 characters wide:
ssh-dss AAAAB3NzaC1kc3MAAACBAKLDN [SNIP] +atgu8agE= greg@gregfolkert.net

That entry is in *EVERY* ~/.ssh/authorized_keys with "0600" permissions (-rw-------) on that file.

Here is a "cleansed" screen-scrape output to help make it clear and show what happens if you don't use the appropriate ForwardAgent flags or config. Most of these times are "Mountain Time".

greg@maxime:~ [0] $ ssh-add -l

1024 e2:58:eb:64:a0:37:71:09:4d:a1:1d:64:0e:9c:49:2c /home/greg/.ssh/id_dsa (DSA)
greg@maxime:~ [0] $ set | grep SSH_AUTH
SSH_AUTH_SOCK=/tmp/ssh-FCn0s4UDkB6l/agent.3125
greg@maxime:~ [0] $ ssh -A relayhost.managedby.me
Last login: Thu Feb 28 18:52:03 2013 from myhomeip.net
[greg@relayhost greg]$ set | grep SSH_AUTH
SSH_AUTH_SOCK=/tmp/ssh-qIhpM16436/agent.16436
[greg@relayhost greg]$ ssh secondhost
Last login: Thu Feb 28 18:53:05 2013 from relayhost
[greg@secondhost ~]$ set | grep SSH_AUTH
[greg@secondhost ~]$ ssh thirdhost
greg@thirdhost's password:
Last login: Mon Dec 10 09:35:32 2012 from relayhost
[greg@thirdhost ~]$ exit
Connection to thirdhost closed.
[greg@secondhost ~]$ exit
Connection to secondhost closed.
[greg@relayhost ~]$ ssh -A secondhost
Last login: Thu Feb 28 18:59:03 2013 from relayhost
[greg@secondhost ~]$ set | grep SSH_AUTH
SSH_AUTH_SOCK=/tmp/ssh-qpaPi28302/agent.28302
[greg@secondhost ~]$ ssh thirdhost
[greg@thirdhost ~]$ set | grep SSH_AUTH
[greg@thirdhost ~]$ ssh fourthhost
greg@fourthhost's password:
(Control C out of it)
[greg@thirdhost ~]$ exit
Connection to thirdhost closed.
[greg@secondhost ~]$ ssh -A thirdhost
Last login: Thu Feb 28 19:01:49 2013 from secondhost
[greg@thirdhost ~]$ set | grep SSH_AUTH
SSH_AUTH_SOCK=/tmp/ssh-xTngh18439/agent.18439
[greg@thirdhost ~]$ ssh fourthhost
Last login: Mon Dec 10 08:22:42 2012 from relayhost
[greg@fourthhost ~]$ set | grep SSH_AUTH
[greg@fourthhost ~]$ exit
Connection to fourthhost closed.
[greg@thirdhost ~]$ exit
Connection to thirdhost closed.
[greg@secondhost ~]$ exit
Connection to secondhost closed.
[greg@relayhost greg]$ exit
Connection to relayhost.managedby.me closed.
greg@maxime:~ [0] $


--
greg@gregfolkert.net
PGP key 1024D/B524687C 2003-08-05
Fingerprint: E1D3 E3D7 5850 957E FED0 2B3A ED66 6971 B524 687C
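A check for the groundwork steps above, as an added example that is not part of Greg's post: it verifies the authorized_keys mode and ownership (step 1), that an agent is reachable and holds a key (step 3), and whether "ForwardAgent yes" applies to a given host in ssh_config (step 4). The file paths are assumed defaults and the hostnames in the test and run line are constructed.

```shell
#!/bin/sh
# Added example (not from the post): sanity-check the preconditions for
# chained agent forwarding. POSIX sh; uses GNU or BSD `stat`.

# Step 1: authorized_keys exists, is mode 0600 and owned by the caller.
check_authorized_keys() {
    f=${1:-$HOME/.ssh/authorized_keys}
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    owner=$(stat -c %u "$f" 2>/dev/null || stat -f %u "$f")
    me=$(id -u)
    [ "$mode" = "600" ] || { echo "$f: mode $mode, want 600"; return 1; }
    [ "$owner" = "$me" ] || { echo "$f: owner uid $owner, want $me"; return 1; }
}

# Step 3: an agent is reachable and actually holds at least one identity
# (ssh-add -l exits 1 with no keys, 2 when it cannot reach the socket).
check_agent_loaded() {
    [ -n "$SSH_AUTH_SOCK" ] || { echo "SSH_AUTH_SOCK not set"; return 1; }
    ssh-add -l >/dev/null 2>&1 || { echo "agent has no identities"; return 1; }
}

# Step 4: does "ForwardAgent yes" apply to host $2 in ssh_config file $1?
# Mirrors the ssh rule that the first matching value wins. Host patterns
# support only exact names and a leading "*" wildcard (simplified).
forward_agent_enabled() {
    awk -v host="$2" '
        function glob(p, h) {
            if (p == "*") return 1
            if (substr(p, 1, 1) == "*")
                return substr(h, length(h) - length(p) + 2) == substr(p, 2)
            return p == h
        }
        BEGIN { active = 1 }            # directives before any Host are global
        tolower($1) == "host" {
            active = 0
            for (i = 2; i <= NF; i++) if (glob($i, host)) active = 1
            next
        }
        active && !found && tolower($1) == "forwardagent" { found = 1; val = tolower($2) }
        END { exit (val == "yes") ? 0 : 1 }
    ' "$1"
}

# Usage: ./check_forwarding.sh --run relayhost.managedby.me (constructed name)
if [ "${1:-}" = "--run" ]; then
    check_authorized_keys && check_agent_loaded &&
        forward_agent_enabled "$HOME/.ssh/config" "${2:-relayhost.managedby.me}" &&
        echo "all preconditions met for ${2:-relayhost.managedby.me}"
fi
```

If the last check fails, "ssh -A" on that hop is the per-connection equivalent of the config entry.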
If that doesn't help...
Yet another reason I dislike OSX.
--
greg@gregfolkert.net
PGP key 1024D/B524687C 2003-08-05
Fingerprint: E1D3 E3D7 5850 957E FED0 2B3A ED66 6971 B524 687C
Yes, all of those things are configured as described.
And I discovered that it works fine through non-root accounts. I can't forward through root on the remote machine.

Doesn't work:
anderson $ ssh -A root@remotehost
root[remotehost] $ ssh -T git@github.com


Does work:
anderson $ ssh -A nonroot@remotehost
root[remotehost] $ ssh -T git@github.com


So for some reason root is being blocked from forwarding, which makes no sense to me since forwarding only exposes the original client machine, not the remote.

So it's not OS X... it's Ubuntu. ;-)

Thanks anyways. Now I have to figure out how to convince Ansible to configure things via sudo instead (which it will do, but only for an entire playbook at a time, not just a single task).
Regards,
-scott
Welcome to Rivendell, Mr. Anderson.
Now... ahh ha.
More than likely they are being anal retentive about Root.

Root is a crappy thing to have to use to do automated things. It happens, but many won't/don't know how to make it available.

Probably comes down to a setup using some kind of PAM thing, or perhaps "root" has a compiled-in option for ssh/sshd to not allow things. There are weird options usable to restrict root in custom-compiled sources, all without config options evident.

You should see entries in the /var/log/auth.log for me...

Mar 1 00:32:57 omg sshd[30118]: Accepted publickey for root from XX.XX.XX.XX port 34837 ssh2
Mar 1 00:32:57 omg sshd[30118]: pam_unix(sshd:session): session opened for user root by (uid=0)


I'd be looking at the PAM session setup; I'm betting it's there.
--
greg@gregfolkert.net
PGP key 1024D/B524687C 2003-08-05
Fingerprint: E1D3 E3D7 5850 957E FED0 2B3A ED66 6971 B524 687C
Didn't find anything, but good idea. Thanks.
Regards,
-scott
Welcome to Rivendell, Mr. Anderson.
ssh agent forwarding... - (malraux)