4

I failed to configure AgentForwarding with PuTTY :(

PuTTY is the newest version, 0.61. I have created a public/private key pair for PuTTY, converted the keys to OpenSSH format, and added them to /root/.ssh/authorized_keys on both host1 and host2. On both hosts, /etc/ssh/sshd_config contains:

```
PermitRootLogin without-password
AuthorizedKeysFile      %h/.ssh/authorized_keys
AllowAgentForwarding yes
```

On both hosts, /root/.ssh/config contains:

```
Host *
    ForwardAgent yes
```

In the PuTTY configuration, the option Connection/SSH/Auth/Allow agent forwarding [x] is checked.

When I'm running pageant.exe with the key file loaded, I can connect to host1 and host2 without a password. But when I am connected to host1 and try to ssh root@host2, I'm prompted for a password. The variable $SSH_AUTH_SOCK is not set in my host1 session. What am I doing wrong?

Selivanov Pavel

3 Answers

5

Since $SSH_AUTH_SOCK is not set, it's likely either a problem with PuTTY/Pageant or sshd itself.

You can put sshd into debug mode easily enough. Log into the server (this can be safely done over ssh, as long as you remember to restart sshd after you are done) and stop sshd (via your init scripts). Then run:

```
/usr/sbin/sshd -Dddd
```

(-D for foreground mode, -ddd for verbose debugging)

Try to connect via putty again, and watch the output from sshd. If putty is sending the keys for agent forwarding, you should see something about auth-agent-req@openssh.com. If you don't see that, then putty is not properly sending the key along for agent forwarding/requesting agent forwarding.

That should narrow down where the issue lies. You can also run 'ssh -vvv' from host1 for verbose debugging output while trying to ssh to host2.

(At this point, please remember to ctrl+C the foreground sshd process and restart it from your init scripts, otherwise you'll be locked out of your server!)

4

The problem was in the screen application. It was started by PuTTY on the remote host with screen -d -RR (Connection/SSH/Remote Command). I found a solution here and slightly modified it:

~/.bashrc:

```bash
# Correct screen and tmux behavior with ssh-agent
parent="$(ps -o comm --no-headers "$PPID")"

case $parent in
sshd)
        # Login shell started directly by sshd: record this connection's variables
        keep_vars="SSH_CLIENT SSH_TTY SSH_AUTH_SOCK SSH_CONNECTION DISPLAY XAUTHORITY"
        touch "$HOME/.ssh/keep_vars"
        chmod 600 "$HOME/.ssh/keep_vars"
        for i in $keep_vars; do
                # %q shell-quotes the value so the file can be sourced safely
                printf 'export %s=%q\n' "$i" "${!i}"
        done > "$HOME/.ssh/keep_vars"
;;
screen|tmux)
        # Shell started inside screen/tmux: load the variables of the latest login
        [ -r "$HOME/.ssh/keep_vars" ] && source "$HOME/.ssh/keep_vars"
;;
esac
# This command must be run from shell within detached and re-attached screen session
# to interact with ssh-agent properly
alias fixssh="source $HOME/.ssh/keep_vars"
alias ssh="source $HOME/.ssh/keep_vars; ssh"
```

Every time I connect, the ssh agent variables are stored in $HOME/.ssh/keep_vars. Every newly opened window in screen can immediately connect to other machines with my key - it receives the proper variables from screen. In old windows, I need to type fixssh and then try connecting.

U. Windl
Selivanov Pavel
  • I do not understand the need for the line 'alias ssh="source $HOME/.ssh/keep_vars; ssh"' – Phil Aug 07 '14 at 07:19
  • I detach the screen session and close the ssh connection. Then I establish the ssh connection again and re-attach the screen session. SSH_AUTH_SOCK changed, but the shell running in screen doesn't know about it. – Selivanov Pavel Aug 09 '14 at 00:01
  • As the original question did not mention `screen` at all, there was no chance for anyone to provide a correct answer. – U. Windl May 18 '21 at 06:12
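The first two answers describe different failures: forwarding never being granted (no $SSH_AUTH_SOCK at all) versus a screen window holding a socket path from an earlier login. The following check is an added example, not part of the original thread, that tells the two apart from inside the shell on host1; the function names are this example's own, and it assumes the keep_vars file written by the ~/.bashrc snippet above.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Function names are this example's own;
# the keep_vars path and its "export NAME=value" lines follow the answer above.
KEEP_VARS="${KEEP_VARS:-$HOME/.ssh/keep_vars}"

# sock_state PATH -> unset | live | stale
sock_state() {
    if [ -z "$1" ]; then echo unset
    elif [ -S "$1" ]; then echo live      # path exists and is a Unix socket
    else echo stale                        # path recorded, socket already gone
    fi
}

# saved_sock FILE -> SSH_AUTH_SOCK recorded in FILE, read without sourcing it
saved_sock() {
    [ -r "$1" ] || return 0
    sed -n 's/^export SSH_AUTH_SOCK=//p' "$1" | tail -n 1 |
        sed "s/^'\(.*\)'\$/\1/"            # drop surrounding single quotes
}

# diagnose CURRENT_SOCK FILE -> one-line verdict
diagnose() {
    cur=$(sock_state "$1")
    sav=$(sock_state "$(saved_sock "$2")")
    case "$cur/$sav" in
        live/*)
            echo "ok: this shell has a live agent socket; confirm with ssh-add -l" ;;
        */live)
            echo "stale-shell: socket here is $cur, keep_vars has a live one; run fixssh" ;;
        unset/unset)
            echo "no-forwarding: no socket seen; check PuTTY's option and the sshd -ddd output" ;;
        *)
            echo "no-live-socket: recorded sockets are gone; log in again with forwarding" ;;
    esac
}

diagnose "${SSH_AUTH_SOCK-}" "$KEEP_VARS"
```

A "live" verdict only means the socket file exists; `ssh-add -l` confirms that the forwarded agent actually answers.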
0

I claim that Putty is using a different key than the one that is loaded into Pageant. Set a passphrase on your key, load it into Pageant and see if Putty still asks for a passphrase when connecting.

unixtippse