Extra configuration required for ssh-agent forwarding?

21

20

This guide does a great job explaining how ssh-agent works across multiple systems. I'd like to get forwarding set up as it is in the last set of diagrams, but I'm having trouble tracking down the steps required to do so.

For some machines on my network, I can ssh from A to B, then B to C, without ever entering a cert password. Other machines, however, give a "Could not open a connection to your authentication agent" (sometimes!), then won't forward my authentication info. SSHing from one of these machines to another box on the network prompts for my private-key password again.

I didn't build these machines, but I can administer some of them. I don't know for sure what the difference is between boxen that work and the ones that don't -- could be a firewall issue, ssh/ssh-agent/sshd configuration, anything, and I don't see any step-by-step guides specific to forwarding floating around the 'net. I just need to know where to start chasing this issue down.

Coderer

Posted 2010-07-28T17:18:34.810

Reputation: 1 316

Answers

24

SSH agent forwarding must be allowed on the client (ForwardAgent option in ~/.ssh/config) and on the server (AllowAgentForwarding option in sshd_config). Chances are that your machines have different default settings for one or both of these options.

If you're going A->B->C, forwarding is not necessary on the B->C step (unless you're then going to go C->D of course).

When you're logged into B, check that the environment variable SSH_AUTH_SOCK is defined. Its value is how ssh knows how to contact the agent.

There's no good reason to forbid agent forwarding in the server, given that agent forwarding makes the client vulnerable to the server and not the opposite, and that you could in principle set up agent forwarding manually (although there wouldn't be so much point since the difficulty of setting it up would defeat the point of the convenience of agent forwarding).

Gilles 'SO- stop being evil'

Posted 2010-07-28T17:18:34.810

Reputation: 58 319

This answer is quite old and conflicts with the comments. Can we have an updated answer, please? I'm asking the same question again at http://superuser.com/questions/922003/ssh-agent-forwarding-is-not-working. Thanks.

– xpt – 2015-05-31T22:36:28.110

The good news: thanks for pointing me toward the right key to look for! The bad news: Apparently this is a known bug in openssh-server. It appears to have been fixed, at some point, but I don't think I'm running a current-enough version -- I get "Bad configuration option: AllowAgentForwarding" when I try to enable it. Looks like it's off to update my software loadout (again...)

– Coderer – 2010-07-29T20:50:06.970

@Coderer: Since agent forwarding defaults on, it should be enough to remove any AllowAgentForwarding line from sshd_config. – Gilles 'SO- stop being evil' – 2010-07-29T21:29:20.527

@Gilles If someone did want to manually set up agent forwarding for an existing session, how would they go about doing that? This is a real need with provisioning scripts used with ephemeral machines like AMIs that come with AllowAgentForwarding disabled. – Andrew De Andrade – 2014-04-06T00:40:09.770

@AndrewDeAndrade For an existing session, you have your work cut out. If you meant setting up agent forwarding even if it's disabled on the server, you need to forward a unix socket over TCP; this should be doable with netcat or socat on both sides. – Gilles 'SO- stop being evil' – 2014-04-06T18:05:11.780

@Gilles That's the conclusion I came to. I found out you can also use spiped, which is more secure but requires symmetric key exchange, but is simpler after that. – Andrew De Andrade – 2014-04-16T19:07:19.237

14

While you already have the right answer by @Gilles above, I wanted to point out that AllowAgentForwarding is only supported in OpenSSH 5.1 onwards.

OpenSSH servers before 5.1, from what I have seen on my RHEL 4u5 box, allow agent forwarding by default. So if your server is older than 5.1 and agent forwarding is not working, the problem is likely in the ssh client. Since forwarding seems to be working for some machines for you, it seems that /etc/ssh/ssh_config is set up fine. Check ~/.ssh/config to see if there is any exception made to disable agent forwarding for the affected boxes.

Ref: http://www.openssh.org/txt/release-5.1

Sandip Bhattacharya

Posted 2010-07-28T17:18:34.810

Reputation: 271

Hi Sandip, do you have any idea about this? http://superuser.com/questions/958978/libssh2-agent-forwarding-not-working?noredirect=1#comment1310009_958978

– Niks – 2015-08-18T11:28:22.667
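As an added example (not code from the original thread, from any of its posters, or from OpenSSH), the following POSIX shell diagnostic walks through the checks in Gilles' answer (SSH_AUTH_SOCK on the intermediate hop, the effective ForwardAgent value for a host under ssh_config's first-obtained-value rule, and AllowAgentForwarding in sshd_config with its compiled-in default of yes) together with the version condition from Sandip's answer (AllowAgentForwarding is only accepted from OpenSSH 5.1 onwards). The config texts, version banners and host names such as bastion.example.internal are constructed placeholders, so the script runs offline; to use it on a real box, feed it `~/.ssh/config`, `/etc/ssh/sshd_config` and the output of `ssh -V 2>&1` instead.

```shell
#!/bin/sh
# Added diagnostic for the ssh-agent forwarding checks discussed in the thread.
# Not from the original posters or from OpenSSH; every input below is a
# constructed sample.  Three checks: the agent socket on hop B, the client's
# effective ForwardAgent, and the server's AllowAgentForwarding (plus whether
# its OpenSSH is new enough to know that keyword at all).

# 1. On hop B: is there an agent to forward?  ssh locates it via SSH_AUTH_SOCK.
#    Returns 0 when the variable names a live socket, 1 otherwise.
check_agent_socket() {
  sock="$1"
  [ -n "$sock" ] || { echo "SSH_AUTH_SOCK is unset: no agent reachable from this shell"; return 1; }
  [ -S "$sock" ] || { echo "SSH_AUTH_SOCK=$sock is not a socket (stale value?)"; return 1; }
  echo "agent socket present: $sock"
}

# 2. Client side: effective ForwardAgent for HOST, given ssh_config text on stdin.
#    ssh keeps the FIRST value it obtains, so the first matching Host block wins,
#    and a top-level line placed before any Host block overrides everything after it.
#    Default when nothing matches is "no".  Host patterns support * and ?
#    (no ! negation and no Match blocks: a deliberate simplification).
effective_forward_agent() {
  awk -v host="$1" '
    function glob_match(pat, s,   re) {
      re = pat
      gsub(/\./, "\\\\.", re)   # literal dots
      gsub(/\*/, ".*", re)      # * -> any run of characters
      gsub(/\?/, ".", re)       # ? -> any single character
      return s ~ ("^" re "$")
    }
    BEGIN { active = 1 }                      # lines before any Host block apply to all hosts
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    tolower($1) == "host" {
      active = 0
      for (i = 2; i <= NF; i++) if (glob_match($i, host)) active = 1
      next
    }
    active && tolower($1) == "forwardagent" && value == "" { value = tolower($2) }
    END { print (value == "" ? "no" : value) }
  '
}

# 3. Server side: AllowAgentForwarding from sshd_config text on stdin.
#    sshd also takes the first value; the compiled-in default is "yes", so an
#    absent line means forwarding is allowed (Match blocks ignored here too).
server_allows_forwarding() {
  awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    tolower($1) == "allowagentforwarding" && value == "" { value = tolower($2) }
    END { print (value == "" ? "yes" : value) }
  '
}

# 4. Does this OpenSSH accept the AllowAgentForwarding keyword at all?
#    Takes the banner printed by `ssh -V 2>&1` (e.g. "OpenSSH_4.3p2, OpenSSL ...")
#    and returns 0 for 5.1 or newer.  Older sshd rejects the option with
#    "Bad configuration option", the error reported in the comments above.
understands_allowagentforwarding() {
  ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
  [ -n "$ver" ] || return 2                   # not an OpenSSH banner
  set -- $ver                                 # $1=major $2=minor
  [ "$1" -gt 5 ] || { [ "$1" -eq 5 ] && [ "$2" -ge 1 ]; }
}

# --- constructed sample inputs (placeholders, not taken from any real host) ---
SAMPLE_SSH_CONFIG_OK='
Host bastion.example.internal
    ForwardAgent yes
Host *
    ForwardAgent no
'
# Same intent, wrong order: the global "no" is obtained first and wins everywhere.
SAMPLE_SSH_CONFIG_GOTCHA='
ForwardAgent no
Host bastion.example.internal
    ForwardAgent yes
'
SAMPLE_SSHD_CONFIG_DENY='
AllowAgentForwarding no
'
SAMPLE_SSHD_CONFIG_DEFAULT='
# no AllowAgentForwarding line: the default (yes) applies
'

main() {
  check_agent_socket "${SSH_AUTH_SOCK:-}" || echo "  (fix the agent on hop B before touching any config)"
  echo "client, bastion, specific block first: $(printf '%s\n' "$SAMPLE_SSH_CONFIG_OK" | effective_forward_agent bastion.example.internal)"
  echo "client, bastion, global 'no' first:    $(printf '%s\n' "$SAMPLE_SSH_CONFIG_GOTCHA" | effective_forward_agent bastion.example.internal)"
  echo "server, explicit no:                   $(printf '%s\n' "$SAMPLE_SSHD_CONFIG_DENY" | server_allows_forwarding)"
  echo "server, line absent:                   $(printf '%s\n' "$SAMPLE_SSHD_CONFIG_DEFAULT" | server_allows_forwarding)"
  for banner in "OpenSSH_4.3p2, OpenSSL 0.9.8e" "OpenSSH_5.1p1, OpenSSL 0.9.8g"; do
    if understands_allowagentforwarding "$banner"; then
      echo "$banner: AllowAgentForwarding accepted"
    else
      echo "$banner: keyword rejected; drop the line and rely on the default"
    fi
  done
}

main
```

The two ssh_config samples make the point Sandip's answer hints at: ssh_config is first-match-wins, so an "exception" that disables forwarding can be a plain `ForwardAgent no` sitting above the Host blocks rather than inside one. Because, as Gilles' answer notes, a forwarded agent is usable by whoever controls the server, the sane layout is the first sample: enable ForwardAgent only in the Host blocks for hops you need it on, and leave the `Host *` default at no.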