SSH Agent Forwarding – Using with Windows Host, Vagrant Ubuntu Guest, and Keeagent

Tags: ssh, ssh-agent, vagrant, virtualbox, virtualization

Intent: To be able to deploy to lan-example.com from any dev environment; whether it be directly from the virtual OS, or any single-OS system, or even over the internet using ONE SSH key stored in Keepass. I'm currently unable to do so from within Vagrant's OS unless I explicitly generate its own key and authorize it in each of my deployment servers. I believe the way to do what I want is through User Agent Forwarding, yes?


Host OS

  • Windows 7 x64
  • SSH key generated by puttygen: C:\Users\Administrator\.ssh\id_rsa.ppk
  • Keepass with Keeagent storing my SSH key. Keeagent is set to "Agent" mode
  • pageant.exe is installed but is not running
  • If I wish to connect to outside/internal LAN servers using my key, Putty defers to Keeagent – Putty does not store the private key locations in its configuration.

C:\Users\Administrator\.ssh\config

# Read by OpenSSH-style clients (Cygwin/Win32 ssh) only; PuTTY does not read this file
Host 192.168.55.2
  ForwardAgent yes

Vagrantfile

VAGRANTFILE_API_VERSION = "2"   # used below but not defined in the original post
Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  config.vm.box = "ubuntu/trusty64"   # box name assumed; the post does not state it
  # Host-only network: the guest is reachable from the Windows host only
  config.vm.network :private_network, ip: '192.168.55.2'
  # Makes "vagrant ssh" request agent forwarding (the equivalent of ssh -A)
  config.ssh.forward_agent = true
  # Why would I need to set this if Keeagent is handling things?
  # Note: .ppk is PuTTY's own format; Vagrant's ssh library cannot read it (puttygen can export an OpenSSH key)
  config.ssh.private_key_path = '~/.ssh/id_rsa_jake_mitchell.ppk'
end

Guest OS (Vagrant)

  • Ubuntu x64
  • 192.168.55.2, accessible through host only
  • No SSH keys exist in /home/vagrant/.ssh (I removed them). The intent is to let User Agent Forwarding through the host OS (Keeagent) take care of using the key

LAN Web Host (intranet websites)

  • Let's say its domain is lan-example.com
  • It allows SSH passwordless login only using id_rsa.ppk public key
  • 192.168.0.2
  • User Agent Forwarding is enabled in sshd

Problem:

What works (using Host OS): Putty, connecting to lan-example.com without the need to explicitly reference the SSH key.

What doesn't work (using Guest OS): ssh -v web-server@lan-example.com as it shows that there aren't any keys to use.

I've noticed something about the beta version of Keeagent that allows me to set the SSH_AUTH_SOCK. I've done so, and set up an NFS share that allows the guest OS to read the file; however this doesn't change anything. How does agent forwarding even work in this type of environment? What's different about Windows that causes this to fail?

Best Answer

Sharing the socket file through a network file system won't work, as Windows sockets and Linux sockets are entirely different beasts; Linux inside the VM would not know how to use Windows sockets. To make sure the VM can utilize the authentication agent on the host, one needs to enable agent forwarding on both the ssh client and the server, then ssh into the VM via the host (not log in directly on the VM console).

Assuming:

  1. SSH server agent forwarding setup is done, according to the original post (I haven't used Vagrant so can't tell);
  2. Keeagent setup is done and running (I have tried client mode, but there are some problems dealing with non-RSA/DSA keys, so agent mode is safer);

Under the PuTTY profile setup, tick the option "Allow agent forwarding" under Connection → SSH → Auth in order to turn on agent forwarding for the client. Alternatively, if Cygwin ssh is used on the host, then there are two choices:

  1. Install ssh-pageant and make it start automatically with Cygwin (in ~/.profile and the like).
  2. Specify the desired Windows socket file location in the Keeagent setup and set the $SSH_AUTH_SOCK variable in Cygwin to the corresponding location.

To check whether agent forwarding is working, ssh into the VM and check the variable $SSH_AUTH_SOCK. If it's non-empty and points to a Linux socket file that exists, then everything is supposed to be fine. If the variable is empty, then something is missing.
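The check the answer describes, extended hop by hop, as an added example that is not part of the original question or answer: a POSIX shell script to run inside the Vagrant guest after logging in from the host. It checks that $SSH_AUTH_SOCK names a live socket, that the guest's sshd is not explicitly refusing forwarding, that `ssh-add -l` can reach the agent and sees a key (comparing against the fingerprint authorized on the LAN host), and finally attempts a non-interactive login to the target. The function names, exit-code convention, sample `ssh-add -l` lines and sample sshd_config text are my own assumptions.

```shell
#!/bin/sh
# agent_check.sh: diagnose the chain Windows host (KeeAgent) -> Vagrant guest -> LAN host.
# Run INSIDE the guest after "vagrant ssh" or an ssh login from the host.
# Added example, not code from the original post; function names and status codes are assumed.

# check_agent_socket SOCK_PATH
#   0  set and is a Unix socket: the guest's sshd created a forwarding socket for this login
#   1  empty: the client never asked for forwarding (ForwardAgent yes / config.ssh.forward_agent),
#      or the sshd you logged into refused it
#   2  set but not a socket: stale value, e.g. a tmux/screen session that kept
#      SSH_AUTH_SOCK from an earlier login whose socket is gone
check_agent_socket() {
  [ -n "$1" ] || return 1
  [ -S "$1" ] || return 2
  return 0
}

# sshd_allows_forwarding CONFIG_TEXT
# OpenSSH defaults AllowAgentForwarding to yes, so forwarding is only blocked by an
# uncommented "AllowAgentForwarding no". sshd uses the first value it reads, so the
# first uncommented keyword decides. (Match blocks are not handled here.)
sshd_allows_forwarding() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*#/ || NF == 0 { next }
    tolower($1) == "allowagentforwarding" { exit (tolower($2) == "no") }
  '
}

# agent_has_key SSH_ADD_OUTPUT FINGERPRINT
# `ssh-add -l` prints one key per line: "<bits> <fingerprint> <comment> (<type>)".
# Succeeds if the expected fingerprint (SHA256:... or legacy hex MD5) is listed,
# i.e. the key authorized on the LAN host is the one the forwarded agent serves.
agent_has_key() {
  printf '%s\n' "$1" | awk -v fp="$2" '$2 == fp { found = 1 } END { exit !found }'
}

# probe_target USER@HOST
# BatchMode=yes makes ssh fail instead of falling back to a password prompt,
# so exit 0 proves the LAN host accepted a key offered by the forwarded agent.
probe_target() {
  ssh -o BatchMode=yes -o ConnectTimeout=5 "$1" true
}

# main [USER@HOST]: local checks, then an end-to-end login test if a target is given.
main() {
  rc=0
  check_agent_socket "${SSH_AUTH_SOCK:-}" || rc=$?
  case $rc in
    1) echo "FAIL: SSH_AUTH_SOCK is empty; forwarding was not negotiated on this login"
       [ -r /etc/ssh/sshd_config ] && ! sshd_allows_forwarding "$(cat /etc/ssh/sshd_config)" \
         && echo "      this guest's sshd_config sets AllowAgentForwarding no"
       return 1 ;;
    2) echo "FAIL: SSH_AUTH_SOCK=$SSH_AUTH_SOCK is not a socket; log in again"; return 1 ;;
  esac
  command -v ssh-add >/dev/null 2>&1 || { echo "FAIL: ssh-add not installed"; return 1; }
  keys=$(ssh-add -l 2>&1) || rc=$?
  case $rc in
    0) echo "OK: agent reachable, keys offered:"; echo "$keys" ;;
    1) echo "FAIL: agent reachable but holds no identities (is the KeePass entry unlocked?)"; return 1 ;;
    *) echo "FAIL: cannot talk to the agent at $SSH_AUTH_SOCK: $keys"; return 1 ;;
  esac
  [ -n "${1:-}" ] || return 0
  if probe_target "$1"; then echo "OK: $1 accepted a forwarded key"
  else echo "FAIL: $1 rejected the login; compare ssh-add -l against its authorized_keys"; return 1; fi
}

main "$@"
```

Run it as `sh agent_check.sh` for the local checks or `sh agent_check.sh web-server@lan-example.com` for the full test. Two points the script encodes that are easy to get backwards: the sshd that must permit forwarding is the one you log into (the guest), since that is where the forwarded socket is created, while the final target only needs the public key in authorized_keys; and a forwarded agent is usable by anyone with root on the intermediate host for as long as you stay logged in, which is acceptable for a throwaway VM on your own machine but worth remembering before enabling ForwardAgent towards shared hosts (KeeAgent can be set to ask for confirmation on each use).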