1. Forum
  2. Usenet
  3. COMP.SECURITY.SSH

  • Agent forwarding works on one remote host but not another

    From Adam Funk@21:1/5 to All on Thu Jan 27 12:02:59 2022
    (I have read about the risk of ssh agent forwarding and am only using
    it in limited circumstances, mainly to do `git pull` on a server.)

    adam@laptop $ ssh-add -l
    # lists currently unlocked keys correctly

    adam@laptop $ ssh -A remote0
    # login messages

    adam@remote0 $ ssh-add -l
    # lists currently unlocked keys correctly

    adam@remote0 $ exit
    # logout messages

    adam@laptop $ ssh -A remote1
    # login messages

    adam@remote1 $ ssh-add -l
    Could not open a connection to your authentication agent.


    Do I need to enable something in my configuration on remote1 to make
    it work?

    Thanks

    --
    And don't forget my dog, fixed and consequent

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Adam Funk@21:1/5 to Adam Funk on Thu Jan 27 17:04:32 2022
    On 2022-01-27, Adam Funk wrote:

    (I have read about the risk of ssh agent forwarding and am only using
    it in limited circumstances, mainly to do `git pull` on a server.)

    adam@laptop $ ssh-add -l
    # lists currently unlocked keys correctly

    adam@laptop $ ssh -A remote0
    # login messages

    adam@remote0 $ ssh-add -l
    # lists currently unlocked keys correctly

    adam@remote0 $ exit
    # logout messages

    adam@laptop $ ssh -A remote1
    # login messages

    adam@remote1 $ ssh-add -l
    Could not open a connection to your authentication agent.


    Do I need to enable something in my configuration on remote1 to make
    it work?

    Oops, it's working now. I think I was using a shared connection
    earlier (the first one opened without -A).



    --
    so ladies, fish, and gentlemen,
    here's my angled dream

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Grant Taylor@21:1/5 to Adam Funk on Fri Jan 28 12:02:59 2022
    On 1/27/22 5:02 AM, Adam Funk wrote:
    Do I need to enable something in my configuration on remote1 to make
    it work?

    The "AllowAgentForwarding" configuration parameter for the sshd daemon
    can interfere with / prohibit clients forwarding agents to a server.

    For completeness, in case someone else has a problem that isn't related
    to shared connections.



    --
    Grant. . . .
    unix || die

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Adam Funk@21:1/5 to Grant Taylor on Mon Jan 31 09:18:30 2022
    On 2022-01-28, Grant Taylor wrote:

    On 1/27/22 5:02 AM, Adam Funk wrote:
    Do I need to enable something in my configuration on remote1 to make
    it work?

    The "AllowAgentForwarding" configuration parameter for the sshd daemon
    can interfere with / prohibit clients forwarding agents to a server.

    For completeness, in case someone else has a problem that isn't related
    to shared connections.

    That's interesting and useful to remember (although it didn't apply in
    my case) --- thanks!

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Grant Taylor@21:1/5 to Adam Funk on Mon Jan 31 20:00:04 2022
    On 1/31/22 2:18 AM, Adam Funk wrote:
    That's interesting and useful to remember

    Yep.

    (although it didn't apply in my case)

    Hence the "For completeness, in case someone else". ;-)

    thanks!

    You're welcome.



    --
    Grant. . . .
    unix || die

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)