Re: Trouble with agent forwarding - openssh


Thread: Re: Trouble with agent forwarding

  1. Re: Trouble with agent forwarding

    I guess your problem is that the root ssh public key is not in somename's authorized_keys on machine C.
    When you do 'sudo ssh someone@C' you're loading root's profile on the originating box, as if root was launching the ssh command, therefore ssh loads root's public key and tries to authenticate with it on machine C against your remote user's authorized keys.

    -Ed

    ----- Original Message ----
    > From: Iwan Vosloo
    > To: secureshell@securityfocus.com
    > Sent: Thursday, June 19, 2008 5:21:46 AM
    > Subject: Trouble with agent forwarding
    >
    > Hi.
    >
    > After an upgrade, we are having trouble with openssh and agent
    > forwarding, and are stumped at trying to find the source of our
    > troubles. Any pointers to help us debug would be appreciated:
    >
    >
    > Previously, we had
    > (a) developer workstations, with our ssh keys in the normal place:
    > ~/.ssh/id_rsa{,.pub}
    > (b) Prod machine B, with ~/.ssh/authorized_keys{,2}
    > (containing the public keys of our developers).
    > (c) Prod machine C, set up like B
    >
    > On developer boxes, we have /etc/ssh/ssh_config with the following
    > (assume C is the domain name of the said production machines):
    >
    > Host C
    > ForwardAgent yes
    >
    > With this setup, we were able to execute the following two commands from
    > an ssh session to machine B:
    >
    > ssh C ls
    > sudo ssh somename@C ls
    >
    > This was on Ubuntu Gutsy, with openssh version 1:4.6p1-5ubuntu0.5 and
    > sudo version 1.6.8p12-5ubuntu2.
    > Then we upgraded to Ubuntu Hardy, with openssh version
    > 1:4.7p1-8ubuntu1.2 and sudo version 1.6.9p10-1ubuntu3.2.
    >
    > After the upgrade, we can still do
    > ssh C ls
    >
    > But NOT
    > sudo ssh somename@C ls
    >
    >
    > Should it be possible to let agent forwarding work like this "through"
    > sudo?
    > Where do we go to search for the problem?
    > It certainly was working before...
    >
    > Thanks
    > - Iwan






  2. Re: Trouble with agent forwarding

    Hi,

    
    > > From: Iwan Vosloo
    > > Should it be possible to let agent forwarding work like this "through"
    > > sudo?
    > > Where do we go to search for the problem?
    > > It certainly was working before...


    On Thu, 2008-06-19 at 12:49 -0700, Edmond Baroud wrote:
    > I guess your problem is that the root ssh public key is not in somename's authorized_keys on machine C.
    > When you do 'sudo ssh someone@C' you're loading root's profile on the originating box, as if root was launching the ssh command, therefore ssh loads root's public key and tries to authenticate with it on machine C against your remote user's authorized keys.


    Well, the idea is not to have root's keys in that user's authorized_keys
    on machine C. Only keys from actual developer machines are there - isn't
    that the point of agent forwarding? The question is how agent
    forwarding behaves under sudo?

    Thanks
    -i


  3. Re: Trouble with agent forwarding

    Well, here is a bit of a verbose solution to my problem.

    Agent-forwarding is controlled by the SSH_AUTH_SOCK variable, and this
    needs to be passed through to sudo:

    sudo env SSH_AUTH_SOCK=$SSH_AUTH_SOCK ssh @C ls -la

    I suppose one can do something similar in sudoers to ensure this
    variable is always passed through.

    -i


  4. Re: Trouble with agent forwarding

    And, just to end this:

    The less verbose thing to do would be to include something like this
    in /etc/sudoers:

    Defaults env_keep="SSH_AUTH_SOCK"

    With that, the following works:

    sudo ssh @C ls -la

    -i

    On Sat, 2008-06-21 at 12:16 +0200, Iwan Vosloo wrote:
    > Well, here is a bit of a verbose solution to my problem.
    >
    > Agent-forwarding is controlled by the SSH_AUTH_SOCK variable, and this
    > needs to be passed through to sudo:
    >
    > sudo env SSH_AUTH_SOCK=$SSH_AUTH_SOCK ssh @C ls -la
    >
    > I suppose one can do something similar in sudoers to ensure this
    > variable is always passed through.
    >
    > -i
    >
    >
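The two fixes in posts 3 and 4 both come down to one thing: sudo's env_reset scrubs SSH_AUTH_SOCK, so the ssh started under sudo never finds the forwarded agent socket. The script below is an added example written for this thread, not code from any poster: it checks a sudoers file the way a sysadmin would before relying on it, walking the env_keep Defaults lines in order so that the `=`, `+=` and `-=` list operators are applied as sudoers applies them, and it checks whether the socket a session's SSH_AUTH_SOCK points at actually exists. The sudoers files it reads are constructed samples written to a temp directory, and the function names (sudoers_keeps_var, agent_socket_usable) are this example's own. Note the third sample: the `env_keep="SSH_AUTH_SOCK"` form from post 4 replaces the whole list, so anything the distribution already kept (LANG, LC_ALL and so on) is silently dropped, whereas `env_keep += "SSH_AUTH_SOCK"` appends. Keeping the variable means every command run through sudo on machine B can use the forwarded agent, which is the access agent forwarding to B already gives root on that host.

```sh
#!/bin/sh
# Added example (not from the thread): check whether a sudoers file lets
# SSH_AUTH_SOCK survive sudo's env_reset, and whether the agent socket a
# session points at is usable. The sudoers files below are constructed.

# Returns 0 if VAR is in the effective env_keep list of FILE, else 1.
# Walks env_keep Defaults lines in file order so that '=' (replace),
# '+=' (append) and '-=' (remove) take effect the way sudoers applies
# them. Plain variable names only; sudoers wildcard entries are not handled.
sudoers_keeps_var() {
    file=$1; var=$2; kept=" "
    while IFS= read -r line; do
        op=$(printf '%s\n' "$line" | sed -nE 's/^[[:space:]]*Defaults[^#]*env_keep[[:space:]]*([+-]?=).*/\1/p')
        [ -n "$op" ] || continue
        # Everything after the operator, minus trailing comment and quotes
        list=$(printf '%s\n' "$line" | sed -E 's/^.*env_keep[[:space:]]*[+-]?=[[:space:]]*//; s/[[:space:]]*#.*$//; s/"//g')
        case $op in
            '=')  kept=" $list " ;;
            '+=') kept="$kept$list " ;;
            '-=') for v in $list; do kept=$(printf '%s' "$kept" | sed "s/ $v / /g"); done ;;
        esac
    done < "$file"
    case $kept in *" $var "*) return 0 ;; *) return 1 ;; esac
}

# Returns 0 if $1 is a non-empty path to an existing Unix socket.
agent_socket_usable() {
    [ -n "$1" ] && [ -S "$1" ]
}

# Constructed sample sudoers files (not real system files).
SAMPLE_DIR=$(mktemp -d)

# Before: env_reset scrubs SSH_AUTH_SOCK, so 'sudo ssh' sees no agent.
cat > "$SAMPLE_DIR/sudoers.before" <<'EOF'
Defaults env_reset
Defaults env_keep += "LANG LC_ALL"
root ALL=(ALL) ALL
EOF

# After: append SSH_AUTH_SOCK with '+=' so the existing list is kept.
cat > "$SAMPLE_DIR/sudoers.after" <<'EOF'
Defaults env_reset
Defaults env_keep += "LANG LC_ALL"
Defaults env_keep += "SSH_AUTH_SOCK"
root ALL=(ALL) ALL
EOF

# Pitfall: '=' replaces the list, silently dropping LANG and LC_ALL.
cat > "$SAMPLE_DIR/sudoers.replaced" <<'EOF'
Defaults env_reset
Defaults env_keep += "LANG LC_ALL"
Defaults env_keep = "SSH_AUTH_SOCK"
root ALL=(ALL) ALL
EOF

for f in before after replaced; do
    for v in SSH_AUTH_SOCK LANG; do
        if sudoers_keeps_var "$SAMPLE_DIR/sudoers.$f" "$v"; then
            echo "sudoers.$f keeps $v"
        else
            echo "sudoers.$f drops $v"
        fi
    done
done

# In a real session this tells you whether the forwarded socket is there
# before you try 'sudo ssh' and blame the remote authorized_keys.
if agent_socket_usable "${SSH_AUTH_SOCK:-}"; then
    echo "agent socket $SSH_AUTH_SOCK is present"
else
    echo "no usable agent socket in this session"
fi
```

Run it on a real file with `sudoers_keeps_var /etc/sudoers SSH_AUTH_SOCK` (as a user allowed to read it); a quick end-to-end check on machine B is `sudo env | grep SSH_AUTH_SOCK`, which prints nothing until the env_keep change is in place.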


