ssh-agent and protocol 2 ...
Primus
primus at gblx.net
Wed Dec 27 02:41:41 EST 2000
Tue Dec 26 13:27:33 GMT 2000
I posted the email only after searching the ssh
archives and not the 'dev' archives.
I am using OpenSSH-2.3.0
synopsis of problem:
3 machines: A,B,C
A: home machine where private and public RSA and DSA
keys have been generated.
B,C: only have authorized_keys and authorized_keys2 in ~/.ssh
containing public RSA and DSA keys respectively.
server: OpenSSH-2.2.0p1
B: in ~/.ssh/config, Host entry for C created setting
ForwardAgent yes
ACLs do not permit direct access to C from A.
ssh-agent and ssh-add used on A.
using Protocol 1, I can ssh to B and subsequently ssh from B to C
and not have to enter a password or pass phrase on either.
using Protocol 2, I can ssh to B as before, but regardless of which
Protocol I set in B:~/.ssh/config for Host C, I am asked for a password
when connecting to C from B.
I found the following in the openssh-unix-dev
archives: does it still apply?
List: openssh-unix-dev
Subject: Re: ssh2 authentication and ip forwarding
From: Markus Friedl <markus.friedl at informatik.uni-erlangen.de>
Date: 2000-10-16 21:42:00
agent forwarding is not in ssh2 since we don't do the
official agent protocol (there is no spec) and since
we would have to do our own proprietary protocol for this.
but if someone sends 'clean' patches, we can add this to
openssh, of course.
Thanks.
-primus
On Tue, Dec 26, 2000 at 11:14:19AM +0100, Markus Friedl wrote:
| openssh-2.2 allows you to use the agent from
| the host where the agent is running.
|
| openssh-2.3 does support agent forwarding, too.
|
| -markus
|
| On Mon, Dec 25, 2000 at 08:31:36PM +0000, primus wrote:
| > Mon Dec 25 20:19:05 GMT 2000
| >
| > Greetings.
| >
| > I noticed that in OpenSSH_2.2.0, DSA keys were
| > allowed to be added to ssh-agent, however the
| > ability for allowing ForwardAgent does not yet
| > seem in place for protocol-2.
| >
| > I've noticed that when using protocol-2, no socket
| > is created in /tmp/ssh-*/, and consequently
| > SSH_AUTH_SOCK is not being set. Hence the ability
| > to ssh to another machine (using protocol-1 or
| > protocol-2) without being asked for a password is
| > lost.
| >
| > Is this something currently under development, or
| > is it just a completely bad idea? If the latter,
| > what are the technical reasons?
| >
| >
| > Cheers.
| >
| > --
| > primus
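As an added example that is not part of the original post or of OpenSSH itself: the client config the post describes on B, a check for the symptom it reports (no SSH_AUTH_SOCK on B after the first hop), and a ProxyJump alternative the post could not have used in 2000. Host names A, B and C and the file paths are placeholders matching the thread. Two caveats worth having next to the setup: while a forwarded session is open, anyone on B who can reach the forwarded socket (root, in particular) can sign with A's keys, even though the private keys never leave A; and ProxyJump (OpenSSH 7.3 and later) makes A authenticate to C itself through a stdio tunnel on B, so B never sees the agent at all, which also fits the "ACLs do not permit direct access to C from A" situation because the TCP connection to C still originates from B.

```shell
#!/bin/sh
# Added example, not from the original post. Host names A, B, C and the
# config paths are placeholders; the verifier only exercises the functions.

# On B: ask the client to forward the agent socket when connecting to C.
# This is the setting the post describes in B:~/.ssh/config. While the
# session is open, root on B can use the forwarded socket to sign with
# A's keys (the keys themselves stay on A).
write_forwarding_config() {
    cat > "$1" <<'EOF'
Host C
    ForwardAgent yes
EOF
}

# On A, with OpenSSH 7.3 or later: reach C through B without handing B the
# agent. ssh on A opens a stdio tunnel via B ("ssh -W" on B) and performs
# the whole authentication to C itself; B only relays ciphertext.
write_proxyjump_config() {
    cat > "$1" <<'EOF'
Host C
    ProxyJump B
    ForwardAgent no
EOF
}

# On B, after logging in from A: did a forwarded agent arrive?  The post's
# protocol-2 symptom is that SSH_AUTH_SOCK is never set; this check catches
# that before the hop to C falls back to a password prompt.
# Takes an optional explicit socket path (defaults to $SSH_AUTH_SOCK) and
# returns 0 only if it names an existing unix socket.
agent_forwarded() {
    sock="${1-$SSH_AUTH_SOCK}"
    [ -n "$sock" ] && [ -S "$sock" ]
}

# Goes one step further on a host with ssh-add installed: ssh-add -l exits
# 0 when the agent lists identities, 1 when it has none, 2 when it cannot
# reach an agent at all. Not called by the verifier (needs a real agent).
agent_has_keys() {
    agent_forwarded && ssh-add -l >/dev/null 2>&1
}
```

Typical use on B is `agent_forwarded || echo "no forwarded agent; next hop will prompt"` right after logging in from A; if it reports no agent, the next `ssh C` cannot use A's keys regardless of what B:~/.ssh/config says.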