Ssh – What part of SSH forwarding sets up SSH_AUTH_SOCK

forwardingsshssh-agent

I'm trying to get SSH agent forwarding working from my Mac to a Debian server. On my Mac, I have verified that I have:

SSH_AUTH_SOCK exists
ssh-add -l shows my identities
./ssh/config has settings to enable ForwardAgent

Passwordless login to the remote server works fine. However, none of my identities are available there and the SSH_AUTH_SOCK is empty.

I'd like to understand how this gets set up in the remote environment, and what am I missing to make it work?

Update:

My server is set up with AllowAgentForwarding=yes in sshd_config and ForwardAgent=yes in ssh_config.

I found some tutorials that suggest running eval ``ssh-agent, so I tried that but I suspect this is meant for the client machine. This did set up a SSH_AUTH_SOCK when I ran it on my server, but it doesn't seem to connect back to the client agent, and it says "The agent has no identities".

Best Answer

On my Mac with OS 10.6.x I found that agent forwarding didn't work until I added my key to the Apple keychain, with the following:

ssh-add -K ~/.ssh/id_rsa

where ~/.ssh/id_rsa contains my private ssh key

I've a blog entry about setting up ssh host configuration entries to simplify ssh command-lines that may be of interest

Related Solutions

Ssh-agent forwarding and sudo to another user

As you mentioned, the environment variables are removed by sudo, for security reasons.

But fortunately sudo is quite configurable: you can tell it precisely which environment variables you want to keep thanks to the env_keep configuration option in /etc/sudoers.

For agent forwarding, you need to keep the SSH_AUTH_SOCK environment variable. To do so, simply edit your /etc/sudoers configuration file (always using visudo) and set the env_keep option to the appropriate users. If you want this option to be set for all users, use the Defaults line like this:

Defaults    env_keep+=SSH_AUTH_SOCK

man sudoers for more details.

You should now be able to do something like this (provided user1's public key is present in ~/.ssh/authorized_keys in user1@serverA and user2@serverB, and serverA's /etc/sudoers file is setup as indicated above):

user1@mymachine> eval `ssh-agent`  # starts ssh-agent
user1@mymachine> ssh-add           # add user1's key to agent (requires pwd)
user1@mymachine> ssh -A serverA    # no pwd required + agent forwarding activated
user1@serverA> sudo su - user2     # sudo keeps agent forwarding active :-)
user2@serverA> ssh serverB         # goto user2@serverB w/o typing pwd again...
user2@serverB>                     # ...because forwarding still works

Ssh – ForwardAgent in Jenkins

I see this question has been unanswered for over a year, but here is how I solved the problem.

What you want to do is make sure that the user that runs jenkins

checks to see if ssh-agent is running (if not, start it)
checks to see if a key is loaded (if not, load one)

Put this in your ~/.bash_profile for the user that runs jenkins of the user that needs to forward agent, to ensure it runs with each new shell:

SSH_ENV="$HOME/.ssh/environment"

function start_agent {
  echo "Initializing new SSH agent..."
  /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}"
  echo succeeded
  chmod 600 "${SSH_ENV}"
  . "${SSH_ENV}" > /dev/null
  ssh-add .ssh/id_rsa
  cat .ssh/id_rsa.pub
}

#Source SSH Settings

if [ -f "${SSH_ENV}" ]
then
  . "${SSH_ENV}" > /dev/null
  ps -ef | grep ${SSH_AGENT_PID} | grep ssh-agent > /dev/null || {
    start_agent;
  }
else
  start_agent;
fi

if [ `ssh-add -l | grep "The agent has no identities." | wc -l` == 1 ]
then
  ssh-add .ssh/id_rsa
  cat .ssh/id_rsa.pub
fi

About 50% of the code here I took from somewhere else but can't remember where to give credit. This should be fairly portable, and its use need not be limited to jenkins it should work in any ssh-agent forwarding situation.

Best Answer

Related Solutions

Ssh-agent forwarding and sudo to another user

Ssh – ForwardAgent in Jenkins

Related Topic