ssh-agent and protocol 2 ...
Markus Friedl
markus.friedl at informatik.uni-erlangen.de
Wed Dec 27 23:08:32 EST 2000
As I wrote in my previous message:
> openssh-2.2 allows you to use the agent from
> the host where the agent is running.
>
> openssh-2.3 does support agent forwarding, too.
this explains your problems. you have to upgrade
the server to 2.3.x if you want to use agent-forwarding.
On Tue, Dec 26, 2000 at 03:41:41PM +0000, Primus wrote:
> Tue Dec 26 13:27:33 GMT 2000
>
> I posted the email only after searching the ssh
> archives and not the 'dev' archives.
>
> I am using OpenSSH-2.3.0
>
> synopsis of problem:
>
> 3 machines: A,B,C
> A: home machine where private and public RSA and DSA
> keys have been generated.
>
> B,C: only have authorized_keys and authorized_keys2 in ~/.ssh
> containing public RSA and DSA keys
> respectively.
> server: OpenSSH-2.2.0p1
>
> B: in ~/.ssh/config, Host entry for C created setting
> ForwardAgent yes
>
> ACLs do not permit direct access to C from A.
>
> ssh-agent and ssh-add used on A.
> using Protocol 1, I can ssh to B and subsequently ssh from B to C
> and not have to enter a password or pass phrase on either.
>
> using Protocol 2, I can ssh to B as before, but regardless of which
> Protocol I set in B:~/.ssh/config for Host C, I am asked for a password
> when connecting to C from B.
>
>
> I found the following in the openssh-unix-dev
> archives: does it still apply?
>
> List: openssh-unix-dev
> Subject: Re: ssh2 authentication and ip forwarding
> From: Markus Friedl <markus.friedl at informatik.uni-erlangen.de>
> Date: 2000-10-16 21:42:00
>
> agent forwarding is not in ssh2 since we don't do the
> official agent protocol (there is no spec) and since
> we would have to do our own proprietary protocol for this.
> but if someone sends 'clean' patches, we can add this to
> openssh, of course.
>
> Thanks.
>
>
> -primus
>
>
>
> On Tue, Dec 26, 2000 at 11:14:19AM +0100, Markus Friedl wrote:
> | openssh-2.2 allows you to use the agent from
> | the host where the agent is running.
> |
> | openssh-2.3 does support agent forwarding, too.
> |
> | -markus
> |
> | On Mon, Dec 25, 2000 at 08:31:36PM +0000, primus wrote:
> | > Mon Dec 25 20:19:05 GMT 2000
> | >
> | > Greetings.
> | >
> | > I noticed that in OpenSSH_2.2.0, DSA keys were
> | > allowed to be added to ssh-agent, however the
> | > ability for allowing ForwardAgent does not yet
> | > seem in place for protocol-2.
> | >
> | > I've noticed that when using protocol-2, no socket
> | > is created in /tmp/ssh-*/, and consequently
> | > SSH_AUTH_SOCK is not being set. Hence the ability
> | > to ssh to another machine (using protocol-1 or
> | > protocol-2) without being asked for a password is
> | > lost.
> | >
> | > Is this something currently under development, or
> | > is it just a completely bad idea? If the latter,
> | > what are the technical reasons?
> | >
> | >
> | > Cheers.
> | >
> | > --
> | > primus
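
The symptom described in this thread (no SSH_AUTH_SOCK on host B under protocol 2 when B's sshd is OpenSSH 2.2) can be checked from the shell on B. The script below is an added example, not code from the posters or from OpenSSH: the function names are hypothetical, the banner strings are constructed, and the "2.3 or later" threshold takes Markus's reply as given and assumes later releases also forward the agent.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of OpenSSH.

# State of the forwarded agent as seen by the current login session.
# Prints: unset | missing | not-socket | unreachable | ok
agent_state() {
    sock="${SSH_AUTH_SOCK:-}"
    if [ -z "$sock" ]; then echo unset; return 0; fi        # no agent socket exported
    if [ ! -e "$sock" ]; then echo missing; return 0; fi    # variable points nowhere
    if [ ! -S "$sock" ]; then echo not-socket; return 0; fi # path is not a UNIX socket
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    # ssh-add exits 1 for "no identities", 2 when the agent cannot be
    # contacted; 127 means ssh-add itself is not installed.
    if [ "$rc" -ge 2 ]; then echo unreachable; else echo ok; fi
}

# Given a server identification string ("SSH-<proto>-<software>"), report
# whether the thread's condition for protocol-2 agent forwarding holds
# (OpenSSH 2.3 or later). Prints: yes | no | unknown
server_forwards_v2_agent() {
    case "$1" in
        SSH-*-OpenSSH_*.*) ;;
        *) echo unknown; return 0 ;;
    esac
    ver=${1#*OpenSSH_}            # e.g. 2.2.0p1
    major=${ver%%.*}              # text before the first dot
    rest=${ver#*.}
    minor=${rest%%[!0-9]*}        # leading digits after the first dot
    case "$major" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case "$minor" in '') echo unknown; return 0 ;; esac
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 3 ]; }; then
        echo yes
    else
        echo no
    fi
}

# Usage on host B, passing the banner B's sshd sends (constructed sample):
#   sh check-agent.sh "SSH-1.99-OpenSSH_2.2.0p1"
if [ $# -gt 0 ]; then
    echo "agent: $(agent_state); server forwards v2 agent: $(server_forwards_v2_agent "$1")"
fi
```

A result of `unset` together with `no` matches the case reported above: the 2.2 server never creates the socket for a protocol-2 session, so the next hop falls back to a password.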