This guide does a great job explaining how ssh-agent works across multiple systems. I'd like to get forwarding set up as it is in the last set of diagrams, but I'm having trouble tracking down the steps required to do so.
For some machines on my network, I can ssh from A to B, then B to C, without ever entering a cert password. Other machines, however, give a "Could not open a connection to your authentication agent" (sometimes!), then won't forward my authentication info. SSHing from one of these machines to another box on the network prompts for my private-key password again.
I didn't build these machines, but I can administer some of them. I don't know for sure what the difference is between boxen that work and the ones that don't -- could be a firewall issue, ssh/ssh-agent/sshd configuration, anything, and I don't see any step-by-step guides specific to forwarding floating around the 'net. I just need to know where to start chasing this issue down.
The answer is quite old and conflicts with the comments. Can we have an updated answer please? Asking the same question again in http://superuser.com/questions/922003/ssh-agent-forwarding-is-not-working. Thanks. – xpt – 2015-05-31T22:36:28.110

The good news: thanks for pointing me toward the right key to look for! The bad news: Apparently this is a known bug in openssh-server. It appears to have been fixed, at some point, but I don't think I'm running a current-enough version -- I get "Bad configuration option: AllowAgentForwarding" when I try to enable it. Looks like it's off to update my software loadout (again...) – Coderer – 2010-07-29T20:50:06.970

@Coderer: Since agent forwarding defaults on, it should be enough to remove any AllowAgentForwarding line from sshd_config. – Gilles 'SO- stop being evil' – 2010-07-29T21:29:20.527

@Gilles If someone did want to manually set up agent forwarding for an existing session, how would they go about doing that? This is a real need with provisioning scripts used with ephemeral machines like AMIs that come with AllowAgentForwarding disabled. – Andrew De Andrade – 2014-04-06T00:40:09.770

@AndrewDeAndrade For an existing session, you have your work cut out. If you meant setting up agent forwarding even if it's disabled on the server, you need to forward a unix socket over TCP; this should be doable with netcat or socat on both sides. – Gilles 'SO- stop being evil' – 2014-04-06T18:05:11.780

@Gilles That's the conclusion I came to. I found out you can also use spiped, which is more secure but requires symmetric key exchange, but is simpler after that. – Andrew De Andrade – 2014-04-16T19:07:19.237
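The question asks where to start chasing a forwarding chain that works from some hops and not others, and the comments narrow it to three things that must all hold at each hop: an agent reachable in the current session, a client that requests forwarding (ForwardAgent or ssh -A), and an sshd whose AllowAgentForwarding is not off (the default is on; on old servers the keyword itself is unknown). The script below is an added example written for this page, not code from the question or any answer; it runs the checklist on one hop so you can repeat it on A, then B, then C, and stop at the first hop that fails. The config paths in triage() are assumptions, and the awk parser only applies OpenSSH's first-match-wins rule to top-level lines (Host/Match blocks are ignored), so use "ssh -G <host>" and "sshd -T" for the fully resolved values on a live system.

```shell
#!/bin/sh
# Agent-forwarding triage for a chain such as A -> B -> C.
# Added example for this page (not code from the question or its answers).
# Run it on each hop in turn. Paths used by triage() are assumptions.

# Effective value of a keyword in an OpenSSH config file, applying the
# first-match-wins rule. Comments and blank lines are skipped, and
# "Keyword=value" is accepted as well as "Keyword value". Host/Match blocks
# are not evaluated: for the live, resolved values use "ssh -G <host>" on
# the client and "sshd -T" on the server. Prints the default if absent.
config_value() {
    file="$1"; keyword="$2"; default="$3"
    val=$(awk -v kw="$keyword" '
        /^[[:space:]]*(#|$)/ { next }         # comment or blank line
        { gsub(/=/, " "); $0 = $0 }           # treat "Key=val" like "Key val"
        tolower($1) == tolower(kw) { print tolower($2); exit }
    ' "$file" 2>/dev/null)
    printf '%s\n' "${val:-$default}"
}

# 0 if sshd would permit agent forwarding under this config. OpenSSH's
# default is yes, so an absent line means allowed. Older releases do not
# know the keyword at all; there "sshd -t -f <file>" rejects the file with
# a "Bad configuration option" error, as in the comments above.
server_allows_forwarding() {
    [ "$(config_value "$1" AllowAgentForwarding yes)" = yes ]
}

# 0 if the client would ask the server to forward the agent. ssh's default
# is no; "ssh -A host" requests it for a single connection instead.
client_requests_forwarding() {
    [ "$(config_value "$1" ForwardAgent no)" = yes ]
}

# Can this shell reach an agent? Takes the socket path (normally
# $SSH_AUTH_SOCK). Returns 0 with keys loaded, 2 if the agent answers but
# holds no identities, 1 otherwise. ssh-add exits 2 and prints "Could not
# open a connection to your authentication agent" when it cannot reach an
# agent; the two path checks catch the usual causes first (variable unset
# in this session, or a stale socket left over from an earlier login).
check_agent() {
    sock="$1"
    if [ -z "$sock" ]; then
        echo "no agent: SSH_AUTH_SOCK is unset in this session" >&2; return 1
    fi
    if [ ! -S "$sock" ]; then
        echo "no agent: $sock is not a socket (stale or removed)" >&2; return 1
    fi
    SSH_AUTH_SOCK="$sock" ssh-add -l >/dev/null 2>&1 && rc=0 || rc=$?
    case $rc in
        0) return 0 ;;
        1) echo "agent reachable but holds no identities: run ssh-add" >&2; return 2 ;;
        *) echo "cannot talk to agent at $sock (ssh-add exit $rc)" >&2; return 1 ;;
    esac
}

# Walk the checklist on the hop you are currently logged into.
triage() {
    sshd_cfg="${SSHD_CONFIG:-/etc/ssh/sshd_config}"   # assumed location
    ssh_cfg="${SSH_CONFIG:-$HOME/.ssh/config}"         # assumed location
    echo "== agent in this session"
    check_agent "${SSH_AUTH_SOCK:-}" && echo "ok: agent reachable with keys" || :
    echo "== will ssh from here request forwarding? (ForwardAgent, or use ssh -A)"
    client_requests_forwarding "$ssh_cfg" && echo "yes" || echo "no (default; add -A or ForwardAgent yes)"
    echo "== would sshd on this host accept forwarding from the previous hop?"
    server_allows_forwarding "$sshd_cfg" && echo "yes (default)" || echo "no: AllowAgentForwarding is off"
}

case "${1:-}" in triage) triage ;; esac
```

Run "sh agent-triage.sh triage" on A, then inside the session on B, and so on; the first hop where the agent check fails is the one to look at, and "ssh -v" on the preceding hop shows whether the forwarding request was sent and accepted. For a server where AllowAgentForwarding is off and you cannot change it, the socat bridge from the comments (tunnel the agent's unix socket over a TCP port, with socat on each end) does work, but keep the exposure in mind: a TCP listener on the server is reachable by every local user of that host, whereas a normally forwarded agent sits in a per-user, mode-0700 directory that sshd creates; that gap is why spiped, which authenticates the channel, comes up as the safer option.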