
#1 2011-01-27 09:57:06

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

SSH Keys and Agent -- Forwarding Required Public Key?

OK, so I *thought* I understood SSH Keys and Agents fairly well, but apparently not....

I keep my /home/ dotfiles in a private git repo -- including my SSH Public and Private Keys. I just tried splitting my SSH *Private* keys into their own repo so they don't get copied to every server I have an account on, only my desktops/laptops etc.

My understanding was that the key challenge would be forwarded back through the chain to the SSH Agent running on my Desktop/Laptop. For example

Desktop -> ServerA -> ServerB

When I try to log in to ServerB from ServerA, the challenge would be sent from ServerB to ServerA, which would then forward it to Desktop, which would then answer the challenge and send it back along the chain.

However this doesn't seem to be the case.

After making the changes, I could make the connection from Desktop to any of the 11 servers I changed, however I couldn't make the second hop from Server "A" to Server "B". I kept getting Permission Denied. After much testing and trialling, it seems that ServerA must have a copy of my *Public* key to be able to make the hop.

WTF?

In my .ssh/ directory, I have 5 id_rsa key files (and their corresponding .pub files). I have symlinks from ssh-key.<name> to the respective Public key, where <name> is a descriptive name for the key. My .ssh/config has "IdentityFile" for my various servers pointing to this symlink, which means I am using my Public key for the IdentityFile (Yes, this is in direct contradiction to all the docs I've read about IdentityFile!!). I tried removing the "IdentityFile" directives, and explicitly pointing to the private key on the command line using -i, but nothing would connect using the key until I supplied the Public key on ServerA.

So I repeat, WTF?! I'm about as confused as a baby in a strip show at the moment.

Last edited by fukawi2 (2011-01-27 09:57:35)


#2 2011-01-27 10:18:40

wonder
Developer
From: Bucharest, Romania
Registered: 2006-07-05
Posts: 5,941

Re: SSH Keys and Agent -- Forwarding Required Public Key?

serverA doesn't need to have a copy of your keys. Just be sure that on Desktop the keys are in ssh-agent, that you have only one ssh-agent running, and that it has the exact pid shown by env | grep SH_AGENT_PID. Also (I think this is understood), you need to connect to serverA with ssh -A serverA.


Give what you have. To someone, it may be better than you dare to think.


#3 2011-01-27 10:37:32

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: SSH Keys and Agent -- Forwarding Required Public Key?

wonder wrote:

serverA doesn't need to have a copy of your keys.

That was my understanding... However, not my experience.

wonder wrote:

Just be sure that on Desktop the keys are in ssh-agent, that you have only one ssh-agent running, and that it has the exact pid shown by env | grep SH_AGENT_PID.

Part of my debugging involved killing ssh-agent, but it doesn't seem to have worked:

/home/fukawi2 $ env | grep SSH
SSH_AGENT_PID=4454
SSH_AUTH_SOCK=/tmp/keyring-Czj58R/ssh
/home/fukawi2 $ ps | grep agent
 4454 fukawi2    0  0.0  0.0 ?        Zs   00:00:01 [ssh-agent] <defunct>
 4530 fukawi2    0  0.0  0.1 ?        Sl   00:00:00 /usr/lib/polkit-gnome/polkit-gnome-authentication-agent-1
18246 fukawi2    0  0.0  0.0 ?        Ss   00:00:00 ssh-agent
18816 fukawi2    0  0.0  0.0 pts/0    S+   00:00:00 grep agent

And yet it IS working now.

/home/fukawi2 $ ssh platypus
Last login: Thu Jan 27 20:47:13 2011 from xxxxxxxxxxxxxxxxxxxxxxx
INFO: Loaded Local file: '/etc/bash.bashrc'
platypus ~ $ ssh seshet
Linux seshet 2.6.26-2-xen-686 #1 SMP Sun Nov 21 01:58:51 UTC 2010 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jan 27 22:48:50 2011 from xxxxxxxxxxxxxxxxxxxx
INFO: Loaded Local file: '/etc/bash.bashrc'
seshet ~ $ 
wonder wrote:

Also (I think this is understood), you need to connect to serverA with ssh -A serverA.

I have ForwardAgent set in .ssh/config

Host *
    ControlMaster auto
    ControlPath ~/.ssh/master-%r@%h:%p
    VerifyHostKeyDNS yes
    ForwardAgent yes
    IdentitiesOnly yes

Last edited by fukawi2 (2011-01-27 10:38:36)


#4 2011-01-27 10:42:26

wonder
Developer
From: Bucharest, Romania
Registered: 2006-07-05
Posts: 5,941

Re: SSH Keys and Agent -- Forwarding Required Public Key?

SSH_AGENT_PID=4454

18246 fukawi2    0  0.0  0.0 ?        Ss   00:00:00 ssh-agent

Doesn't seem right to me. The env is pointing to a dead ssh-agent.

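An added diagnostic, written for this page and not posted by anyone in the thread, that scripts the check wonder describes above: it confirms that SSH_AUTH_SOCK is a socket, that SSH_AGENT_PID refers to a live, non-zombie ssh-agent, and (if pgrep is available) how many ssh-agents the user has running. The function names are mine. Note that ssh itself only consults SSH_AUTH_SOCK; SSH_AGENT_PID is used by `ssh-agent -k` and by humans, so a stale or <defunct> pid alongside a working socket from another agent (a keyring daemon, for example) can still log in, which is why the two are checked separately here.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the SSH agent environment.
#
# Usage: ssh_agent_check [SOCK] [PID]   (defaults: $SSH_AUTH_SOCK $SSH_AGENT_PID)
# Prints one finding per line, or "ok"; returns 0 only when everything checks out.

# State letter and command name of a pid: Linux /proc, falling back to ps(1).
proc_info() {
    if [ -r "/proc/$1/stat" ]; then
        # /proc/PID/stat looks like "pid (comm) S ..."; comm may contain spaces,
        # so take the state as the first field after the last ')'.
        state=$(sed 's/.*) //' "/proc/$1/stat" | cut -d' ' -f1)
        comm=$(cat "/proc/$1/comm")
    else
        state=$(ps -o stat= -p "$1" 2>/dev/null | tr -d ' ')
        comm=$(ps -o comm= -p "$1" 2>/dev/null | tr -d ' ')
    fi
    printf '%s %s\n' "$state" "$comm"
}

ssh_agent_check() {
    sock="${1-$SSH_AUTH_SOCK}"
    pid="${2-$SSH_AGENT_PID}"
    rc=0

    # This is the variable ssh actually uses to find the agent.
    if [ -z "$sock" ]; then
        echo "SSH_AUTH_SOCK is not set: ssh has no agent to talk to"; rc=1
    elif [ ! -S "$sock" ]; then
        echo "SSH_AUTH_SOCK=$sock is not a socket"; rc=1
    fi

    # This one is only used by 'ssh-agent -k' and by people reading env output.
    if [ -z "$pid" ]; then
        echo "SSH_AGENT_PID is not set (normal for gnome-keyring or systemd user agents)"
    elif ! kill -0 "$pid" 2>/dev/null; then
        echo "SSH_AGENT_PID=$pid: no such process (stale environment)"; rc=1
    else
        info=$(proc_info "$pid")
        state=${info%% *}
        comm=${info#* }
        case "$state" in
            Z*) echo "SSH_AGENT_PID=$pid is a zombie (<defunct>); that agent has exited"; rc=1 ;;
        esac
        [ "$comm" = "ssh-agent" ] || { echo "SSH_AGENT_PID=$pid is '$comm', not ssh-agent"; rc=1; }
    fi

    # wonder's advice: one ssh-agent per user. Reported, but not treated as a failure.
    if command -v pgrep >/dev/null 2>&1; then
        n=$(pgrep -x -u "$(id -u)" ssh-agent | wc -l | tr -d ' ')
        [ "$n" -le 1 ] || echo "note: $n ssh-agent processes are running for this user"
    fi

    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}
```

Source the file on the Desktop and run `ssh_agent_check`; to reproduce the situation in post #3, pass the stale pid explicitly, e.g. `ssh_agent_check "$SSH_AUTH_SOCK" 4454`, and the zombie finding appears while the socket check still passes.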

#5 2011-01-27 22:04:27

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: SSH Keys and Agent -- Forwarding Required Public Key?

wonder wrote:

doesn't seem right to me. the env is pointing to a dead ssh-agent

That's my point... My whole understanding of SSH Keys and Agents is being turned upside down.


#6 2011-01-28 07:02:08

rowdog
Member
From: East Texas
Registered: 2009-08-19
Posts: 118

Re: SSH Keys and Agent -- Forwarding Required Public Key?

Double check that the machine you're sshing into has

AllowAgentForwarding yes

in /etc/ssh/sshd_config.

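An added example, not from the thread, for rowdog's check above: a reader that reports the effective AllowAgentForwarding value from an sshd_config file the way sshd resolves it (keywords are case-insensitive, the first occurrence wins, the default when the keyword is absent is yes, and anything after a Match header only applies conditionally, so the reader stops there and flags it). The function name and the sample configs in the test are mine; the script does not follow Include directives (OpenSSH 8.2+). On a live server the authoritative answer is `sudo sshd -T | grep -i allowagentforwarding`, and `sshd -T -C user=NAME,host=HOST,addr=IP` evaluates Match blocks for a given connection.

```shell
#!/bin/sh
# Added example (not from the thread): effective AllowAgentForwarding in sshd_config.
#
# Usage: sshd_agent_forwarding [FILE]   (default /etc/ssh/sshd_config)
# Prints "yes", "no" or "yes (default)", with " +Match" appended when Match
# blocks exist that may override the global value per user/host.
# Returns 0 when forwarding is allowed globally, 1 when it is "no", 2 on read error.
sshd_agent_forwarding() {
    file="${1:-/etc/ssh/sshd_config}"
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 2
    fi
    result=$(awk '
        { sub(/#.*/, "") }                      # drop comments
        NF == 0 { next }                        # skip blank lines
        {
            key = tolower($1)
            eq = index(key, "=")
            if (eq) {                           # Keyword=value with no spaces
                val = substr($1, eq + 1)
                key = substr(key, 1, eq - 1)
            } else {                            # Keyword value  or  Keyword = value
                val = ($2 == "=") ? $3 : $2
            }
        }
        key == "match" { has_match = 1; exit }  # conditional section: stop reading globals
        key == "allowagentforwarding" && !found { found = 1; result = tolower(val) }
        END {
            if (!found) result = "yes (default)"
            if (has_match) result = result " +Match"
            print result
        }
    ' "$file")
    echo "$result"
    case "$result" in
        no*) return 1 ;;
    esac
    return 0
}
```

Worth noting for the client config in post #3: `ForwardAgent yes` under `Host *` gives every host you connect to, and therefore anyone with root on it, the use of your agent's keys for as long as the session lasts. OpenSSH 7.3 and later offer `ssh -J serverA serverB` (ProxyJump), which tunnels the second hop's connection through the first so the agent never has to be forwarded at all.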

#7 2011-01-28 10:50:55

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: SSH Keys and Agent -- Forwarding Required Public Key?

Yep, that's set.

