OK, so I *thought* I understood SSH Keys and Agents fairly well, but apparently not....
I keep my /home/ dotfiles in a private git repo -- including my SSH Public and Private Keys. I just tried splitting my SSH *Private* keys into their own repo so they don't get copied to every server I have an account on, only my desktops/laptops etc.
My understanding was that the key challenge would be forwarded back through the chain to the SSH Agent running on my Desktop/Laptop. For example
Desktop -> ServerA -> ServerB
When I try to login to ServerB from ServerA, the challenge would be sent from ServerB to ServerA, which would then Forward it to Desktop who would then answer the challenge and send it back along the chain.
However this doesn't seem to be the case.
After making the changes, I could make the connection from Desktop to any of the 11 servers I changed, however I couldn't make the second hop from Server "A" to Server "B". I kept getting Permission Denied. After much testing and trialling, it seems that ServerA must have a copy of my *Public* key to be able to make the hop.
WTF?
In my .ssh/ directory, I have 5 id_rsa key files (and their corresponding .pub files). I have symlinks from ssh-key.<name> to the respective Public key, where <name> is a descriptive name for the key. My .ssh/config has "IdentityFile" for my various servers pointing to this symlink, which means I am using my Public key for the IdentityFile (Yes, this is in direct contradiction to all the docs I've read about IdentityFile!!). I tried removing the "IdentityFile" directives, and explicitly pointing to the private key on the command line using -i, but nothing would connect using the key until I supplied the Public key on ServerA.
So I repeat, WTF?! I'm about as confused as a baby in a strip show at the moment
Last edited by fukawi2 (2011-01-27 09:57:35)
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
serverA doesn't need to have a copy of your keys. Just be sure that on Desktop the keys are in ssh-agent and that you've got only one ssh-agent running and it has the exact pid as env | grep SH_AGENT_PID. Also (I think this is understood) that you need to connect to serverA with ssh -A serverA
Give what you have. To someone, it may be better than you dare to think.
serverA doesn't need to have a copy of your keys.
That was my understanding.... However, not my experience....
Just be sure that on Desktop the keys are in ssh-agent and that you've got only one ssh-agent running and it has the exact pid as env | grep SH_AGENT_PID.
Part of my debugging involved killing ssh-agent, but it doesn't seem to have worked:
/home/fukawi2 $ env | grep SSH
SSH_AGENT_PID=4454
SSH_AUTH_SOCK=/tmp/keyring-Czj58R/ssh
/home/fukawi2 $ ps | grep agent
4454 fukawi2 0 0.0 0.0 ? Zs 00:00:01 [ssh-agent] <defunct>
4530 fukawi2 0 0.0 0.1 ? Sl 00:00:00 /usr/lib/polkit-gnome/polkit-gnome-authentication-agent-1
18246 fukawi2 0 0.0 0.0 ? Ss 00:00:00 ssh-agent
18816 fukawi2 0 0.0 0.0 pts/0 S+ 00:00:00 grep agent
And yet it IS working now
/home/fukawi2 $ ssh platypus
Last login: Thu Jan 27 20:47:13 2011 from xxxxxxxxxxxxxxxxxxxxxxx
INFO: Loaded Local file: '/etc/bash.bashrc'
platypus ~ $ ssh seshet
Linux seshet 2.6.26-2-xen-686 #1 SMP Sun Nov 21 01:58:51 UTC 2010 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jan 27 22:48:50 2011 from xxxxxxxxxxxxxxxxxxxx
INFO: Loaded Local file: '/etc/bash.bashrc'
seshet ~ $
Also (I think this is understood) that you need to connect to serverA with ssh -A serverA
I have ForwardAgent set in .ssh/config
Host *
    ControlMaster auto
    ControlPath ~/.ssh/master-%r@%h:%p
    VerifyHostKeyDNS yes
    ForwardAgent yes
    IdentitiesOnly yes
Last edited by fukawi2 (2011-01-27 10:38:36)
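An added example, not from the thread and not fukawi2's own setup, covering the one interaction in the config above that a practitioner would check first on the hop host. OpenSSH documents that with IdentitiesOnly yes only the identities named by IdentityFile (or -i) are offered, and an identity whose private key lives in a forwarded agent is only offered when the client can read at least the matching public key file for that IdentityFile. A dangling ssh-key.<name> symlink or missing file on ServerA therefore quietly drops the agent key. The script flags such entries; the config contents and paths it is tested with are constructed, and Include/Match scoping is deliberately not parsed.

```shell
#!/bin/sh
# Added example (not from the thread): audit a client ssh_config for the
# IdentitiesOnly / IdentityFile interaction that can leave forwarded agent
# keys unoffered on an intermediate host.
#
# With "IdentitiesOnly yes", ssh offers only the identities named by
# IdentityFile (and -i). A key held by a forwarded agent is still usable on
# the hop host, but ssh has to find at least the public half of it on disk
# (id_rsa.pub is enough) to know which agent key to offer. A dangling
# symlink or missing file therefore silently removes that key.
# Assumptions: one config file, no Include or Match scoping is parsed,
# directives use the "Keyword value" form rather than "Keyword=value".

# identity_usable FILE -> 0 if FILE or FILE.pub exists and is readable
identity_usable() {
    f=$1
    # expand a leading ~ the way ssh does
    case $f in "~/"*) f="$HOME/${f#"~/"}" ;; esac
    [ -r "$f" ] || [ -r "$f.pub" ]
}

# audit_ssh_config CONFIG
# Prints one line per IdentityFile that cannot be read in either form.
# Returns the number of entries that would break authentication, i.e. the
# missing ones when IdentitiesOnly is enabled; 0 means nothing to fix.
audit_ssh_config() {
    cfg=$1
    problems=0
    identities_only=no
    # Pass 1: is IdentitiesOnly enabled anywhere in the file?
    if grep -iq '^[[:space:]]*IdentitiesOnly[[:space:]][[:space:]]*yes' "$cfg"; then
        identities_only=yes
    fi
    # Pass 2: check every IdentityFile directive (comments and other
    # keywords fall through the case statement untouched)
    while read -r key val; do
        case $key in
            [Ii]dentity[Ff]ile)
                if ! identity_usable "$val"; then
                    if [ "$identities_only" = yes ]; then
                        echo "PROBLEM: IdentityFile $val is missing and IdentitiesOnly=yes: agent keys will not be offered"
                        problems=$((problems + 1))
                    else
                        echo "NOTE: IdentityFile $val is missing (agent keys are still offered)"
                    fi
                fi ;;
        esac
    done < "$cfg"
    return "$problems"
}

# Usage: sh audit.sh ~/.ssh/config, run on each hop host (e.g. serverA)
if [ -n "$1" ]; then
    audit_ssh_config "$1"
fi
```

Run it on the intermediate host with the same dotfiles checked out: any PROBLEM line names an IdentityFile for which copying just the .pub file (never the private key) to that host is enough to make the forwarded agent key usable again.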
SSH_AGENT_PID=4454
18246 fukawi2 0 0.0 0.0 ? Ss 00:00:00 ssh-agent
Doesn't seem right to me. The env is pointing to a dead ssh-agent.
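An added example, not part of the thread, for the finding in this reply: the shell's SSH_AGENT_PID names a <defunct> agent while a live ssh-agent runs under a different PID. The functions below check the agent PID (including the zombie case, which kill -0 alone does not catch), check that SSH_AUTH_SOCK is a writable socket, and ask ssh-add whether the agent is actually reachable. The ssh-add exit codes used (0 identities listed, 1 reachable but empty, 2 cannot contact the agent) are documented ssh-add behaviour; reading /proc is a Linux assumption with a ps(1) fallback, and no key material is touched.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the ssh-agent environment
# on the Desktop before debugging agent forwarding further. The thread shows
# the classic failure: SSH_AGENT_PID names a <defunct> (zombie) agent while
# a different, live ssh-agent runs under another PID.

# pid_state PID -> prints the one-letter process state (R, S, Z, ...) or
# nothing if the PID does not exist. Uses /proc on Linux, ps(1) elsewhere.
pid_state() {
    if [ -r "/proc/$1/status" ]; then
        awk '/^State:/ { print substr($2, 1, 1) }' "/proc/$1/status"
    else
        ps -o stat= -p "$1" 2>/dev/null | cut -c1
    fi
}

# agent_pid_ok PID -> 0 if PID exists and is not a zombie.
# kill -0 alone is not enough: it succeeds for a zombie, which is exactly
# the state of PID 4454 in the thread.
agent_pid_ok() {
    [ -n "$1" ] || return 1
    kill -0 "$1" 2>/dev/null || return 1
    [ "$(pid_state "$1")" != Z ]
}

# agent_sock_ok PATH -> 0 if PATH is a unix socket we can write to
agent_sock_ok() {
    [ -n "$1" ] && [ -S "$1" ] && [ -w "$1" ]
}

# check_agent_env: prints a diagnosis of the current shell's agent variables
# and returns 0 only when the PID and the socket look healthy and ssh-add
# can list at least one identity through the socket.
check_agent_env() {
    rc=0
    if agent_pid_ok "$SSH_AGENT_PID"; then
        echo "ok:   SSH_AGENT_PID=$SSH_AGENT_PID is alive"
    else
        echo "FAIL: SSH_AGENT_PID='$SSH_AGENT_PID' is missing, dead or a zombie"
        rc=1
    fi
    if agent_sock_ok "$SSH_AUTH_SOCK"; then
        echo "ok:   SSH_AUTH_SOCK=$SSH_AUTH_SOCK is a writable socket"
    else
        echo "FAIL: SSH_AUTH_SOCK='$SSH_AUTH_SOCK' is not a usable socket"
        rc=1
    fi
    # ssh-add -l exit status: 0 keys listed, 1 agent reachable but empty,
    # 2 cannot contact the agent at all.
    if command -v ssh-add >/dev/null 2>&1; then
        ssh-add -l >/dev/null 2>&1
        case $? in
            0) echo "ok:   agent holds identities" ;;
            1) echo "WARN: agent reachable but holds no identities (run ssh-add)"; rc=1 ;;
            *) echo "FAIL: cannot contact agent via SSH_AUTH_SOCK"; rc=1 ;;
        esac
    fi
    # List every ssh-agent owned by this user; more than one live agent
    # usually means the variables came from a stale session or a desktop
    # keyring that started its own agent.
    ps -u "$(id -un)" -o pid=,stat=,comm= 2>/dev/null | grep ' ssh-agent$' || true
    return "$rc"
}

# Run the check when executed as a script; $status carries the result.
status=0
check_agent_env || status=$?
echo "agent check exit status: $status"
```

When every line reads ok, a second hop that still fails is a problem on the hop host (missing public key, IdentitiesOnly, sshd's AllowAgentForwarding), not on the Desktop; a FAIL on the PID or socket line means the fix is to export the variables of the live agent (or start a fresh one and ssh-add the keys) before retrying.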
Doesn't seem right to me. The env is pointing to a dead ssh-agent.
That's my point... My whole understanding of SSH Keys and Agents is being turned upside down
Double check that the machine you're sshing into has
AllowAgentForwarding yes
in /etc/ssh/sshd_config.
Yep, that's set.