Sorry, you are correct. So much of the information I find is about Port
Forwarding, which I know is not the same as Agent Forwarding, which is
what I am asking about. After years of Sun boxes and NCD terminals, I
can already do the Port Forwarding stuff in my sleep.

> By default (at least as shipped by some vendors), agent forwarding is
> turned off. You need to explicitly enable it, either by modifying
> /etc/ssh/ssh_config, ~/.ssh/config, or by specifying -A on the ssh
> command line.
>
> If you want to make this the default (not recommended), look in
> one of the aforementioned config files for the following:
>
> # Host *
> # ForwardAgent no


This is the part I assumed I had configured correctly after reading the
manual, though it does not specify if I do or do not also have to
activate X11 forwarding to just get agent forwarding to work, so I did
not include the x11 directives. By default usepam is yes on fedora.

My /etc/ssh/ssh_config on every box in question contains:

Host *
ForwardAgent yes


I want to go from desktop to server1 to server2 without typing a
password. ssh-agent is on the desktop, I put my key in with ssh-add, ssh
someuser@server1 lets me in. Now whether I use ssh username@server2 or
ssh -A username@server2 it asks me for a password. It does not change if
it is the same or a different username. It asks for the password so
quickly, and does not show up in the other server's logs (unless I type
the password), that I suspect it is in fact pam on server1 which is
requesting the password instead of sshd on server2.

Thanks for your help

Jason Powers



Derek Martin wrote:
> On Wed, Oct 04, 2006 at 06:18:02PM -0400, Jason Powers wrote:
>
>>I have looked through the archives and googled this pretty thoroughly,
>>I'm having a tough time finding someone else who has asked the same
>>question previously. There's a lot of information about openssh, but
>>surprisingly little detail about port forwarding.

>
>
> Er, your e-mail doesn't appear to be about port forwarding at all...
> It seems to be about connecting with ssh-agent. Presumably this was
> just a think-o and you didn't really mean to ask about port
> forwarding?
>
>
>>Now let's say that I have a linux desktop and two linux servers,
>>assuming I've configured things correctly, then from the desktop box I
>>should be able to:

>
>
> Trouble is, "assuming I've configured things correctly" is rather a
> big assumption. ;-)
>
>
>>me@desktop> ssh-add
>> (type pass for key)
>>me@desktop> ssh someuser@server1
>>
>>now from that terminal
>>someuser@server1> ssh otheruser@server2
>>
>>It asks me for a password when I try to jump to the second server. I can
>>put the password in and it works, but I think at this point it should be
>>forwarding the key.

>
>
> By default (at least as shipped by some vendors), agent forwarding is
> turned off. You need to explicitly enable it, either by modifying
> /etc/ssh/ssh_config, ~/.ssh/config, or by specifying -A on the ssh
> command line.
>
> If you want to make this the default (not recommended), look in
> one of the aforementioned config files for the following:
>
> # Host *
> # ForwardAgent no
>
> Uncomment and change that to yes. But this is not recommended because
> it means that ALL ssh agents will be forwarded to ALL servers to which
> people are connecting to from that machine (where you made the config
> change). This is generally a bad idea, because IIUC it means that an
> unencrypted copy of your ssh keys will be available on machines
> outside your organization's control. While the risk is probably low
> if you only ever connect to "trusted" sites, in theory a malicious
> site/admin could hack sshd to record such keys or otherwise snoop
> them. This is why it's turned off by default.
>