Here are the two hosts that I am trying to get SSH port forwarding to work:

Host A: Running Slackware 12.0, SSH version 5.1
Host B: Running FreeBSD 5.5-stable, SSH version 3.8.1p1

The idea is to establish remote port forwarding by typing the
following on Host A:

ssh -v -l root -i [Host-B-Private-Key] -R 2222:localhost:22 Host-B -N

and then follow that with using the tunnel to tunnel back from Host B to Host A:

ssh -l [Host-A-Account] -i [Host-A-Private-Key] -p 2222

I have also generated keypairs for each machine by each machine (A
generates its own, and B generates its own as well) so that the
certificates will authenticate without the need of typing in any
passphrases. Each sshd_config also enables public key authentication
for version 2 of SSH.


Right now, the first step works flawlessly. I am able to establish
the port forwarding. It's the second command that I cannot get to
work. For some odd reason, when I am trying to use the established
tunnel to tunnel back, I am being asked for the password for Host A's
user account. When I do a verbose debug of the session, I see the
following on Host B (the host that is trying to tunnel back using the
new tunnel):

OpenSSH_3.8.1p1 FreeBSD-20060930, OpenSSL 0.9.7e-p1 25 Oct 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to [] port 2222.
debug1: Connection established.
debug1: identity file [Host-A-Private-Key] type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 FreeBSD-20060930
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '' is known and matches the DSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_dss_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: [Host-A-Private-Key]
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
_bkup-metro@'s password:

What I don't understand is why it is clearly allowing publickey
method, and yet chooses to skip that method for some reason.

Any suggestions or comments are greatly appreciated.

Simon Chang
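
Added example, not part of the original post: a small Python parser for `ssh -v` client output like the trace quoted above, reporting which keys the client tried and what the server answered. The function names and the embedded sample (a constructed excerpt of the quoted trace) are assumptions made for illustration.

```python
import re

# Constructed sample: the authentication-related lines of the trace in the post.
SAMPLE = """\
debug1: identity file [Host-A-Private-Key] type -1
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: [Host-A-Private-Key]
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
"""

# Lines the OpenSSH client prints when it sends a key to the server.
KEY_TRY = re.compile(r"(?:Trying private key|Offering (?:\w+ )?public key): (.+)")

def summarize_auth(log):
    """Return one dict per key attempt: method, key and the server's answer."""
    attempts, method, pending = [], None, None
    for raw in log.splitlines():
        line = re.sub(r"^debug\d: ", "", raw.strip())
        m = re.match(r"Next authentication method: (\S+)", line)
        if m:
            method = m.group(1)
            continue
        m = KEY_TRY.match(line)
        if m:
            pending = {"method": method, "key": m.group(1),
                       "outcome": "no reply in log"}
            attempts.append(pending)
        elif line.startswith("Authentications that can continue:") and pending:
            # The client prints the method list again after the server
            # answers an attempt with a failure message.
            pending["outcome"] = "not accepted by server"
            pending = None
        elif line.startswith("Authentication succeeded") and pending:
            pending["outcome"] = "accepted"
            pending = None
    return attempts

def identities_without_pubkey(log):
    """Identity files reported as 'type -1': no public key was loaded for them."""
    return re.findall(r"identity file (.+) type -1", log)

if __name__ == "__main__":
    for attempt in summarize_auth(SAMPLE):
        print(attempt)
    print("type -1 identities:", identities_without_pubkey(SAMPLE))
```

The reason a key was not accepted is recorded on the server side (sshd's log on the host being connected to), not in the client output.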