On Wed, Oct 04, 2006 at 06:18:02PM -0400, Jason Powers wrote:
> I have looked through the archives and googled this pretty thoroughly,
> I'm having a tough time finding someone else who has asked the same
> question previously. There's a lot of information about openssh, but
> surprisingly little detail about port forwarding.


Er, your e-mail doesn't appear to be about port forwarding at all...
It seems to be about connecting with ssh-agent. Presumably this was
just a think-o and you didn't really mean to ask about port
forwarding?

> Now let's say that I have a linux desktop and two linux servers,
> assuming I've configured things correctly, then from the desktop box I
> should be able to:


Trouble is, "assuming I've configured things correctly" is rather a
big assumption. ;-)

> me@desktop> ssh-add
> (type pass for key)
> me@desktop> ssh someuser@server1
>
> now from that terminal
> someuser@server1> ssh otheruser@server2
>
> It asks me for a password when I try to jump to the second server. I can
> put the password in and it works, but I think at this point it should be
> forwarding the key.


By default (at least as shipped by some vendors), agent forwarding is
turned off. You need to explicitly enable it, either by modifying
/etc/ssh/ssh_config, ~/.ssh/config, or by specifying -A on the ssh
command line.

If you want to make this the default (not recommended), look in
one of the aforementioned config files for the following:

# Host *
# ForwardAgent no

Uncomment and change that to yes. But this is not recommended because
it means that ALL ssh agents will be forwarded to ALL servers to which
people connect from that machine (where you made the config
change). This is generally a bad idea, because IIUC it means that an
unencrypted copy of your ssh keys will be available on machines
outside your organization's control. While the risk is probably low
if you only ever connect to "trusted" sites, in theory a malicious
site/admin could hack sshd to record such keys or otherwise snoop
them. This is why it's turned off by default.

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
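
As an added illustration (not part of Derek's message), the following Python audit parses an ssh_config and reports whether ForwardAgent is in effect for a given host, applying ssh's first-match-wins rule so that a blanket "Host *" setting is caught; negated patterns and Match blocks are assumed out of scope.

```python
# Added example (not from the message): audit ForwardAgent scope in an ssh_config.
# It follows OpenSSH's rule that the FIRST matching value of an option wins, so a
# 'ForwardAgent yes' under 'Host *' applies everywhere and a later per-host 'no'
# cannot undo it. Assumption: negated patterns and Match blocks are not handled.
import fnmatch
import re

# Constructed sample ~/.ssh/config: forward the agent to server1 only.
SAMPLE_CONFIG = """\
Host server1
    ForwardAgent yes
    User someuser
Host *
    ForwardAgent no
"""
LINE_RE = re.compile(r"^(\w+)\s*=?\s*(.*)$")  # 'Key value' or 'Key=value'

def parse_ssh_config(text):
    """Return [(host_patterns, {option: value}), ...] in file order.
    Options before any Host line apply to every host; within one block a
    repeated option keeps its first value, as ssh itself does."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line) if line and not line.startswith("#") else None
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)
    return blocks

def effective_option(blocks, hostname, option, default):
    """The first block that matches the host AND sets the option wins."""
    for patterns, opts in blocks:
        if option in opts and any(fnmatch.fnmatchcase(hostname, p) for p in patterns):
            return opts[option]
    return default

def forward_agent_enabled(text, hostname):
    """Would 'ssh hostname' forward the agent?  ssh's built-in default is no."""
    value = effective_option(parse_ssh_config(text), hostname, "forwardagent", "no")
    return value.lower() == "yes"

def blanket_forwarding(text):
    """True when a host listed nowhere still gets the agent, i.e. the global
    'Host *' default was flipped to yes, which the reply warns against."""
    return forward_agent_enabled(text, "unlisted-host.invalid")
```

Run `blanket_forwarding(open(path).read())` over a real config to flag the global-default case; a per-host "ForwardAgent yes" stanza placed before "Host *" stays scoped to that host.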

