SSH – Fixing SSH Agent Forwarding Error ‘Could Not Open a Connection to Your Authentication Agent’

Tags: permissions, ssh, ssh-agent

I receive a "Could not open a connection to your authentication agent" error message when I attempt to connect from an intermediate server to a third server using the agent forwarding option (-A) of an OpenSSH client. The first connection to the intermediate server goes smoothly using a key loaded into ssh-agent. The error message is displayed when attempting a connection to the final server.

My OpenSSH client is set to allow forwarding with ForwardAgent yes in ~/.ssh/config, and the intermediate server has AllowAgentForwarding yes in the daemon's configuration file. The client config is not overridden by a system level file.

I'm not using a terminal multiplexer in order to avoid an error stemming from environment variables not being set. To run the agent, I use exec ssh-agent zsh and verify that both SSH_AUTH_SOCK and SSH_AGENT_PID are present in the local environment. I use ssh-add to add the private keys for the intermediate and final server, respectively; I verify they are added with ssh-add -l.

All servers are of a recent version (OpenSSH 5.3) and the client is OpenSSH 6.2.

Best Answer

I'm posting this here because I spent a lot of time trying to find a solution using Google, reading man pages, and consulting a popular book on SSH, all to no avail.

The key to finding the problem was poring over the debugging output.

debug1: Remote: Agent forwarding disabled: mkdtemp() failed: Permission denied

The intermediate machine is a virtual server (RHEL 6.4) hosted by a cloud provider that uses an AWS stack. For reasons I can't explain, this is what permissions on the /tmp directory were set to:

drwxr-x--- 19  727  727  4096 Nov 28 05:30 tmp

Grep'ing through /etc/passwd I couldn't find a user with an ID of 727.

Correcting the permissions like so solved my woes:

sudo chown 0:0 /tmp
sudo chmod 1777 /tmp

Can anyone speak to the peculiar ownership of the /tmp directory?