IWETHEY v. 0.3.0 | TODO
1,095 registered users | 0 active users | 0 LpH | Statistics
Login | Create New User
IWETHEY Banner

Welcome to IWETHEY!

IWETHEY Home / IWETHEY Board / Software and Applications Forum / Er, what?
Post #371,999
by malraux
Picture of malraux
2/28/13 8:28:22 PM
Reply
New Er, what?
As described, I already:

1) put FowardAgent yes in the config file.

2) tried -A all on its own.

That's the problem: I've done all of that and it still doesn't work; that's the point of my question, and that's why I'm asking for help.
Regards,
-scott
Welcome to Rivendell, Mr. Anderson.
Post #372,000
by Another Scott
2/28/13 9:14:21 PM
Reply
New Try here.
http://bridge.grumpy...hd-ssh-agent.html

http://www.dribin.or...sh_agent_leopard/

If that again addresses things that are already working, no need to reply. I'll quit.

Good luck.

Cheers,
Scott.
Post #372,007
by malraux
Picture of malraux
2/28/13 10:00:38 PM
Reply
New Thanks anyways. :-)
Regards,
-scott
Welcome to Rivendell, Mr. Anderson.
Post #372,001
by folkert
Picture of folkert
2/28/13 9:22:10 PM
Reply
New Ok.
First and foremost. Lay the ground work:

1. Your public part of your SSH key pair *MUST* be ~/.ssh/authorized_keys on all destination hosts. That file *MUST* have a perms of 0600 (-rw-------) and be owned by the user.

2. ALL Destination hosts must *NOT* disallow Forwarded Authentication. (this being a key point here, stupid as it may be, it is a choice over zealous admins use sometimes) ("PubkeyAuthentication yes" is usually default and only works with version 2 anyway)

3. You have your local workstation's ssh-agent running and loaded with your private part of your SSH key pair.

4. You must either by config (~/.ssh/config or /etc/ssh/config) have "ForwardAgent yes" on all hosts or use "ssh -A" on every attempt to want to forward from there. If you do not use "ssh -A" (or have config) on the "next" host, you will only be allowed to forward from that last host and no successive host.

example of #4: I ssh into relay host without ForwardAgent yes or with without "-A" I can not login via key-authentication. If I ssh into relay host "ssh -A relayhost" my authentication will be forwarded one additional hop to the next host or "ssh nexthost" will auto present the key-auth. If I have "ForwardAgent yes" or use "ssh -A nexthost" I can then chain another "ssh thirdhost" and be authenticated via key-auth and so on and so on.


*ALL* of these following machines have my public part of my key pair which is snipped to make it screen width friendly, otherwise it'd be over 600 characters wide:
ssh-dss AAAAB3NzaC1kc3MAAACBAKLDN [SNIP] +atgu8agE= greg@gregfolkert.net

That entry is in *EVERY* ~/.ssh/authorized_keys with a "0600" permissions (-rw-------) on that file.

Here is a "cleansed" screen scrape output. to help make it clear and show what happens if you don't use the appropriate ForwardAgent flags of config. Most of these times are "Mountain Time". 

greg@maxime:~ [0] $ ssh-add -l

1024 e2:58:eb:64:a0:37:71:09:4d:a1:1d:64:0e:9c:49:2c /home/greg/.ssh/id_dsa (DSA)

greg@maxime:~ [0] $ set | grep SSH_AUTH

SSH_AUTH_SOCK=/tmp/ssh-FCn0s4UDkB6l/agent.3125

greg@maxime:~ [0] $ ssh -A relayhost.managedby.me

Last login: Thu Feb 28 18:52:03 2013 from myhomeip.net

[greg@relayhost greg]$ set | grep SSH_AUTH

SSH_AUTH_SOCK=/tmp/ssh-qIhpM16436/agent.16436

[greg@relayhost greg]$ ssh secondhost

Last login: Thu Feb 28 18:53:05 2013 from relayhost

[greg@secondhost ~]$ set | grep SSH_AUTH

[greg@secondhost ~]$ ssh thirdhost

greg@thirdhost's password: 

Last login: Mon Dec 10 09:35:32 2012 from relayhost

[greg@thirdhost ~]$ exit

Connection to thirdhost closed.

[greg@secondhost ~]$ exit

Connection to secondhost closed.

[greg@relayhost ~]$ ssh -A secondhost

Last login: Thu Feb 28 18:59:03 2013 from relayhost

[greg@secondhost ~]$ set | grep SSH_AUTH

SSH_AUTH_SOCK=/tmp/ssh-qpaPi28302/agent.28302

[greg@secondhost ~]$ ssh thirdhost

[greg@thirdhost ~]$ set | grep SSH_AUTH

[greg@thirdhost ~]$ ssh fourthhost

greg@fourthhost's password:

(Control C out of it)

[greg@thirdhost ~]$ exit

Connection to thirdhost closed.

[greg@secondhost ~]$ ssh -A thirdhost

Last login: Thu Feb 28 19:01:49 2013 from secondhost

[greg@thirdhost ~]$ set | grep SSH_AUTH

SSH_AUTH_SOCK=/tmp/ssh-xTngh18439/agent.18439

[greg@thirdhost ~]$ ssh fourthhost

Last login: Mon Dec 10 08:22:42 2012 from relayhost

[greg@fourthhost ~]$ set | grep SSH_AUTH

[greg@fourthhost ~]$ exit

Connection to fourthhost closed.

[greg@thirdhost ~]$ exit

Connection to thirdhost closed.

[greg@secondhost ~]$ exit

Connection to secondhost closed.

[greg@relayhost greg]$ exit

Connection to relayhost.managedby.me closed.

greg@maxime:~ [0] $


--
greg@gregfolkert.net
PGP key 1024D/B524687C 2003-08-05
Fingerprint: E1D3 E3D7 5850 957E FED0 2B3A ED66 6971 B524 687C
Post #372,002
by folkert
Picture of folkert
2/28/13 9:25:41 PM
Reply
New If that doesn't help...
Yet another reason I dislike OSX.
--
greg@gregfolkert.net
PGP key 1024D/B524687C 2003-08-05
Fingerprint: E1D3 E3D7 5850 957E FED0 2B3A ED66 6971 B524 687C
Post #372,005
by malraux
Picture of malraux
2/28/13 9:58:02 PM
Reply
New Yes, all of those things are configured as described.
And I discovered that it works fine through non-root accounts. I can't forward through root on the remote machine.

Doesn't work:
anderson $ ssh -A root@remotehost
root[remotehost] $ ssh -T git@github.com

Does work:
anderson $ ssh -A nonroot@remotehost
root[remotehost] $ ssh -T git@github.com

So for some reason root is being blocked from forwarding, which makes no sense to me since forwarding only exposes the original client machine, not the remote.

So it's not OS X... it's Ubuntu. ;-)

Thanks anyways. Now I have to figure out how to convince Ansible to configure things via sudo instead (which it will do, but only for an entire playbook at a time, not just a single task).
Regards,
-scott
Welcome to Rivendell, Mr. Anderson.
Post #372,018
by folkert
Picture of folkert
3/1/13 12:34:30 AM
Reply
New Now... ahh ha.
More than likely they are being anal retentive about Root.

Root is a crappy thing to have to use to do automated things. It happens, but many won't/don't know how to make it available.

Probably comes down to a setup using some kind of PAM thing or perhaps "root" has a compiled in option for ssh/sshd to not allow things. There are weird options usable to restrict Root in custom compiled sources, all without config options evident.

You should see entries in the /var/log/auth.log for me...

Mar 1 00:32:57 omg sshd[30118]: Accepted publickey for root from XX.XX.XX.XX port 34837 ssh2
Mar 1 00:32:57 omg sshd[30118]: pam_unix(sshd:session): session opened for user root by (uid=0)

I'd be looking as the PAM session setup, I'm betting its there.
--
greg@gregfolkert.net
PGP key 1024D/B524687C 2003-08-05
Fingerprint: E1D3 E3D7 5850 957E FED0 2B3A ED66 6971 B524 687C
Post #372,034
by malraux
Picture of malraux
3/1/13 10:23:43 AM
Reply
New Didn't find anything, but good idea. Thanks.
Regards,
-scott
Welcome to Rivendell, Mr. Anderson.
     ssh agent forwarding... - (malraux) - (26) - Feb. 28, 2013, 05:35:12 PM EST
         I only know what Google tells me... - (Another Scott) - (1) - Feb. 28, 2013, 07:47:03 PM EST
             No, that's the part I have working. - (malraux) - Feb. 28, 2013, 07:52:53 PM EST
         ssh -A remotehost - (folkert) - (10) - Feb. 28, 2013, 08:17:11 PM EST
             I already said that doesn't work. :-) -NT - (malraux) - (9) - Feb. 28, 2013, 08:13:42 PM EST
                 Fine have fun... its a config issue DISALLOWING IT. - (folkert) - (8) - Feb. 28, 2013, 08:19:14 PM EST
                     Er, what? - (malraux) - (7) - Feb. 28, 2013, 08:28:22 PM EST
                         Try here. - (Another Scott) - (1) - Feb. 28, 2013, 09:14:21 PM EST
                             Thanks anyways. :-) -NT - (malraux) - Feb. 28, 2013, 10:00:38 PM EST
                         Ok. - (folkert) - (4) - Feb. 28, 2013, 09:22:10 PM EST
                             If that doesn't help... - (folkert) - Feb. 28, 2013, 09:25:41 PM EST
                             Yes, all of those things are configured as described. - (malraux) - (2) - Feb. 28, 2013, 09:58:02 PM EST
                                 Now... ahh ha. - (folkert) - (1) - March 1, 2013, 12:34:30 AM EST
                                     Didn't find anything, but good idea. Thanks. -NT - (malraux) - March 1, 2013, 10:23:43 AM EST
         root on machine1 isnt the user anderson on github -NT - (boxley) - (9) - Feb. 28, 2013, 09:57:56 PM EST
             Doesn't matter. - (malraux) - (8) - Feb. 28, 2013, 10:00:22 PM EST
                 but that isn't what you posted - (boxley) - (7) - Feb. 28, 2013, 10:08:28 PM EST
                     Re: but that isn't what you posted - (malraux) - (3) - Feb. 28, 2013, 10:15:28 PM EST
                         never heard of /etc/init/autoforward.conf - (boxley) - (2) - Feb. 28, 2013, 10:32:58 PM EST
                             That's port forwarding, isn't it? - (malraux) - (1) - Feb. 28, 2013, 11:15:54 PM EST
                                 Yes it is... - (folkert) - March 1, 2013, 12:35:49 AM EST
                     Re: but that isn't what you posted - (malraux) - (2) - Feb. 28, 2013, 10:21:27 PM EST
                         Re: but that isn't what you posted - (mvitale) - (1) - March 1, 2013, 12:13:54 AM EST
                             The problem happens before that point. - (malraux) - March 1, 2013, 10:17:26 AM EST
         Good grief, man! - (pwhysall) - (1) - March 1, 2013, 01:48:21 AM EST
             You'd think so, wouldn't you. -NT - (malraux) - March 1, 2013, 10:17:40 AM EST
         the only thing else I can think of - (boxley) - March 1, 2013, 02:49:11 PM EST

Are you willing and prepared to fully understand the state of your dinner's readiness? I can only make you the dinner... you must taste it.
85 ms