Post #371,986
2/28/13 5:35:12 PM
|
ssh agent forwarding...
This is driving me nuts.
Local machine (OSX) has ForwardAgent yes in the ~/.ssh/config file:
Host remotehost
ForwardAgent yes
Local machine does not override this setting in /etc/ssh/ssh_config.
Host *
SendEnv LANG LC_*
# ForwardAgent no
Local machine is running ssh-agent:
anderson$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-L0iFZ891Gv/agent.75083; export SSH_AUTH_SOCK;
SSH_AGENT_PID=75084; export SSH_AGENT_PID;
echo Agent pid 75084;
ssh-add has been performed on the key:
anderson$ ssh-add
Identity added: /Users/anderson/.ssh/id_rsa (/Users/anderson/.ssh/id_rsa)
$SSH_AUTH_SOCK is there:
anderson$ echo $SSH_AUTH_SOCK
/tmp/launch-pg2gVc/Listeners
ssh key has been uploaded to GitHub and is working:
anderson$ ssh -T git@github.com
Hi [elided]! You've successfully authenticated, but GitHub does not provide shell access.
ssh key has been uploaded to remote machine and works:
anderson$ ssh root@remotehost
[root@host1 ~]#
AllowAgentForwarding is configured on the remote machine:
[root@host1 ~]# head /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details
AllowAgentForwarding yes
And here's where it goes pear-shaped: SSH_AUTH_SOCK is nowhere to be found:
[root@host1 ~]# !echo
echo $SSH_AUTH_SOCK
*crickets*
And of course key forwarding is nowhere to be found as well:
[root@host1 ~]# ssh -T git@github.com
Permission denied (publickey).
Can anyone point this poor developer in the way of system administerly godliness?
Regards, -scott Welcome to Rivendell, Mr. Anderson.
|
Post #371,992
2/28/13 7:47:03 PM
|
I only know what Google tells me...
Does this help? See the first reply.
http://superuser.com...e-every-time-on-m
Good luck.
Cheers,
Scott.
|
Post #371,993
2/28/13 7:52:53 PM
|
No, that's the part I have working.
It's the forwarding once I hit the server and try to ssh to another server that isn't working. Thanks, though.
Regards, -scott Welcome to Rivendell, Mr. Anderson.
|
Post #371,994
2/28/13 8:04:28 PM
2/28/13 8:17:11 PM
|
ssh -A remotehost
More to the point, I don't want X forwarding ever when I call this script: greg@maxime:~ [0] $ cat `which sshw`
#!/bin/bash
# -x: never forward X11; -A: forward the agent; -t: force a tty so the nested ssh is interactive
ssh -x -A -t somehost.managed.me myssh -x -A "$@"
and the "myssh" is a shell script I have to use to track my logins to other machines, via "logger" so I can put my login history together for our PCI Compliance idiots.
And BTW, if I do: ssh -A somehost.managed.me here is the resultant:
[greg@somehost greg]$ set | grep SSH_AUTH_SOCK
SSH_AUTH_SOCK=/tmp/ssh-LcdmO15950/agent.15950
I can then do this: [greg@somehost greg]$ ssh anotherhost
Last login: Wed Feb 20 04:59:37 2013 from somehost.managed.me
[greg@anotherhost ~]$
If you include the "-A" on every ssh after that you can chain until your hearts galore.
Also, to make it AUTOMAGIC from your workstation you have to edit /etc/ssh/ssh_config or your ~/.ssh/config in the "*" section to contain:
ForwardAgent yes
Cheers!
--
greg@gregfolkert.net
PGP key 1024D/B524687C 2003-08-05
Fingerprint: E1D3 E3D7 5850 957E FED0 2B3A ED66 6971 B524 687C
|
Post #371,996
2/28/13 8:13:42 PM
|
I already said that doesn't work. :-)
Regards, -scott Welcome to Rivendell, Mr. Anderson.
|
Post #371,997
2/28/13 8:18:30 PM
2/28/13 8:19:14 PM
|
Fine, have fun... it's a config issue DISALLOWING IT.
You are on your own.
I know how it works. You can't get it to work. Obviously you'll get it figured out without any help.
--
greg@gregfolkert.net
|
Post #371,999
2/28/13 8:28:22 PM
|
Er, what?
As described, I already:
1) put ForwardAgent yes in the config file.
2) tried -A all on its own.
That's the problem: I've done all of that and it still doesn't work; that's the point of my question, and that's why I'm asking for help.
Regards, -scott Welcome to Rivendell, Mr. Anderson.
|
Post #372,000
2/28/13 9:14:21 PM
|
Try here.
http://bridge.grumpy...hd-ssh-agent.html
http://www.dribin.or...sh_agent_leopard/
If that again addresses things that are already working, no need to reply. I'll quit.
Good luck.
Cheers,
Scott.
|
Post #372,007
2/28/13 10:00:38 PM
|
Thanks anyways. :-)
Regards, -scott Welcome to Rivendell, Mr. Anderson.
|
Post #372,001
2/28/13 9:22:10 PM
|
Ok.
First and foremost. Lay the ground work:
1. The public part of your SSH key pair *MUST* be in ~/.ssh/authorized_keys on all destination hosts. That file *MUST* have perms of 0600 (-rw-------) and be owned by the user.
2. ALL destination hosts must *NOT* disallow forwarded authentication. (This being a key point here, stupid as it may be, it is a choice overzealous admins make sometimes.) ("PubkeyAuthentication yes" is usually default and only works with version 2 anyway.)
3. You have your local workstation's ssh-agent running and loaded with your private part of your SSH key pair.
4. You must either by config (~/.ssh/config or /etc/ssh/config) have "ForwardAgent yes" for all hosts, or use "ssh -A" on every attempt where you want to forward from there. If you do not use "ssh -A" (or have the config) on the "next" host, you will only be allowed to forward from that last host and not from any successive host.
Example of #4: If I ssh into the relay host without ForwardAgent yes or without "-A", I cannot log in via key authentication. If I ssh into the relay host with "ssh -A relayhost", my authentication will be forwarded one additional hop to the next host, i.e. "ssh nexthost" will auto-present the key auth. If I have "ForwardAgent yes" or use "ssh -A nexthost", I can then chain another "ssh thirdhost" and be authenticated via key auth, and so on and so on.
*ALL* of these following machines have my public part of my key pair which is snipped to make it screen width friendly, otherwise it'd be over 600 characters wide:
ssh-dss AAAAB3NzaC1kc3MAAACBAKLDN [SNIP] +atgu8agE= greg@gregfolkert.net
That entry is in *EVERY* ~/.ssh/authorized_keys with a "0600" permissions (-rw-------) on that file.
Here is a "cleansed" screen-scrape output, to help make it clear and show what happens if you don't use the appropriate ForwardAgent flags or config. Most of these times are "Mountain Time".
greg@maxime:~ [0] $ ssh-add -l
1024 e2:58:eb:64:a0:37:71:09:4d:a1:1d:64:0e:9c:49:2c /home/greg/.ssh/id_dsa (DSA)
greg@maxime:~ [0] $ set | grep SSH_AUTH
SSH_AUTH_SOCK=/tmp/ssh-FCn0s4UDkB6l/agent.3125
greg@maxime:~ [0] $ ssh -A relayhost.managedby.me
Last login: Thu Feb 28 18:52:03 2013 from myhomeip.net
[greg@relayhost greg]$ set | grep SSH_AUTH
SSH_AUTH_SOCK=/tmp/ssh-qIhpM16436/agent.16436
[greg@relayhost greg]$ ssh secondhost
Last login: Thu Feb 28 18:53:05 2013 from relayhost
[greg@secondhost ~]$ set | grep SSH_AUTH
[greg@secondhost ~]$ ssh thirdhost
greg@thirdhost's password:
Last login: Mon Dec 10 09:35:32 2012 from relayhost
[greg@thirdhost ~]$ exit
Connection to thirdhost closed.
[greg@secondhost ~]$ exit
Connection to secondhost closed.
[greg@relayhost ~]$ ssh -A secondhost
Last login: Thu Feb 28 18:59:03 2013 from relayhost
[greg@secondhost ~]$ set | grep SSH_AUTH
SSH_AUTH_SOCK=/tmp/ssh-qpaPi28302/agent.28302
[greg@secondhost ~]$ ssh thirdhost
[greg@thirdhost ~]$ set | grep SSH_AUTH
[greg@thirdhost ~]$ ssh fourthhost
greg@fourthhost's password:
(Control C out of it)
[greg@thirdhost ~]$ exit
Connection to thirdhost closed.
[greg@secondhost ~]$ ssh -A thirdhost
Last login: Thu Feb 28 19:01:49 2013 from secondhost
[greg@thirdhost ~]$ set | grep SSH_AUTH
SSH_AUTH_SOCK=/tmp/ssh-xTngh18439/agent.18439
[greg@thirdhost ~]$ ssh fourthhost
Last login: Mon Dec 10 08:22:42 2012 from relayhost
[greg@fourthhost ~]$ set | grep SSH_AUTH
[greg@fourthhost ~]$ exit
Connection to fourthhost closed.
[greg@thirdhost ~]$ exit
Connection to thirdhost closed.
[greg@secondhost ~]$ exit
Connection to secondhost closed.
[greg@relayhost greg]$ exit
Connection to relayhost.managedby.me closed.
greg@maxime:~ [0] $
--
greg@gregfolkert.net
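The chaining rule in point 4 above, and the hop-by-hop check the transcript performs by hand, as an added example that is not code from the thread. Host names passed as arguments (relayhost, secondhost, ...) are placeholders. The ssh_config stanza it emits scopes ForwardAgent to the named hops rather than "Host *", because every server you forward to can use your agent for as long as the session is open, so the list of hosts that get it should be deliberate:

```bash
#!/bin/bash
# Added example (not code from the thread): client-side helpers for checking
# multi-hop agent forwarding. Host names are placeholders given as arguments.

# Emit an ssh_config stanza that enables agent forwarding only for the named
# hops. Scoping it this way instead of "Host *" means an arbitrary server you
# later ssh to is not handed a channel to your agent.
forward_agent_stanza() {      # usage: forward_agent_stanza HOST...
  printf 'Host %s\n    ForwardAgent yes\n' "$*"
}

# Build the nested ssh command that probes the agent at the last hop. Every
# ssh in the chain carries -A: a hop only has an agent to offer onward if the
# hop before it forwarded one (the transcript shows the alternative: the next
# hop has no SSH_AUTH_SOCK and falls back to a password prompt). ssh joins the
# remote arguments with spaces, so no extra quoting is needed as long as host
# names contain no shell metacharacters.
chain_probe_cmd() {           # usage: chain_probe_cmd HOST...
  local cmd= hop
  for hop in "$@"; do
    cmd="${cmd}ssh -A $hop "
  done
  printf '%sssh-add -l\n' "$cmd"
}

# Walk the chain for real, one hop deeper each time, and report the first hop
# where the agent is missing. ssh-add -l exits 0 (keys listed) or 1 (agent
# reachable but empty) when forwarding worked, and 2 when no agent is there;
# ssh relays the remote exit status back through every hop. Assumes the host
# keys of every hop are already known, since the inner ssh commands get no tty.
probe_each_hop() {            # usage: probe_each_hop HOST...
  local prefix= hop rc
  for hop in "$@"; do
    prefix="${prefix}ssh -A $hop "
    $prefix ssh-add -l >/dev/null 2>&1   # word splitting of $prefix is intended
    rc=$?
    case $rc in
      0|1) echo "$hop: agent reachable" ;;
      *)   echo "$hop: agent NOT reachable (ssh-add/ssh exit $rc)"; return 1 ;;
    esac
  done
}
```

Typical use: `forward_agent_stanza relayhost secondhost thirdhost >> ~/.ssh/config`, then `probe_each_hop relayhost secondhost thirdhost`; the first hop reported as "NOT reachable" is the link where -A (or the config) was missing. `ssh -A` is the same as `-o ForwardAgent=yes`. Loading the key with `ssh-add -c` makes the local agent ask for confirmation each time a forwarded hop uses it, which limits what an intermediate host can do with the socket while you are logged in.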
|
Post #372,002
2/28/13 9:25:41 PM
|
If that doesn't help...
Yet another reason I dislike OSX.
--
greg@gregfolkert.net
|
Post #372,005
2/28/13 9:58:02 PM
|
Yes, all of those things are configured as described.
And I discovered that it works fine through non-root accounts. I can't forward through root on the remote machine.
Doesn't work:
anderson $ ssh -A root@remotehost
root[remotehost] $ ssh -T git@github.com
Does work:
anderson $ ssh -A nonroot@remotehost
root[remotehost] $ ssh -T git@github.com
So for some reason root is being blocked from forwarding, which makes no sense to me since forwarding only exposes the original client machine, not the remote.
So it's not OS X... it's Ubuntu. ;-)
Thanks anyways. Now I have to figure out how to convince Ansible to configure things via sudo instead (which it will do, but only for an entire playbook at a time, not just a single task).
Regards, -scott Welcome to Rivendell, Mr. Anderson.
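The observation above (forwarding works for a non-root user, root gets no SSH_AUTH_SOCK at all, before any ssh to GitHub is attempted) narrows the search to what differs for root on the destination host. The following is an added example, not code from the thread, to be run on that host: it checks the three places a per-user difference can come from. `head /etc/ssh/sshd_config` only shows the first ten lines, and a later `Match User root` block can still set `AllowAgentForwarding no`; `sshd -T -C user=...` (OpenSSH 5.1 and later, needs root) prints the configuration that actually applies in that context. A key in root's authorized_keys can carry `no-agent-forwarding`, `restrict` or `command=` options that disable forwarding for that key only. Root's shell start-up files can assign or unset SSH_AUTH_SOCK after sshd has set it. The function names are invented; file paths are the usual defaults.

```bash
#!/bin/bash
# Added example (not code from the thread): triage why a forwarded agent
# socket is missing for one user (here root) on the destination host while
# the same client setup works for another user. Run on the destination host.

# 1. Effective sshd configuration for a connection context. Only the top of
#    sshd_config was shown; a "Match User root" block further down can turn
#    AllowAgentForwarding off for root alone. Requires root (reads host keys).
effective_sshd_config() {     # usage: effective_sshd_config USER HOST ADDR
  sshd -T -C "user=$1,host=$2,addr=$3" 2>/dev/null
}

# Read `sshd -T` output on stdin; succeed only if agent forwarding is allowed.
agent_forwarding_allowed() {
  grep -qi '^allowagentforwarding yes$'
}

# 2. Per-key restrictions in authorized_keys. Options precede the key type,
#    comma separated; no-agent-forwarding, restrict and command="..." each
#    disable forwarding for that key regardless of sshd_config. Prints the
#    option field of offending entries and succeeds if any were found.
has_restricted_keys() {       # usage: has_restricted_keys AUTHORIZED_KEYS_FILE
  local file=$1 line found=1
  [ -r "$file" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac
    if printf '%s\n' "$line" | grep -Eq '(^|,)(no-agent-forwarding|restrict|command=)'; then
      printf 'restricted entry: %s ...\n' "${line%% *}"
      found=0
    fi
  done < "$file"
  return $found
}

# 3. Start-up files that rewrite SSH_AUTH_SOCK. An `export SSH_AUTH_SOCK=...`
#    (keychain and similar tools do this) or `unset SSH_AUTH_SOCK` in root's rc
#    files replaces the socket path sshd handed to the session. Commented-out
#    lines are ignored. Succeeds if any such line exists.
auth_sock_clobbered_by() {    # usage: auth_sock_clobbered_by FILE...
  grep -nE '^[^#]*(SSH_AUTH_SOCK=|unset[[:space:]]+SSH_AUTH_SOCK)' "$@" 2>/dev/null
}

# 4. State of the socket in the current session.
agent_socket_state() {
  if [ -z "${SSH_AUTH_SOCK:-}" ]; then echo "unset"
  elif [ -S "$SSH_AUTH_SOCK" ]; then echo "socket"
  else echo "stale: $SSH_AUTH_SOCK"   # path is set but nothing listens there
  fi
}

triage() {                    # usage: triage [USER]   (default root)
  local user=${1:-root} home addr=${SSH_CONNECTION:-127.0.0.1}
  addr=${addr%% *}            # SSH_CONNECTION = "client-ip client-port server-ip server-port"
  echo "SSH_AUTH_SOCK in this session: $(agent_socket_state)"
  if effective_sshd_config "$user" "$(hostname)" "$addr" | agent_forwarding_allowed; then
    echo "sshd: agent forwarding allowed for $user"
  else
    echo "sshd: agent forwarding NOT in effect for $user (check Match blocks; sshd -T needs root)"
  fi
  home=$(getent passwd "$user" | cut -d: -f6)
  has_restricted_keys "$home/.ssh/authorized_keys" && echo "authorized_keys: the options above disable forwarding for that key"
  auth_sock_clobbered_by "$home/.bashrc" "$home/.bash_profile" "$home/.profile" /etc/profile /etc/bash.bashrc \
    && echo "start-up files: the lines above rewrite SSH_AUTH_SOCK after login"
}

[ $# -gt 0 ] && triage "$1"
```

Run it as `sudo ./agent-triage.sh root` on the destination host; compare with `./agent-triage.sh nonroot`, the user for whom forwarding works, and whichever of the three checks differs is where the block is. Client-side, `ssh -vv root@remotehost` should show the agent-forwarding request being sent during session setup; if it is sent and the socket is still absent, the cause is on the server side.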
|
Post #372,018
3/1/13 12:34:30 AM
|
Now... ahh ha.
More than likely they are being anal retentive about Root.
Root is a crappy thing to have to use to do automated things. It happens, but many won't/don't know how to make it available.
Probably comes down to a setup using some kind of PAM thing or perhaps "root" has a compiled in option for ssh/sshd to not allow things. There are weird options usable to restrict Root in custom compiled sources, all without config options evident.
You should see entries in the /var/log/auth.log for me...
Mar 1 00:32:57 omg sshd[30118]: Accepted publickey for root from XX.XX.XX.XX port 34837 ssh2
Mar 1 00:32:57 omg sshd[30118]: pam_unix(sshd:session): session opened for user root by (uid=0)
I'd be looking at the PAM session setup; I'm betting it's there.
--
greg@gregfolkert.net
|
Post #372,034
3/1/13 10:23:43 AM
|
Didn't find anything, but good idea. Thanks.
Regards, -scott Welcome to Rivendell, Mr. Anderson.
|
Post #372,004
2/28/13 9:57:56 PM
|
root on machine1 isn't the user anderson on github
Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free American and do not reflect the opinions of any person or company that I have had professional relations with in the past 57 years. meep
|
Post #372,006
2/28/13 10:00:22 PM
|
Doesn't matter.
GitHub ties an SSH key to a single account only.
anderson@client -> root@remote -> anderson's-ssh-key@github.com
If forwarding is working, that would work. But I can't even get that far because Ubuntu is blocking forwarding as root.
anderson@client -> nonroot@remote -> anderson's-ssh-key@github.com works fine.
Regards, -scott Welcome to Rivendell, Mr. Anderson.
|
Post #372,008
2/28/13 10:08:28 PM
|
but that isn't what you posted
And of course key forwarding is nowhere to be found as well:
[root@host1 ~]# ssh -T git@github.com
Permission denied (publickey).
if you are root and try to ssh to git@github.com, forcing no terminal, github will see the request as user root@host1, not anderson
try
[root@host1 ~]# ssh -vv -T git@github.com
and see what it is actually doing
meep
|
Post #372,009
2/28/13 10:15:28 PM
|
Re: but that isn't what you posted
If I put the private key in root's .ssh directory, the ssh to github.com works. That's not the issue.
When using forwarding the actual user should be immaterial. The problem is that the Ubuntu server is refusing to turn on forwarding when connecting as root.
Regards, -scott Welcome to Rivendell, Mr. Anderson.
|
Post #372,012
2/28/13 10:32:58 PM
|
never heard of /etc/init/autoforward.conf
Service Setup (Ubuntu)
Under current Ubuntu (10.04) you can create an Upstart job to run the setup script:
$ cat /etc/init/autoforward.conf
# autoforward - automatic SSH forwarding
description "automatic SSH forwarding"
start on runlevel [2345]
stop on runlevel [!2345]
respawn
exec /usr/local/bin/setup-ssh-forwards
It should not be executable. You can start it as follows:
$ sudo initctl start autoforward
autoforward start/running, process 11590
meep
|
Post #372,015
2/28/13 11:15:54 PM
|
That's port forwarding, isn't it?
I'm doing agent forwarding.
Regards, -scott Welcome to Rivendell, Mr. Anderson.
|
Post #372,019
3/1/13 12:35:49 AM
|
Yes it is...
I use a different program for that stuff... "autossh"
--
greg@gregfolkert.net
|
Post #372,010
2/28/13 10:21:27 PM
|
Re: but that isn't what you posted
anderson$ ssh nonroot@remotehost
Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-15-server x86_64)
[...]
Last login: Thu Feb 28 22:17:29 2013 from [elided]
nonroot@host1:~$ ssh -T git@github.com
Hi [elided]! You've successfully authenticated, but GitHub does not provide shell access.
As compared to:
anderson$ ssh root@remotehost
Last login: Thu Feb 28 22:16:36 2013 from [elided]
[root@host1 ~]# ssh -T git@github.com
Permission denied (publickey).
Regards, -scott Welcome to Rivendell, Mr. Anderson.
|
Post #372,017
3/1/13 12:13:54 AM
|
Re: but that isn't what you posted
Instead of:
[root@host1 ~]# ssh -T git@github.com
Try:
[root@host1 ~]# ssh -vvv -T git@github.com and look at the error messages.
-Mike
@MikeVitale42
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
- Benjamin Franklin, 1759 Historical Review of Pennsylvania
|
Post #372,032
3/1/13 10:17:26 AM
|
The problem happens before that point.
There's no SSH_AUTH_SOCK available.
Regards, -scott Welcome to Rivendell, Mr. Anderson.
|
Post #372,022
3/1/13 1:48:21 AM
|
Good grief, man!
Now you're a wealth creator, don't you have people to do this sort of thing for you?
|
Post #372,033
3/1/13 10:17:40 AM
|
You'd think so, wouldn't you.
Regards, -scott Welcome to Rivendell, Mr. Anderson.
|
Post #372,038
3/1/13 2:49:11 PM
|
the only thing else I can think of
is there a path available to regularuser that root doesn't know about?
meep
|