[Techtalk] ssh agent forwarding

Raven, corporate courtesan raven at oneeyedcrow.net
Wed Apr 3 19:41:24 EST 2002


Heya --

	Which version of Solaris?

Quoth kathryn at cs.umb.edu (Tue, Mar 26, 2002 at 10:58:04AM -0500):
> I have linux systems (RedHat 7.2) and have ssh-agent forwarding working
> for them, using protocol2.  But a login to some Solaris machines at my
> school followed by eval `ssh-agent2` produces a new ssh agent and not a
> forwarded agent.

	Are you using rxvt on the Solaris side?  According to the FAQ at
http://www.kleber.net/ssh/ssh-faq-7.html:

7.3.2	ssh-agent does not work with rxvt!
rxvt closes all file descriptors when starting up, including the one
used by ssh-agent. Use xterm, or look at the mailing list archives at
http://www.cs.hut.fi/ssh/ssh-archive/ for Timo Rinne's rxvt patch.

	I am assuming that you're invoking ssh-agent within an already
existing terminal window, and not in your .xsession or anything, because
of the eval statement above, but just double checking.

> So how do I get my linux agent forwarded?  (Note I have .ssh/config
> with `ForwardAgent yes' on my linux machine.)

	I have OpenSSH 3.1p1 running on Solaris 7 here with a virtually
identical setup, and that works okay for me.  I can't seem to replicate
your problem.  What ssh daemon are you using on the Solaris boxes?  Make
sure it supports protocol 2.  Have you got "protocol 1,2" or something
funky in your sshd_config, where it's preferring ssh1 over ssh2?  (2,1
is the default for anything that supports ssh2.)

	Other helpful debugging stuff -- see if the environment
variables that are supposed to be set by ssh-agent are set.  Assuming
you're using ssh2 (I'm guessing from the eval above), look for
SSH2_AUTH_SOCK.  If it's ssh1 or OpenSSH they won't have the 2 in there.
Make sure that public key authentication options are turned on in
/etc/sshd_config (or wherever your sshd_config is) on all boxes --
probably 

RSAAuthentication yes

or

DSAAuthentication yes

or

PubKeyAuthentication yes

depending on the type of crypto algorithm of the keys you're using, and
the type of server you have.  If you have RSA support but only DSA keys,
that doesn't do you any good.  And any time you fall back to password
authentication, you lose the agent.  So it's got to be key based, and
supporting all the necessary algorithms, for every host in the path.

	Agent forwarding is on by default for ssh1 and ssh2, off for
OpenSSH.  Make sure it's on.

Cheers,
Raven
 
"Argh!  All these clocks are the same!"
  -- RavenBlack, on unexpected and new synchronicity
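
The checks suggested in the message above (agent socket variables, protocol order, public key options), collected into one script. This is an added example, not part of the original post; the function names and the sample config are constructed, and OpenSSH-style "Keyword value" config lines with first-match-wins are assumed.

```sh
# Added example: names and sample data below are constructed for illustration.

# Print the first value given for KEYWORD (matched case-insensitively), lowercased.
cfg_value() {  # usage: cfg_value FILE KEYWORD
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Report protocol order and public key options; exit status = number of problems.
check_sshd_config() {
    problems=0; on=""; off=""
    proto=$(cfg_value "$1" Protocol)
    case "$proto" in
        "")    echo "Protocol: not set, server default applies" ;;
        2|2,1) echo "Protocol: $proto (ssh2 preferred)" ;;
        *)     echo "Protocol: $proto (ssh1 preferred or ssh2 missing)"
               problems=$((problems + 1)) ;;
    esac
    for kw in RSAAuthentication DSAAuthentication PubkeyAuthentication; do
        case "$(cfg_value "$1" "$kw")" in
            yes) on="$on $kw" ;;
            no)  off="$off $kw" ;;
        esac
    done
    if [ -n "$on" ]; then echo "key auth enabled:$on"
    elif [ -n "$off" ]; then echo "key auth disabled:$off"; problems=$((problems + 1))
    else echo "key auth: no option set, server default applies"
    fi
    return "$problems"
}

# Check SSH2_AUTH_SOCK (ssh2) and SSH_AUTH_SOCK (ssh1/OpenSSH).
# Exit status is 0 only if at least one of them names an existing socket.
agent_socket() {
    found=1
    for var in SSH2_AUTH_SOCK SSH_AUTH_SOCK; do
        eval "path=\${$var:-}"
        if [ -z "$path" ]; then echo "$var: unset"
        elif [ -S "$path" ]; then echo "$var: socket at $path"; found=0
        else echo "$var: $path is not a socket"
        fi
    done
    return "$found"
}

# Constructed sample: a server config that prefers ssh1 and turns key auth off.
sample=$(mktemp)
printf 'Protocol 1,2\n# comment\nPubKeyAuthentication no\n' > "$sample"
check_sshd_config "$sample" || echo "problems found: $?"
agent_socket || echo "no usable agent socket in this shell"
rm -f "$sample"
```

Run agent_socket in the shell on each hop and check_sshd_config against each server's real sshd_config path; a set variable only shows that an agent socket exists, not whether it is the forwarded agent or a freshly started local one.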


