ssh-agent and protocol 2 ...

Primus primus at gblx.net
Wed Dec 27 02:41:41 EST 2000


Tue Dec 26 13:27:33 GMT 2000

I posted the email only after searching the ssh
archives and not the 'dev' archives.

I am using OpenSSH-2.3.0

synopsis of problem:

3 machines:  A,B,C
	A:	home machine where private and public RSA and DSA
		keys have been generated.

	B,C:	only have authorized_keys and authorized_keys2 in ~/.ssh
		containing public RSA and DSA keys
		respectively.
		server: OpenSSH-2.2.0p1

	B:	in ~/.ssh/config,  Host entry for C created setting
		ForwardAgent yes

ACLs do not permit direct access to C from A.

ssh-agent and ssh-add used on A.
using Protocol 1, I can ssh to B and subsequently ssh from B to C
and not have to enter a password or pass phrase on either.

using Protocol 2, I can ssh to B as before,  but regardless of which 
Protocol I set in B:~/.ssh/config for Host C,  I am asked for a password
when connecting to C from B.


I found the following in the openssh-unix-dev
archives:  does it still apply?

	List:     openssh-unix-dev
	Subject:  Re: ssh2 authentication and ip forwarding
	From:     Markus Friedl <markus.friedl at informatik.uni-erlangen.de>
	Date:     2000-10-16 21:42:00
	[Download message RAW]

	agent forwarding is not in ssh2 since we don't do the
	official agent protocol (there is no spec) and since
	we would have to do our own proprietary protocol for this.
	but if someone sends 'clean' patches, we can add this to
	openssh, of course.

Thanks. 


-primus



On Tue, Dec 26, 2000 at 11:14:19AM +0100, Markus Friedl wrote:
| openssh-2.2 allows you to use the agent from
| the host where the agent is running.
| 
| openssh-2.3 does support agent forwarding, too.
| 
| -markus
| 
| On Mon, Dec 25, 2000 at 08:31:36PM +0000, primus wrote:
| > Mon Dec 25 20:19:05 GMT 2000
| > 
| > Greetings.
| > 
| > I noticed that in OpenSSH_2.2.0,  DSA keys were
| > allowed to be added to ssh-agent,  however the
| > ability for allowing ForwardAgent does not yet
| > seem in place for protocol-2.
| > 
| > I've noticed that when using protocol-2, no socket
| > is created in /tmp/ssh-*/,  and consequently
| > SSH_AUTH_SOCK is not being set.  Hence the ability
| > to ssh to another machine (using protocol-1 or
| > protocol-2) without being asked for a password is
| > lost.
| > 
| > Is this something currently under development,  or
| > is it just a completely bad idea?  If the latter,
| > what are the technical reasons?
| > 
| > 
| > Cheers.
| > 
| > -- 
| > primus
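
Added example (not part of the thread above, and not OpenSSH's own code): a small POSIX sh
script for the intermediate host B in the setup described. It does two things the poster was
checking by hand: it reports the effective ForwardAgent value for a given host name by walking
an ssh_config-style text with ssh_config's first-match-wins rule (so you can confirm that
forwarding is enabled only for the Host C entry and not for every host, since anyone with root
on B can use a forwarded agent while the session is up), and it checks whether SSH_AUTH_SOCK
points at an existing socket, which is what the poster observed to be missing under protocol 2.
The config text is constructed for illustration; the parser handles only "Host" blocks with
"*" and "?" wildcards and whitespace-separated keyword/value pairs, not "Match" blocks or
negated patterns.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits an ssh_config-style
# text for ForwardAgent and checks the agent socket on the current host.

# Constructed sample: what B:~/.ssh/config from the post might look like.
SAMPLE_CONFIG='# constructed ~/.ssh/config on host B
Host C
    ForwardAgent yes
    Protocol 2

Host *
    ForwardAgent no
'

# forward_agent_for HOSTNAME CONFIG_TEXT
# Prints the effective ForwardAgent value ("yes", "no", or "unset") for
# HOSTNAME. As in ssh_config(5), the first matching block that sets the
# option wins; options before any Host line apply to every host.
# Simplification (assumption): only "Host" blocks, "*" and "?" wildcards,
# and "Keyword value" syntax are understood.
forward_agent_for() {
    printf '%s\n' "$2" | awk -v want="$1" '
        # glob_match: ssh_config-style pattern match supporting * and ?
        function glob_match(name, pat,    re) {
            re = pat
            gsub(/\./, "[.]", re)     # literal dots in host names
            gsub(/\*/, ".*", re)      # * matches any run of characters
            gsub(/\?/, ".", re)       # ? matches a single character
            return name ~ ("^" re "$")
        }
        BEGIN { matched = 1; found = 0 }
        { sub(/#.*/, "") }            # strip comments
        NF == 0 { next }              # skip blank lines
        tolower($1) == "host" {
            matched = 0
            for (i = 2; i <= NF; i++) if (glob_match(want, $i)) matched = 1
            next
        }
        matched && tolower($1) == "forwardagent" {
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "unset" }
    '
}

# agent_socket_status SOCKET_PATH
# Prints "missing" if the path is empty (SSH_AUTH_SOCK not exported to this
# session), "no-socket" if it does not name a socket, "ok" otherwise.
agent_socket_status() {
    sock="$1"
    if [ -z "$sock" ]; then
        echo missing
    elif [ ! -S "$sock" ]; then
        echo no-socket
    else
        echo ok
    fi
}

# Stand-alone run: audit the sample config and the current session.
echo "ForwardAgent for C: $(forward_agent_for C "$SAMPLE_CONFIG")"   # yes
echo "ForwardAgent for D: $(forward_agent_for D "$SAMPLE_CONFIG")"   # no
echo "agent socket here:  $(agent_socket_status "${SSH_AUTH_SOCK:-}")"
```

Run it on B after logging in from A; if the second line prints "missing" or "no-socket",
the agent was not forwarded into that session, so a hop to C will fall back to a password.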