[lug] ssh-agent / ssh-add and picking up credentials used to log into remote system

Bear Giles bgiles at coyotesong.com
Tue Nov 21 10:34:23 MST 2017


I wasn't able to get the second approach to work. I got the first approach
to work after adding the sshd entry and realizing I needed to eval
`ssh-add` instead of just calling it.

Thanks for the help.

On Mon, Nov 20, 2017 at 6:43 PM, Kevin Fenzi <kevin at scrye.com> wrote:

> On 11/20/2017 03:14 PM, Zan Lynx wrote:
> > On Mon, Nov 20, 2017 at 03:31:37PM -0700, Bear Giles wrote:
> >> Hi, I'm sure I had this working before but I've hit it again with a new
> >> jump host on AWS. I know there's a way to set up ssh-agent and ssh-add so I
> >> can carry the credentials through ssh calls but I'm missing it at the
> >> moment.
> >>
> >> I have 'ForwardAgent yes' in my .ssh/config file and run ssh-agent and
> >> ssh-add in my .profile. (more precisely I've added "eval `ssh-agent -s`").
> >> However the list of identities is empty.
> >>
> >> What am I missing?
> >
> > Don't forget to turn on ForwardAgent on the jump host as well. You need
> > to keep forwarding the agent.
> >
> > It's also possible that the OS on the jump host has disabled forwarding
> > in the sshd for some security reason. That's AllowAgentForwarding in
> > sshd_config.
> >
> > And if you've copied your profile around make sure you only run an
> > ssh-agent if you don't already have one. It's possible you are running
> > another one and overwriting the environment variable. The new agent
> > won't have your keys.
>
> All good things to check for this, but personally, I would advise
> against using ssh-agent at all in this case. Anyone who has root on any
> host you have sshed into can use your agent as they like while you are
> connected.
>
> Instead, you should just use nc on the jump host:
>
> Host your-internal-hostname-or-ip
>    HostName %h
>    ProxyCommand ssh -q yourusername@your-jump-host /usr/bin/nc %h 22
>
> This way you never have to forward your agent, instead ssh connects to
> the jump host and runs nc and connects to the internal host over that.
>
> This will of course fail to work if you have multiple levels of
> things... i.e., jump-host -> internal-other-jumphost -> target but it
> works fine for 1 level and makes you a little bit more secure.
>
> kevin
>
>
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
>
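Kevin's nc-based ProxyCommand written out as a complete ~/.ssh/config, with agent forwarding switched off explicitly and extended past the single level he describes by chaining Host entries (each hop's ProxyCommand names the previous alias). This is an added example, not a snippet from the thread; jump.example.com, yourusername and the 10.0.x.x addresses are placeholders.

```sshconfig
# Public jump host: the only machine reached directly from the laptop.
# No ForwardAgent, so root on the jump host never sees the agent socket.
Host jump
    HostName jump.example.com
    User yourusername
    ForwardAgent no

# First internal host. The outer ssh runs nc on "jump" and carries this
# connection over it; %h and %p expand to the HostName and Port of this
# block, so the port is not hardcoded to 22.
Host internal
    HostName 10.0.1.5
    User yourusername
    ForwardAgent no
    ProxyCommand ssh -q jump /usr/bin/nc %h %p

# Second level: the ProxyCommand refers to the "internal" alias, whose
# own ProxyCommand goes through "jump". Chain: jump -> internal -> target.
Host target
    HostName 10.0.2.7
    User yourusername
    ForwardAgent no
    ProxyCommand ssh -q internal /usr/bin/nc %h %p
```

Running `ssh target` then authenticates to each hop directly from the local key or agent, while every intermediate host only ever sees an opaque TCP stream relayed by nc.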