I've been looking for a solution to the following problem for the past 2 hours with no luck.

Development:

I'm using publickey authentication to connect to my servers. I use ssh-agent forwarding in order to not have to manage public/privates keys.

Let's say I have servers A, B and C.

This works very well if I connect from LOCAL ---> A ---> B.

It also works very well if I do LOCAL ---> A ---> C.

Now, if I try LOCAL ---> A ---> B ---> C, SSH can't connect from B to C.

Worth noting: I connect to server A as liquidity, whereas I connect to server B as root. Connecting to server B as liquidity fixes the problem, but this is not an option for me.

As per the recommendation of a user, I use ssh -A each time to make sure that agent forwarding is enabled.

I found one similar question, with no answer here: Is it possible to chain ssh-agent forwarding through multiple hops?

According to @Zoredache here: https://serverfault.com/a/561576/45671 I just need to adjust my client configuration on each intermediate system. Which I believe I did.

liquidity
  • Consider using `ProxyCommand` hopping (as explained [here](http://askubuntu.com/a/311454/88802)) instead of forwarding the SSH agent. For your approach you'll have to trust all machines in the chain because they can (ab)use your private keys. I also like the ProxyCommand approach a lot better because the known hosts check is done locally, and moreover, you can set up the chain in your SSH config so you can use a single command to connect to C. – gertvdijk Dec 16 '13 at 10:38
  • I unfortunately can't use a proxyCommand. Despite the security considerations, I really need to use forwardAgent. – liquidity Dec 16 '13 at 18:26
  • @liquidity can I ask you why don't you want to use proxyCommand? I have the same problem and as I understand proxyCommand is more secure. So I'm thinking which one to use.. – grep Jul 04 '18 at 20:28

1 Answer

To have agent forwarding work through multiple hops you simply need to adjust your client configuration on each intermediate system so that agent forwarding is enabled.

It could be as simple as making sure your /etc/ssh/ssh_config has this configured. But if you have per-client configs in ~/.ssh/config you may need to adjust those settings as well.

Host *
    ForwardAgent yes

You can see if agent forwarding happened or if there was an error if you just add the -v option.

$ ssh -v issc@server1
OpenSSH_5.9p1 Debian-5ubuntu1.1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /home/zoredache/.ssh/config
...
debug1: Requesting authentication agent forwarding.
debug1: Sending environment.
Linux server1 3.11-0.bpo.2-amd64 #1 SMP Debian 3.11.8-1~bpo70+1 (2013-11-21) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Dec 15 20:39:44 2013 from 10.2.4.243
issc@server1:~$

Also verify you have a valid environment variable set.

issc@server1:~$ export | grep SSH_AUTH
declare -x SSH_AUTH_SOCK="/tmp/ssh-7VejOmKtNv/agent.57943"
Zoredache
  • Worth mentioning the -A flag to ssh as a quick and dirty alternative to the ssh_config or ~/.ssh/config option. -A [e]nables forwarding of the authentication agent connection. – dmourati Dec 16 '13 at 05:04
  • At each step, you can use `ssh-add -l` to list the keys that ssh *thinks* it can get at via your agent. Make sure you're forwarding it on each connection! – MikeyB Dec 17 '13 at 04:20
  • Thanks! Also note that if everything's done correctly you won't have to manually start the ssh-agent on the last server. It will start automatically if you see the line `Requesting authentication agent forwarding.` in your debug output. If you tried via `.bash_profile` to start ssh-agent, remove it from there or else your agent will start again without any identities. – 2upmedia Oct 17 '19 at 00:16