Ssh – Retain agent-forwarding in sudo

scpsshssh-agentssh-tunnelsudo

I want to be able to connect to a server, start a sudo shell, then use agent forwarding to connect to another server (in order to use SCP to copy files to a protected area). But:

ubuntu@tunnelator:/var/www$ ssh -p 10022 stevebennett@localhost
Last login: Fri Apr  5 10:54:03 2013 from localhost
~ exit
Connection to localhost closed.

ubuntu@tunnelator:/var/www$ sudo ssh -p 10022 stevebennett@localhost
Password:

Presumably, starting the sudo shell is killing the agent forwarding. The difference is this:

debug1: Offering RSA public key: id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: Authentication succeeded (publickey).

versus:

debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Next authentication method: keyboard-interactive

Is there a way to make this work? (The setup is roughly as described here: http://codysoyland.com/2010/jun/6/ssh-tip-automatic-reverse-tunnels-workflow-simplif/)

Best Answer

Thanks to user157963's suggestion, this turns out to be easy:

sudo -E ssh -p 10022 stevebennett@localhost

Or, to be a bit more selective, you can do this:

sudo su -l -c "export SSH_AUTH_SOCK=$SSH_AUTH_SOCK; ssh -p 10022 stevebennett@localhost"

(Note this only works when su'ing to the root user - it needs to be able to read the original socket file.)

I had mistakenly thought that the $SSH_AUTH_SOCK environment variable was already being preserved. Tip: the following command doesn't tell you anything useful :)

sudo echo $SSH_AUTH_SOCK

Whereas this does:

sudo bash -c 'echo $SSH_AUTH_SOCK'

Related Solutions

Ssh-agent forwarding and sudo to another user

As you mentioned, the environment variables are removed by sudo, for security reasons.

But fortunately sudo is quite configurable: you can tell it precisely which environment variables you want to keep thanks to the env_keep configuration option in /etc/sudoers.

For agent forwarding, you need to keep the SSH_AUTH_SOCK environment variable. To do so, simply edit your /etc/sudoers configuration file (always using visudo) and set the env_keep option to the appropriate users. If you want this option to be set for all users, use the Defaults line like this:

Defaults    env_keep+=SSH_AUTH_SOCK

man sudoers for more details.

You should now be able to do something like this (provided user1's public key is present in ~/.ssh/authorized_keys in user1@serverA and user2@serverB, and serverA's /etc/sudoers file is setup as indicated above):

user1@mymachine> eval `ssh-agent`  # starts ssh-agent
user1@mymachine> ssh-add           # add user1's key to agent (requires pwd)
user1@mymachine> ssh -A serverA    # no pwd required + agent forwarding activated
user1@serverA> sudo su - user2     # sudo keeps agent forwarding active :-)
user2@serverA> ssh serverB         # goto user2@serverB w/o typing pwd again...
user2@serverB>                     # ...because forwarding still works

Ssh – How to manage ssh keys to add a second user

You need to login using the putty on the windows machine and exit the .ssh/authorized_keys file and add the key that you generated on the mac to the file.

Do not run the command

scp -2 -P 50022 -v ~/.ssh/id_rsa.pub newuser@111.222.333.444:

That will over write the existing key on the server, and it will not work either as the server only accepts key logins.

Best Answer

Related Solutions

Ssh-agent forwarding and sudo to another user

Ssh – How to manage ssh keys to add a second user

Related Topic