
Intent: To be able to deploy to lan-example.com from any dev environment; whether it be directly from the virtual OS, or any single-OS system, or even over the internet using ONE SSH key stored in Keepass. I'm currently unable to do so from within Vagrant's OS unless I explicitly generate its own key and authorize it in each of my deployment servers. I believe the way to do what I want is through User Agent Forwarding, yes?


Host OS

  • Windows 7 x64
  • SSH key generated by puttygen: C:\Users\Administrator\.ssh\id_rsa.ppk
  • Keepass with Keeagent storing my SSH key. Keeagent is set to "Agent" mode
  • pageant.exe is installed but is not running
  • If I wish to connect to outside/internal LAN servers using my key, Putty defers to Keeagent - Putty does not store the private key locations in its configuration.

C:\Users\Administrator\.ssh\config

Host 192.168.55.2
  ForwardAgent yes

Vagrantfile

# Vagrant configuration API version; the constant must be defined before it is used
VAGRANTFILE_API_VERSION = "2"

Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  # Host-only network; the guest is reachable from the host at this address
  config.vm.network :private_network, ip: '192.168.55.2'
  # Forward the host's SSH agent into the guest
  config.ssh.forward_agent = true
  # Why would I need to set this if Keeagent is handling things?
  config.ssh.private_key_path = '~/.ssh/id_rsa_jake_mitchell.ppk'
end

Guest OS (Vagrant)

  • Ubuntu x64
  • 192.168.55.2, accessible through host only
  • No SSH keys exist in /home/vagrant/.ssh (I removed them). The intent is to let User Agent Forwarding through the host OS (Keeagent) take care of using the key

LAN Web Host (intranet websites)

  • Let's say its domain is lan-example.com
  • It allows SSH passwordless login only using id_rsa.ppk public key
  • 192.168.0.2
  • User Agent Forwarding is enabled in sshd

Problem:

What works (using Host OS): Putty, connecting to lan-example.com without the need to explicitly reference the SSH key.

What doesn't work (using Guest OS): ssh -v web-server@lan-example.com as it shows that there aren't any keys to use.

I've noticed something about the beta version of Keeagent that allows me to set the SSH_AUTH_SOCK. I've done so, and set up an NFS share that allows the guest OS to read the file; however this doesn't change anything. How does agent forwarding even work in this type of environment? What's different about Windows that causes this to fail?

JakeTheSnake
  • It isn't clear to me what you are using to connect between the 'host' and 'client' systems. Not all SSH clients are made the same. Is your tool using plink, a cygwin ssh client, or something else? Cygwin based ssh clients are not usually compatible with the Putty agent. – Zoredache Jan 27 '15 at 23:11
  • That's actually a very good question. The host OS (Windows) - I don't specifically know how Keeagent takes control as the SSH agent. As stated I have plink.exe installed but it's never active. What you can glean from this link is all I can add: http://lechnology.com/software/keeagent/. However with the client OS (Ubuntu) which resides inside of VirtualBox (via Vagrant setup) uses the standard open-ssh library. To be clear, my host OS uses Vagrant to load Ubuntu. I want to pass the credentials from the host OS to Ubuntu in the VM via Agent Forwarding. – JakeTheSnake Jan 28 '15 at 00:46
  • And what looks to be their source: https://github.com/dlech/KeeAgent – JakeTheSnake Jan 28 '15 at 00:49
  • I am not asking about keeagent. I am not asking about what software is running on your Linux machine. I am asking what program is making the SSH connection on the Windows host. – Zoredache Jan 28 '15 at 00:51
  • That's what I thought I answered. Ignoring the VM setup - Let's say I want to SFTP using FileZilla; Keeagent takes care of that. I don't have an SSH agent running other than Keeagent; though I don't know what process Keeagent creates/utilizes to do its thing. Maybe Keeagent temporarily utilizes plink, I don't know. I kept the process window open while I made a connection with FileZilla but I didn't see plink.exe show up anywhere. This is all on Windows (host OS). – JakeTheSnake Jan 28 '15 at 00:59
  • `Let's say I want to SFTP using FileZilla; Keeagent takes care of that.` - This is where I think we are getting lost. Keeagent/Pageant **only handles the authentication** for filezilla. It isn't opening the tcp connection, handling the encryption, opening the tunnel, or handling the sftp service. There are several different SSH clients that will run on Windows. Putty/Plink, filezilla, a few commercial ones, and the cygwin based ssh clients. The cygwin based ssh clients cannot use cygwin. You must run a cygwin based agent for. So what are you using to using? Not what authentication agent. – Zoredache Jan 28 '15 at 08:42
  • I have cygwin installed as well as plink. I take it you're saying that it's up to the application (Filezilla, SourceTree, Vagrant/Ubuntu) to choose which SSH agent it uses? How is the authorization executable communicating with the ssh-agent? – JakeTheSnake Jan 28 '15 at 15:54

1 Answer


Sharing a socket file through a network file system won't work, as a Windows socket and a Linux socket are entirely different beasts — Linux inside the VM would not know how to use Windows sockets. To make sure the VM can utilize the authentication agent on the host, one needs to enable agent forwarding on both the ssh client and server, then ssh into the VM via the host (not directly login on the VM console).

Assuming:

  1. SSH server agent forwarding setup is done, according to original post (I haven't used Vagrant so can't tell);
  2. Keeagent setup is done and running (I have tried client mode but there are some problems dealing with non-RSA/DSA keys so agent mode is safer);

Under the putty profile setup, tick the option "Allow agent forwarding" under Connection → SSH → Auth in order to turn on agent forwarding for the client. Alternatively, if Cygwin ssh is used on the host, then there are 2 choices:

  1. Install ssh-pageant and make it start automatically with cygwin (in ~/.profile and the like).
  2. Specify desired Windows socket file location in Keeagent setup and set $SSH_AUTH_SOCK variable in cygwin to corresponding location.

To check if agent forwarding is working or not, ssh into VM and check the variable $SSH_AUTH_SOCK. If it's non-empty and pointing to a Linux socket file that exists, then everything is supposed to be fine. If the variable is empty then something is missing.

Abel Cheung
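A small script for the check the answer describes, added here as an example (it is not the answer author's code): run inside the VM, it reports whether a forwarded agent socket is actually usable, distinguishing an unset variable from a path that is not a Unix socket (the NFS-shared Windows socket from the question) and from a socket nobody answers on. It assumes the OpenSSH client (`ssh-add`) is installed in the guest.

```bash
#!/bin/sh
# Verify that SSH agent forwarding reached this shell (e.g. inside the Vagrant VM).
# Exit codes: 0 agent reachable with keys, 1 SSH_AUTH_SOCK empty, 2 path missing,
# 3 path is not a Unix socket, 4 no agent answers on the socket,
# 5 agent answers but holds no keys, 6 ssh-add not installed.
check_agent_forwarding() {
    sock="$1"
    if [ -z "$sock" ]; then
        echo "SSH_AUTH_SOCK is empty: the ssh client did not forward an agent" >&2
        return 1
    fi
    if [ ! -e "$sock" ]; then
        echo "SSH_AUTH_SOCK=$sock does not exist" >&2
        return 2
    fi
    if [ ! -S "$sock" ]; then
        # A Windows socket file exported over NFS shows up as a plain file, not a socket.
        echo "SSH_AUTH_SOCK=$sock is not a Unix domain socket" >&2
        return 3
    fi
    if ! command -v ssh-add >/dev/null 2>&1; then
        echo "ssh-add not found; install the OpenSSH client in the guest" >&2
        return 6
    fi
    # ssh-add -l exits 0 with keys listed, 1 with no identities, 2 if no agent is reachable.
    rc=0
    SSH_AUTH_SOCK="$sock" ssh-add -l >/dev/null 2>&1 || rc=$?
    case "$rc" in
        0) echo "agent forwarding works: keys available via $sock"; return 0 ;;
        1) echo "agent reachable on $sock but it holds no keys (load them on the host)" >&2; return 5 ;;
        *) echo "socket $sock exists but no agent answers (rc=$rc)" >&2; return 4 ;;
    esac
}

# Usage inside the VM: sh check_agent.sh check
if [ "${1:-}" = "check" ]; then
    check_agent_forwarding "${SSH_AUTH_SOCK:-}"
fi
```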