0

I am trying to achieve to setup.

  • I can connect to my server to user A using RSA key with ssh.
  • But i can't figure out how to forward agent to use with libpam-ssh.

The goal is to make passwordless sudo commands.

I'm on Debian (Buster) btw.

ssh       su
A ------> B:user X ------> B:userY
    ^                ^
using A's        using A's
 ssh key           ssh key

Is it even possible ?

Feb 22 11:00:11 jeremydev sshd[4050]: Accepted publickey for juniko from 127.0.0.1 port 55484 ssh2: RSA SHA256:N1N2OMouB8WTpQtYEAt69Iar79D3vOdhIHo96kgbDbU
Feb 22 11:00:11 jeremydev sshd[4050]: pam_unix(sshd:session): session opened for user juniko by (uid=0)
Feb 22 11:00:11 jeremydev systemd-logind[513]: New session 100 of user juniko.
Feb 22 11:00:14 jeremydev sudo[4169]: pam_ssh_agent_auth: Beginning pam_ssh_agent_auth for user juniko
Feb 22 11:00:14 jeremydev sudo[4169]: pam_ssh_agent_auth: Attempting authentication: `juniko' as `juniko' using /etc/ssh/sudo_authorized_keys
Feb 22 11:00:14 jeremydev sudo[4169]: pam_ssh_agent_auth: Contacted ssh-agent of user juniko (1000)
Feb 22 11:00:14 jeremydev sudo[4169]: pam_ssh_agent_auth: Failed Authentication: `juniko' as `juniko' using /etc/ssh/sudo_authorized_keys

Here is a connection log example:

OpenSSH_8.1p1 Ubuntu-5, OpenSSL 1.1.1d  10 Sep 2019
debug1: Reading configuration data /home/kwaadpepper/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "example.ovh" port 443
debug2: ssh_connect_direct
debug1: Connecting to example.ovh [XXX.XXX.XXX.XXX] port 443.
debug1: Connection established.
debug1: identity file .ssh/id_rsa type 0
debug1: identity file .ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1p1 Ubuntu-5
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1
debug1: match: OpenSSH_7.9p1 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to example.ovh:443 as 'juniko'
debug3: put_host_port: [example.ovh]:443
debug3: hostkeys_foreach: reading file "/home/kwaadpepper/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/kwaadpepper/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from [example.ovh]:443
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:qWW1mY2LmZVvhYmdR4Z0z6DBLZiS2JdmmxfYu4vUR/A
debug3: put_host_port: [XXX.XXX.XXX.XXX]:443
debug3: put_host_port: [example.ovh]:443
debug3: hostkeys_foreach: reading file "/home/kwaadpepper/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/kwaadpepper/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from [example.ovh]:443
debug3: hostkeys_foreach: reading file "/home/kwaadpepper/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/kwaadpepper/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys from [XXX.XXX.XXX.XXX]:443
debug1: Host '[example.ovh]:443' is known and matches the ECDSA host key.
debug1: Found key in /home/kwaadpepper/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: .ssh/id_rsa RSA SHA256:N1N2OMouB8WTpQtYEAt69Iar79D3vOdhIHo96kgbDbU explicit agent
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: .ssh/id_rsa RSA SHA256:N1N2OMouB8WTpQtYEAt69Iar79D3vOdhIHo96kgbDbU explicit agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: .ssh/id_rsa RSA SHA256:N1N2OMouB8WTpQtYEAt69Iar79D3vOdhIHo96kgbDbU explicit agent
debug3: sign_and_send_pubkey: RSA SHA256:N1N2OMouB8WTpQtYEAt69Iar79D3vOdhIHo96kgbDbU
debug3: sign_and_send_pubkey: signing using rsa-sha2-512
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
Authenticated to example.ovh ([XXX.XXX.XXX.XXX]:443).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting no-more-sessions@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 80
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug3: receive packet: type 4
debug1: Remote: /home/debian/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 4
debug1: Remote: /home/debian/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 91
debug2: channel_input_open_confirmation: channel 0: callback start
debug1: Requesting authentication agent forwarding.
debug2: channel 0: request auth-agent-req@openssh.com confirm 0
debug3: send packet: type 98
debug2: fd 3 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x10
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug1: Sending environment.
debug3: Ignored env GJS_DEBUG_TOPICS
debug3: Ignored env SSH_AUTH_SOCK
debug3: Ignored env SESSION_MANAGER
debug3: Ignored env GNOME_TERMINAL_SCREEN
debug3: Ignored env SSH_AGENT_PID
debug3: Ignored env XDG_CURRENT_DESKTOP
debug1: Sending env LANG = fr_FR.UTF-8
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env XDG_SESSION_CLASS
debug3: Ignored env COLORTERM
debug3: Ignored env QT_IM_MODULE
debug3: Ignored env GPG_AGENT_INFO
debug3: Ignored env DESKTOP_SESSION
debug3: Ignored env USER
debug3: Ignored env XDG_MENU_PREFIX
debug3: Ignored env HOME
debug3: Ignored env GJS_DEBUG_OUTPUT
debug3: Ignored env QT4_IM_MODULE
debug3: Ignored env DBUS_SESSION_BUS_ADDRESS
debug3: Ignored env PWD
debug3: Ignored env GTK_MODULES
debug3: Ignored env XDG_CONFIG_DIRS
debug3: Ignored env WINDOWPATH
debug3: Ignored env _
debug3: Ignored env JOURNAL_STREAM
debug3: Ignored env GTK_IM_MODULE
debug3: Ignored env GNOME_DESKTOP_SESSION_ID
debug3: Ignored env MANAGERPID
debug3: Ignored env CLUTTER_IM_MODULE
debug3: Ignored env XDG_SESSION_DESKTOP
debug3: Ignored env LOGNAME
debug3: Ignored env GNOME_TERMINAL_SERVICE
debug3: Ignored env VTE_VERSION
debug3: Ignored env GNOME_SHELL_SESSION_MODE
debug3: Ignored env PATH
debug3: Ignored env XMODIFIERS
debug3: Ignored env SHELL
debug3: Ignored env XDG_RUNTIME_DIR
debug3: Ignored env XDG_SESSION_TYPE
debug3: Ignored env QT_ACCESSIBILITY
debug3: Ignored env XDG_DATA_DIRS
debug3: Ignored env USERNAME
debug3: Ignored env INVOCATION_ID
debug3: Ignored env SHLVL
debug3: Ignored env XAUTHORITY
debug3: Ignored env IM_CONFIG_CHECK_ENV
debug3: Ignored env DISPLAY
debug3: Ignored env TERM
debug3: Ignored env GDMSESSION
debug3: Ignored env IM_CONFIG_PHASE
debug3: Ignored env OLDPWD
debug3: Ignored env ZSH
debug3: Ignored env PAGER
debug3: Ignored env LESS
debug3: Ignored env LSCOLORS
debug3: Ignored env LS_COLORS
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Kwaadpepper
  • 103
  • 4

1 Answers1

1

You are looking for the ForwardAgent directive in /etc/ssh/ssh_config or ~/.ssh/config:

ForwardAgent

Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine. The argument must be yes or no (the default).

Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent's Unix-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.

Once you enable it on the client, you can check that the correct functioning of the forwarding through:

ssh-add -L

and verify that it contains the key required by pam_ssh_agent_auth.

Edit: While the above configuration option (or the -A command line option, which you mention in your comment) almost certainly opens a Unix socket on the server which forwards the local ssh agent (to be sure run ssh with the -v option and check for the lines around debug1: Requesting authentication agent forwarding. for errors) your shell initialization script or another system component might replace the forwarded agent with its own (empty) agent.

To further debug the question check the SSH_AUTH_SOCK variable after logging in on the server:

printenv SSH_AUTH_SOCK

A forwarded agent socket has a path of the form /tmp/ssh-XXXXXXXX/agent.<pid>, where XXXXXXXX are some random symbols and <pid> is the process id of the shell's parent (the value of $PPID in bash). Even if something overwrites this variable, you can still find the path with:

ls /tmp/ssh-*/agent.$PPID

and restore it:

export SSH_AUTH_SOCK=/tmp/ssh-*/agent.$PPID

That would leave the question, who is overwriting your SSH_AUTH_SOCK variable. If I had to guess, I would search in the bash init files (on Debian 10 /etc/profile, /etc/profile.d/*.sh, ~/.bash_profile, ~/.bash_login, ~/.profile, /etc/bash.bashrc and ~/.bashrc) or whether systemd-logind started the ssh-agent.service:

systemctl --user status ssh-agent.service
Community
  • 1
Piotr P. Karwasz
  • 5,748
  • 2
  • 11
  • 21
  • turns out agent-forward is not working correctly on my server ssh-add -l is empty while on my laptop it is not. ssh server allows agent forward and i use -A while connecting – Kwaadpepper Feb 26 '20 at 20:37
  • Something in your ssh session might be overwriting the `SSH_AUTH_SOCK` environment variable. I added some debugging steps to the answer. – Piotr P. Karwasz Feb 26 '20 at 21:47
  • ssh-agent service i got this: ● ssh-agent.service - OpenSSH Agent Loaded: loaded (/usr/lib/systemd/user/ssh-agent.service; static; vendor preset: enabled) Active: inactive (dead) Docs: man:ssh-agent(1) – Kwaadpepper Feb 29 '20 at 14:17
  • I tried your export command i still got this error after Feb 29 15:18:50 jeremydev sudo[2213]: pam_ssh_agent_auth: Attempting authentication: `juniko' as `juniko' using /etc/ssh/sudo_authorized_keys Feb 29 15:18:50 jeremydev sudo[2213]: pam_ssh_agent_auth: error: ssh-agent socket has incorrect permissions for owner Feb 29 15:18:50 jeremydev sudo[2213]: pam_ssh_agent_auth: No ssh-agent could be contacted Feb 29 15:18:50 jeremydev sudo[2213]: pam_ssh_agent_auth: Failed Authentication: `juniko' as `juniko' using /etc/ssh/sudo_authorized_keys – Kwaadpepper Feb 29 '20 at 14:20
  • my public key is in ```/etc/ssh/sudo_authorized_keys``` but ```ssh-add -L``` says there is no identity after login on ssh – Kwaadpepper Feb 29 '20 at 14:21
  • You can manually search the `/tmp/ssh-*` directories to look for your authentication agent and then set `SSH_AUTH_SOCK` to that path. – Piotr P. Karwasz Feb 29 '20 at 16:36
  • This I already tried and it leads to ''' pam_ssh_agent_auth: No ssh-agent could be contacted''' I think something is silently failling here. I also tried from another laptop with no .sshd/config file with the same result. It may be a server side issue then. The '''SSH_AUTH_SOCK ''' is not the issue i guess – Kwaadpepper Mar 01 '20 at 21:25
  • I just succeed what you were saying with the var $PPID, it has the good value so using it to set ```SSH_AUTH_SOCK``` and ```SSH_AGENT_PID``` worked. But i stall can't find what is overwriting vars here – Kwaadpepper Mar 03 '20 at 12:42
  • `grep 'SSH_AUTH_SOCK' -R /etc` to find all files, where it is mentioned. Also if you change user with `su` and similar, the environment may be cleaned. – Piotr P. Karwasz Mar 03 '20 at 18:10
  • I can't tell what was doing the overwritting but i removed ```apt purge libpam-ssh``` which removed ```dirmngr* gnupg-l10n* gnupg-utils* gpg* gpgconf* gpgsm* libassuan0* libksba8* libnpth0* libpam-tmpdir* pinentry-curses*``` and the purged and reinstalled ```apt install libpam-ssh-agent-auth``` and now it works :x – Kwaadpepper Mar 04 '20 at 12:42