
I'm having a ridiculous amount of difficulty getting SSH agent forwarding to work effectively for two users.

Both can log in to remote servers without a problem, and it looks like their agents are being forwarded properly (on the server, "echo $SSH_AGENT_SOCK" returns a reference to a socket stored on /tmp/ssh-blahblahbla/agent.blahblah), but neither user can ssh into other servers after landing on any other server first via ssh, nor can they pull from a git repo hosted & accessed via ssh.

All of these things work fine for all other users. The only difference I have noticed is that, for some inexplicable reason, after these problem users ssh into the first server and try to connect to a second, the ssh verbose output shows the following:

debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/ubuntu/.ssh/identity ((nil))
debug2: key: /home/ubuntu/.ssh/id_rsa ((nil))
debug2: key: /home/ubuntu/.ssh/id_dsa (0x7ff42705ab40)
debug3: Wrote 64 bytes for a total of 1127
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/ubuntu/.ssh/identity
debug3: no such identity: /home/ubuntu/.ssh/identity
debug1: Trying private key: /home/ubuntu/.ssh/id_rsa
debug3: no such identity: /home/ubuntu/.ssh/id_rsa
debug1: Offering public key: /home/ubuntu/.ssh/id_dsa

For successful users, the first few lines reference the socket in /tmp from their $SSH_AUTH_SOCK. I'm baffled; any help on where to start looking?

Also, for reference, it's not necessarily key specific. For one user, I've tried generating two new keys (one of a different type, one with different encryption), neither of which works.

Thoughts?

user1028587
  • do any of those users have anything in ~/.ssh/config? what are the exact commands you use to connect to remote hosts? – Fox Dec 15 '11 at 23:32
  • Nope, I forgot to mention that I checked there, too. Additionally, before anyone asks, I am manually forwarding using ssh -A in all cases. – user1028587 Dec 16 '11 at 04:51
  • When you say two users, you've confirmed it works for other users and not just these two? Also how does the output of "ssh-add -l" compare locally and on the remote box you ssh -A into? Locally when you run "ps uf | grep ssh-agent" do you get multiple returns? – Glen Dec 16 '11 at 11:04
  • Thanks @Glen, that was the right direction. I guess I assumed that the presence of $HTTP_AUTH_SOCK implied an identity, though that was obviously wrong. I'm posting a more detailed answer below. – user1028587 Dec 16 '11 at 14:49

1 Answer

I discovered that neither user had an identity, despite the agent key being forwarded.

Check on local machine using:

ssh-add -L

If you see: "The agent has no identities."

You may also need to type:

ssh-add

That solved our issue. I hope it helps somebody else.

In one case, the user had a local identity, but it was not for the key he was using; it was an alternate key used in a different environment. Since he could agent forward as expected in this environment, it gave us the impression that the issue was on the server end. To add a specific identity, we used:

ssh-add ~/.ssh/his-alternate-keyfile
user1028587