I came across a strange ssh gotcha while debugging a script that sets up an ssh tunnel. It's a complex script, I won't bother with the details.
Here's the relevant ssh command, run on the client to set up a tunnel from the server back to it.
ssh -o "ExitOnForwardFailure=yes" -o "ServerAliveInterval=30" -o "PermitLocalCommand=yes" -o "LocalCommand=touch $TUN_SSH_READY" -i /root/.ssh/id_rsa_tunnel -b "$addr" -R "$SERVERPORT":localhost:"$LOCALPORT" -N -l root "$SERVER"
Everything was working for a week or so, now it suddenly didn't. Restarting sshd on both machines didn't help. The bottom line was, there seemed to be two problems:
1. Although I had
-o "PermitLocalCommand=yes" -o "LocalCommand=blahblah"
specified on the command line, this seemed suddenly to have stopped working. This problem disappeared during debugging. I never did figure out why it was happening. Maybe it's connected to problem 2.
2. Turns out that I had ssh-agent running, and loaded in it was a different ssh key for root@server. (The keys are restricted in what commands they can run, so different keys for different purposes.) And ssh was using this key from ssh-agent instead of the key I specified on the command line with
-i /root/.ssh/id_rsa_tunnel
Huh, I would have expected the command line to override ssh-agent, but apparently not. I've read up on ssh pretty well, but this surprised me. Once I knew what to look for, though, I was able to find other reports of it, such as here. I had noticed discussion of multiple identities in the man pages, but I hadn't understood that ssh-agent could usurp the command line.
Solution was to add
-o "IdentitiesOnly=yes"
to my ssh command, then ssh-agent is ignored.
Last edited by Profjim (2009-08-20 13:18:36)
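Added example, not code from Profjim's post: the tunnel command above rebuilt as a small POSIX sh script with IdentitiesOnly=yes in place, so that whatever ssh-agent happens to hold is never offered and only the key given with -i is tried. The server name, ports, bind address and ready-file path are placeholder assumptions; the argument list is emitted one item per line so the space inside LocalCommand survives and the list can be checked without opening a connection.

```shell
#!/bin/sh
# Added example (not from the original post). Placeholder values, assumed:
TUN_SSH_READY="${TUN_SSH_READY:-/run/tunnel.ready}"
addr="${addr:-192.0.2.10}"            # local address to bind (RFC 5737 test range)
SERVERPORT="${SERVERPORT:-2222}"      # port opened on the server, forwarded back
LOCALPORT="${LOCALPORT:-22}"          # local port the server's port lands on
SERVER="${SERVER:-server.example.org}"

# Print the ssh argument list, one argument per line. Nothing connects here.
# IdentitiesOnly=yes is the fix from the post: ssh then offers only the
# identities named by -i (and IdentityFile in ssh_config), not agent keys.
# Unsetting SSH_AUTH_SOCK in the environment would also cut ssh off from
# the agent, but IdentitiesOnly=yes keeps the agent usable for other jobs.
tunnel_ssh_args() {
    printf '%s\n' \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -o IdentitiesOnly=yes \
        -o PermitLocalCommand=yes \
        -o "LocalCommand=touch $TUN_SSH_READY" \
        -i /root/.ssh/id_rsa_tunnel \
        -b "$addr" \
        -R "$SERVERPORT:localhost:$LOCALPORT" \
        -N -l root "$SERVER"
}

# Echo "yes" if the argument list contains exactly the given item
# (e.g. IdentitiesOnly=yes), "no" otherwise. Used as a pre-flight check.
args_have_option() {
    if tunnel_ssh_args | grep -qx -- "$1"; then
        echo yes
    else
        echo no
    fi
}

# Rebuild the positional parameters from the line-separated list and
# exec ssh with them. Refuses to run without the IdentitiesOnly guard,
# so a later edit cannot silently reintroduce the agent problem.
run_tunnel() {
    [ "$(args_have_option IdentitiesOnly=yes)" = yes ] || {
        echo "refusing to start tunnel without IdentitiesOnly=yes" >&2
        return 1
    }
    set --
    while IFS= read -r arg; do
        set -- "$@" "$arg"
    done <<EOF
$(tunnel_ssh_args)
EOF
    exec ssh "$@"
}

# Uncomment to actually start the tunnel:
# run_tunnel
```

To confirm which identity is really being tried, run the same command with -v added and look at the debug lines that mention offering a public key; with IdentitiesOnly=yes only /root/.ssh/id_rsa_tunnel should appear there, with no agent identities ahead of it.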
[whoops, I hit quote instead of edit. can't make this second post disappear.]
Last edited by Profjim (2009-08-20 13:19:24)