Re: [tlug] ssh-agent not being magical enough [Josh: C&C for toshiyori]
- Date: Mon, 06 Jun 2011 18:45:30 +0900
- From: Darren Cook <darren@example.com>
- Subject: Re: [tlug] ssh-agent not being magical enough [Josh: C&C for toshiyori]
- References: <4DDDCC63.9000401@example.com> <87zkm8983w.fsf@example.com>
- User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.17) Gecko/20110424 Thunderbird/3.1.10
Back on May 27th Stephen Turnbull replied to this:

> > But, now I want to do that deliberately on a remote server and it won't
> > work! What I want is:
> >
> > $ ssh first
> > [first]$ scp abc second:~
> > --> prompt for the key passphrase [2]
> > [first]$ scp abc second:~
> > --> used saved passphrase
>
> Are you sure that's what you want?
> ...

Thanks Stephen (and Christian). You were right, that wasn't what I wanted. I've just had the chance to try your suggestion and it turned out to be easy.

I had this section in my ~/.ssh/config file (on my notebook) and just had to add the last line:

Host first
    User darren
    Hostname 1.2.3.4
    Port 98765
    HostKeyAlias xxx_first
    ForwardAgent yes

I didn't need to touch sshd config on any machine as it appears AllowAgentForwarding is on by default in most installations.

Darren

P.S. I didn't fully understand the security consequences, so only added the ForwardAgent line for the set of hosts where I currently need this functionality. (These are all machines where I had been willing to install my private key, so I assume ForwardAgent cannot be more insecure than that ;-)

P.P.S. I've kept Stephen's explanation in below. There is also a graphical explanation of the magic involved here:
http://www.unixwiz.net/techtips/ssh-agent-forwarding.html#fwd

> The usual configuration is like this (see also Christian's very
> similar post, but I didn't fully understand it so I'm writing in my
> own style here):
>
> localhost:
>   ssh-agent (background)
>     This is your active ssh-agent. It actually knows your keys.
>   ssh
>     You know what this is for.
>     You need to enable "AgentForwarding" either in .ssh/config or
>     from the command line with "-A".
>
> first:
>   ssh-agent (background)
>     I'm not sure you actually need it, but you may. It doesn't
>     need to know about identities. If it has any role, it is
>     forwarding authentication traffic between ssh-agent on
>     localhost (which knows the keys) and the sshd on second.
>   sshd
>     Must have agent-forwarding option enabled (see
>     no-agent-forwarding in the sshd man page). Dunno if you can
>     do this. agent-forwarding is considered a security risk (see
>     ssh man page near the top).
>   ssh
>     Just do it. Caveat, if you ever ssh from second, you may want
>     AgentForwarding enabled here.
>
> second:
>   sshd
>     Must be running, of course. If you want to use agent
>     forwarding from here, configure like "first".
>   ssh-agent, ssh
>     If you ssh from "second", see configuration for "first".
>
>
> The only reason I can think of to *not* use this configuration is if
> you share an SSH key with a user actually based on "first" (who's on
> first, anyway??), but sharing keys is also normally frowned on.

-- 
Darren Cook, Software Researcher/Developer
http://dcook.org/work/ (About me and my work)
http://dcook.org/blogs.html (My blogs and articles)
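Since the post scopes ForwardAgent to a chosen set of hosts, an audit that lists which Host blocks in an ssh_config actually enable it is the check a practitioner wants before the list grows. This is an added example, not code from the post or from OpenSSH; the config it parses is constructed here (Darren's "first" block plus two hypothetical hosts) and the parser handles only the Host/keyword=value subset of ssh_config syntax, not Match blocks or Include.

```python
"""Audit an ssh_config for Host blocks that set ForwardAgent yes."""
import re

# Constructed sample: the block from the post plus two hypothetical hosts,
# one using the "key=value" spelling and one global "Host *" block.
SAMPLE_CONFIG = """\
Host first
    User darren
    Hostname 1.2.3.4
    Port 98765
    HostKeyAlias xxx_first
    ForwardAgent yes

Host second
    Hostname 5.6.7.8
    forwardagent=no

Host *
    ServerAliveInterval 60
"""

# "Keyword value" or "Keyword=value"; keywords are case-insensitive in ssh_config.
_LINE = re.compile(r"^\s*(\S+?)\s*(?:=|\s)\s*(.*?)\s*$")

def parse_ssh_config(text):
    """Return [(host_patterns, {keyword_lower: value}), ...] in file order.
    Options before the first Host line land in an implicit ("*",) block."""
    current = (("*",), {})
    blocks = [current]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "host":
            current = (tuple(value.split()), {})
            blocks.append(current)
        else:
            current[1].setdefault(key, value)  # first value wins, as in ssh
    return blocks

def hosts_forwarding_agent(text):
    """Host patterns whose block enables agent forwarding."""
    return [" ".join(pats) for pats, opts in parse_ssh_config(text)
            if opts.get("forwardagent", "no").lower() == "yes"]
```

Run it against your real file with `open("~/.ssh/config")` expanded via `os.path.expanduser`; any pattern such as `*` in the output means forwarding is on for every host, which the post deliberately avoids.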