You're right. I switched to ssh1/rsa keys and agent forwarding now works.
It's a shame, though. Agent authentication for dsa keys has been working
for some time now. Is forwarding in the works and just not implemented, or
is there some deeper issue that's preventing this from happening?
--
Don Faulkner, KB5WPM |
| "All that is gold does not glitter."
( This space unintentionally | "not all those who wander are lost."
left blank ) | --J.R.R. Tolkien
On Wed, 14 Feb 2001, tc lewis wrote:
>
> i thought agent forwarding didn't work with ssh2/dsa keys. am i mistaken?
>
> -tcl.
>
>
> On Tue, 13 Feb 2001, Don Faulkner wrote:
>
> > Anne,
> >
> > Thanks for the suggestion. I always forget about easy things like debug.
> > On OpenSSH, (I'm running openssh 2.3.0 p1) it's '-v'
> >
> > I do have DSA authentication enabled on all machines. Before they were
> > moved into their current configuration (with system2 now 'behind'
> > system1), I was able to ssh to both systems and DSA authenticate. Of
> > course, in that case, the agent isn't forwarding, but talking directly to
> > sshd on the particular machine.
> >
> > (My apologies to the list for the following debug output. I've clipped
> > things I don't think are important to the discussion.)
> >
> > Here's how it works now:
> >
> > [def@laptop def]$ ssh -v system1
> > debug: Reading configuration data /home/def/.ssh/config
> > debug: Applying options for *
> > debug: Reading configuration data /etc/ssh/ssh_config
> > debug: Seeding random number generator
> > ...
> > debug: Host 'system1' is known and matches the DSA host key.
> > ...
> > debug: GOT SSH2_MSG_NEWKEYS.
> > debug: send SSH2_MSG_NEWKEYS.
> > debug: done: send SSH2_MSG_NEWKEYS.
> > debug: done: KEX2.
> > debug: send SSH2_MSG_SERVICE_REQUEST
> > debug: service_accept: ssh-userauth
> > debug: got SSH2_MSG_SERVICE_ACCEPT
> > debug: authentications that can continue: publickey,password
> > debug: trying DSA agent key /home/def/.ssh/id_dsa
> > debug: ssh-userauth2 successfull
> > ...
> > [def@system1 def]$ ssh -v system2
> > debug: Reading configuration data /etc/ssh/ssh_config
> > debug: Seeding random number generator
> > ...
> > debug: Host 'system2' is known and matches the DSA host key.
> > ...
> > debug: dsa_verify: signature correct
> > debug: Wait SSH2_MSG_NEWKEYS.
> > debug: GOT SSH2_MSG_NEWKEYS.
> > debug: send SSH2_MSG_NEWKEYS.
> > debug: done: send SSH2_MSG_NEWKEYS.
> > debug: done: KEX2.
> > debug: send SSH2_MSG_SERVICE_REQUEST
> > debug: service_accept: ssh-userauth
> > debug: got SSH2_MSG_SERVICE_ACCEPT
> > debug: authentications that can continue: publickey,password
> > debug: next auth method to try is publickey
> > debug: key does not exist: /home/def/.ssh/id_dsa
> > debug: next auth method to try is password
> > def@web2's password:
> >
> >
> >
> > --
> > Don Faulkner, KB5WPM |
> > | "All that is gold does not glitter."
> > ( This space unintentionally | "not all those who wander are lost."
> > left blank ) | --J.R.R. Tolkien
> >
> > On Tue, 13 Feb 2001 [EMAIL PROTECTED] wrote:
> >
> > > Hi Don,
> > >
> > > Here's some thoughts on this. Do you have public key authentication defined on
> > > the server side?
> > >
> > > Run your client and server in debug mode (I think it's -D with OpenSSH) and see
> > > what that tells you when you try to connect.
> > >
> > > -Anne
> > >
> > >
> > > On Tue, Feb 13, 2001 at 11:19:02AM -0800, Don Faulkner wrote:
> > > > First time I've tried this, so I'm probably really confused.
> > > >
> > > > I've had ssh-agent working on my laptop for some time. Now, I want to ssh
> > > > to system1, and from my shell on system1, ssh to system2.
> > > >
> > > > So I do
> > > > laptop$ eval `ssh-agent`
> > > > laptop$ ssh-add $HOME/.ssh/id_dsa
> > > > laptop$ ssh system1
> > > >
> > > > system1$ ssh system2
> > > > enter password for user@system2:
> > > >
> > > > What am I doing wrong here? Do I need to start an ssh-agent as part of my
> > > > logon process in system1? or is there something else going on?
> > > >
> > > > --
> > > > Don Faulkner, KB5WPM |
> > > > | "All that is gold does not glitter."
> > > > ( This space unintentionally | "not all those who wander are lost."
> > > > left blank ) | --J.R.R. Tolkien
> > > >
> > > >
> > > ------------------------------------------------------------------------
> > > Anne Carasik | An unsophisticated forecaster uses
> > > Principal Security Consultant | statistics as a drunken man uses
> > > SSH Communications Security, Inc. | lamp-posts - for support rather than
> > > Email: [EMAIL PROTECTED] | for illumination. -Andrew Lang
> > > ------------------------------------------------------------------------
> > > Unless stated otherwise above, the opinions expressed herein are my own,
> > > not of my employer.
> > >