Linux – SSH ForwardAgent multiple hops


I've been looking for a solution to the following problem for the past 2 hours with no luck.

Development:

I'm using publickey authentication to connect to my servers. I use ssh-agent forwarding in order to not have to manage public/private keys.

Let's say I have servers A, B and C.

This works very well if I connect from LOCAL ---> A ---> B.

It also works very well if I do LOCAL ---> A ---> C.

Now, if I try LOCAL ---> A ---> B ---> C, SSH can't connect from B to C.

Worth noting: I connect to server A as liquidity, whereas I connect to server B as root. Connecting to server B as liquidity fixes the problem, but this is not an option for me.

As per the recommendation of a user, I use ssh -A each time to make sure that agent forwarding is enabled.

I found one similar question, with no answer here: Is it possible to chain ssh-agent forwarding through multiple hops?

According to @Zoredache here: https://serverfault.com/a/561576/45671 I just need to adjust my client configuration on each intermediate system. Which I believe I did.

Best Answer

To have agent forwarding work through multiple hops, you simply need to adjust your client configuration on each intermediate system so that agent forwarding.

It could be as simple as making sure your /etc/ssh/ssh_config has this configured. But if you have per-client configs in ~/.ssh/config you may need to adjust those settings as well.

Host *
    ForwardAgent yes

You can see if agent forwarding happened or if there was an error if you just add the -v option.

$ ssh -v issc@server1
OpenSSH_5.9p1 Debian-5ubuntu1.1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /home/zoredache/.ssh/config
...
debug1: Requesting authentication agent forwarding.
debug1: Sending environment.
Linux server1 3.11-0.bpo.2-amd64 #1 SMP Debian 3.11.8-1~bpo70+1 (2013-11-21) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Dec 15 20:39:44 2013 from 10.2.4.243
issc@server1:~$

Also verify you have a valid environment variable set.

issc@server1:~$ export | grep SSH_AUTH
declare -x SSH_AUTH_SOCK="/tmp/ssh-7VejOmKtNv/agent.57943"
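
The two checks from the answer, combined into a per-hop diagnostic. This is an added example, not part of the original answer; the function names are hypothetical, and it assumes an OpenSSH client new enough to support `ssh -G` (6.8 or later). Run it on each intermediate host as the account you actually logged in with (root on B in the question), because `ssh -G` resolves both /etc/ssh/ssh_config and that account's ~/.ssh/config.

```shell
#!/bin/sh
# Added example: check one hop of a chained agent-forwarding setup.
# Usage on an intermediate host: sh hopcheck.sh <next-hop-host>

# Succeeds only if SSH_AUTH_SOCK names an existing socket this user can use.
agent_socket_ok() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ] &&
        [ -r "$SSH_AUTH_SOCK" ] && [ -w "$SSH_AUTH_SOCK" ]
}

# Reads `ssh -G <host>` output on stdin and prints the effective
# ForwardAgent value. The OpenSSH default is "no" when nothing sets it.
effective_forwardagent() {
    awk 'tolower($1) == "forwardagent" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }'
}

# Prints "socket=<ok|missing> forwardagent=<value>" for the next hop and
# succeeds only if the agent arrived here AND would be forwarded onward.
hop_status() {
    next_hop=$1
    if agent_socket_ok; then sock=ok; else sock=missing; fi
    # ssh -G only parses configuration; it does not connect to the host.
    if cfg=$(ssh -G "$next_hop" 2>/dev/null); then
        fwd=$(printf '%s\n' "$cfg" | effective_forwardagent)
    else
        fwd=unknown   # client too old for -G, or ssh not installed
    fi
    echo "socket=$sock forwardagent=$fwd"
    [ "$sock" = ok ] && [ "$fwd" != no ] && [ "$fwd" != unknown ]
}

if [ "$#" -gt 0 ]; then
    hop_status "$1"
fi
```

A result of `socket=missing` means the previous hop did not forward the agent to this account; `forwardagent=no` means this hop's client configuration will not pass it on to the next host.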