#1 2009-08-20 13:14:17

Profjim
Member
From: NYC
Registered: 2008-03-24
Posts: 658

ssh gotcha--was: Why my script starts working when I try to debug it?

I came across a strange ssh gotcha while debugging a script that sets up an ssh tunnel. It's a complex script; I won't bother with the details.

Here's the relevant ssh command, run on the client to set up a tunnel from the server back to it.

ssh -o "ExitOnForwardFailure=yes" -o "ServerAliveInterval=30" -o "PermitLocalCommand=yes" -o "LocalCommand=touch $TUN_SSH_READY" -i /root/.ssh/id_rsa_tunnel -b "$addr" -R "$SERVERPORT":localhost:"$LOCALPORT" -N -l root "$SERVER"

Everything was working for a week or so, now it suddenly didn't. Restarting sshd on both machines didn't help. The bottom line was, there seemed to be two problems:

1. Although I had

-o "PermitLocalCommand=yes" -o "LocalCommand=blahblah"

specified on the command line, this seemed suddenly to have stopped working. This problem disappeared during debugging. I never did figure out why it was happening. Maybe it's connected to problem 2.

2. Turns out that I had ssh-agent running, and loaded in it was a different ssh key for root@server. (The keys are restricted in what commands they can run, so different keys for different purposes.) And ssh was using this key from ssh-agent instead of the key I specified on the command line with

-i /root/.ssh/id_rsa_tunnel

Huh, I would have expected the command line to override ssh-agent, but apparently not. I've read up on ssh pretty well, but this surprised me. Once I knew what to look for, though, I was able to find other reports of it, such as here. I had noticed discussion of multiple identities in the man pages, but I hadn't understood that ssh-agent could usurp the command line.

Solution was to add

-o "IdentitiesOnly=yes"

to my ssh command, then ssh-agent is ignored.

Last edited by Profjim (2009-08-20 13:18:36)

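An added example (not the poster's script) of the two things worth having in a tunnel script after hitting this gotcha: the ssh command line with IdentitiesOnly=yes, and a check of what ssh actually tried. The variable names follow the post; their values, the host names and the sample "ssh -v" lines are placeholders constructed for this example (the debug lines approximate the format OpenSSH 7.8 and later print, where each "Will attempt key:" line ends in the key's source, "agent" or "explicit").

```shell
#!/bin/sh
# Added example, not the original script. Placeholder values for the post's variables.
TUN_SSH_READY=/var/run/tunnel.ready
addr=192.0.2.10
SERVERPORT=2222
LOCALPORT=22
SERVER=server.example.com

# Print the ssh command line. IdentitiesOnly=yes makes ssh offer only the key
# given with -i (plus any IdentityFile from ssh_config), not whatever ssh-agent holds.
tunnel_cmd() {
    printf 'ssh -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o IdentitiesOnly=yes -o PermitLocalCommand=yes -o "LocalCommand=touch %s" -i /root/.ssh/id_rsa_tunnel -b %s -R %s:localhost:%s -N -l root %s\n' \
        "$TUN_SSH_READY" "$addr" "$SERVERPORT" "$LOCALPORT" "$SERVER"
}

# Number of identities the running agent holds; 0 when there is no agent or it is
# empty (ssh-add -l exits non-zero in both cases).
agent_key_count() {
    if out=$(ssh-add -l 2>/dev/null); then
        printf '%s\n' "$out" | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# Read "ssh -v" output on stdin and print "<source> <path>" for every key ssh
# queued, in the order it will try them. Field 5 is the path, the last field
# is the source ("agent" or "explicit").
keys_in_attempt_order() {
    awk '/^debug1: Will attempt key: / { print $NF, $5 }'
}

# Source of the first key ssh will try: "agent" means the agent usurped -i.
first_key_source() {
    keys_in_attempt_order | head -n 1 | cut -d' ' -f1
}

# Constructed sample: without IdentitiesOnly the agent's admin key is tried first.
SAMPLE_AGENT_FIRST='debug1: Will attempt key: /root/.ssh/id_rsa_admin RSA SHA256:aaaa agent
debug1: Will attempt key: /root/.ssh/id_rsa_tunnel RSA SHA256:bbbb explicit
debug1: Offering public key: /root/.ssh/id_rsa_admin RSA SHA256:aaaa agent
debug1: Server accepts key: /root/.ssh/id_rsa_admin RSA SHA256:aaaa agent'

# Constructed sample: with IdentitiesOnly=yes only the -i key is queued.
SAMPLE_IDENTITIES_ONLY='debug1: Will attempt key: /root/.ssh/id_rsa_tunnel RSA SHA256:bbbb explicit
debug1: Offering public key: /root/.ssh/id_rsa_tunnel RSA SHA256:bbbb explicit'

if [ "$(agent_key_count)" -gt 0 ]; then
    echo "note: ssh-agent holds $(agent_key_count) key(s); without IdentitiesOnly=yes ssh offers them before -i" >&2
fi
tunnel_cmd
```

To check a live run rather than the samples, add -v to the command that tunnel_cmd prints and pipe its stderr through keys_in_attempt_order; the first line should read "explicit /root/.ssh/id_rsa_tunnel". Note that IdentitiesOnly=yes does not stop ssh from using the agent to sign with the -i key if that same key also happens to be loaded there; it only stops other agent keys from being offered.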

#2 2009-08-20 13:15:34

Profjim
Member
From: NYC
Registered: 2008-03-24
Posts: 658

Re: ssh gotcha--was: Why my script starts working when I try to debug it?

[whoops, I hit quote instead of edit. can't make this second post disappear.]

Last edited by Profjim (2009-08-20 13:19:24)
