I'm trying to get SSH agent forwarding working from my Mac to a Debian server. On my Mac, I have verified that I have:

  • SSH_AUTH_SOCK exists
  • ssh-add -l shows my identities
  • ./ssh/config has settings to enable ForwardAgent

Passwordless login to the remote server works fine. However, none of my identities are available there and the SSH_AUTH_SOCK is empty.

I'd like to understand how this gets set up in the remote environment, and what am I missing to make it work?

Update:

My server is set up with AllowAgentForwarding=yes in sshd_config and ForwardAgent=yes in ssh_config.

I found some tutorials that suggest running eval `ssh-agent`, so I tried that but I suspect this is meant for the client machine. This did set up an SSH_AUTH_SOCK when I ran it on my server, but it doesn't seem to connect back to the client agent, and it says "The agent has no identities".

Andrew Vit

3 Answers

On my Mac with OS 10.6.x I found that agent forwarding didn't work until I added my key to the Apple keychain, with the following:

ssh-add -K ~/.ssh/id_rsa 

where ~/.ssh/id_rsa contains my private SSH key.

I've a blog entry about setting up ssh host configuration entries to simplify ssh command-lines that may be of interest.

Nick Ager

The server also has to enable agent forwarding.

Ignacio Vazquez-Abrams
  • I've tried setting `AllowAgentForwarding yes` in sshd_config and restarting ssh on the server. I still get the error _"Could not open a connection to your authentication agent"_ when I try to do anything from the server. – Andrew Vit Nov 03 '10 at 05:46

The client that runs the agent needs to have agent forwarding enabled. Not the server.

Never enable it globally, but on a per-host basis in ~/.ssh/config:

Host myserver.foo.local
    ForwardAgent yes

Or use the -A option when connecting:

ssh -A myserver.foo.local

unixtippse
  • Thanks for your answer. Yes, I already have my .ssh/config configured this way. I see SSH_AUTH_SOCK on my end, but not inside the SSH session. I was trying to understand what part of the client/server environment is responsible for setting up that socket, since I'm not seeing it. – Andrew Vit Nov 06 '10 at 09:22
  • Does the client show in verbose mode that it is requesting agent forwarding? ssh -vvv -A myserver.foo.local true 2>&1 | grep agent – unixtippse Nov 07 '10 at 07:09
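
Added example (not part of the original answers): a POSIX shell check for the advice above to enable ForwardAgent per host rather than globally. The function names, the sample config and the host build.example.invalid are constructed for illustration, and Include directives are not followed.

```shell
#!/bin/sh
# Reads an ssh_config on stdin and prints "SCOPE<TAB>block<TAB>value" for every
# ForwardAgent directive that is not "no". Include files are not followed.
audit_forwardagent() {
    awk '
    function has_star(v,   i, n, a) {       # true if a Host pattern is a bare *
        n = split(v, a, /[ \t]+/)
        for (i = 1; i <= n; i++) if (a[i] == "*") return 1
        return 0
    }
    BEGIN { scope = "GLOBAL"; label = "(top of file)" }
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        if (line == "" || line ~ /^#/) next
        if (!match(line, /[ \t=]+/)) next   # keyword, then spaces or "="
        key = tolower(substr(line, 1, RSTART - 1))
        val = substr(line, RSTART + RLENGTH)
        if (key == "host" || key == "match") {
            label = line
            if ((key == "host" && has_star(val)) || (key == "match" && tolower(val) == "all"))
                scope = "GLOBAL"            # applies to every destination
            else
                scope = "PER-HOST"
        } else if (key == "forwardagent" && tolower(val) != "no") {
            printf "%s\t%s\t%s\n", scope, label, val
        }
    }'
}

# Succeeds only when forwarding is never enabled for all destinations.
no_global_forwarding() {
    ! audit_forwardagent | grep -q '^GLOBAL'
}

# Constructed sample config (not from the original page).
sample_config() {
    cat <<'EOF'
Host *
    ForwardAgent yes
    ServerAliveInterval 60
Host myserver.foo.local
    ForwardAgent yes
Host build.example.invalid
    forwardagent=no
EOF
}

sample_config | audit_forwardagent
```

To check a real file, run `audit_forwardagent < ~/.ssh/config`; `ssh -G hostname` prints the effective `forwardagent` value for a single destination.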