disabling the authentication agent?
Robert Mooney
rjmooney at aboveground.cx
Mon Feb 4 09:57:32 EST 2002
I have passwords on both accounts. Let me rephrase:
If I log in to host1 from workstation w/ password auth, and
I log in to host2 from workstation w/ password auth, and
I try to ssh from host1 to host2, host2 asks for a password.
Fine.
If I log in to host1 from workstation w/ password auth, and
I log in to host2 from workstation w/ DSA public key auth, and
I try to ssh from host1 to host2, host2 allows me to login w/o a password.
Why?
The only key in host2's authorized_keys is workstation. host1 doesn't have
a key pair generated for that account.
This leads me to believe the authentication agent is involved.
Here is the ssh debug output from the host1 to host2 ssh:
debug1: next auth method to try is publickey
debug1: userauth_pubkey_agent: testing agent key "Robert Mooney at workstation"
debug1: input_userauth_pk_ok: pkalg ssh-dss blen 819 lastkey 0x490a0 hint -1
debug1: ssh-userauth2 successful: method publickey
Is there any way to disable the authentication agent in the server config?
(There is a "no-agent-forwarding" option (see AUTHORIZED_KEYS FILE FORMAT in
sshd(8)), but that appears to have no effect on a DSA key, and is at the user
level anyway. I want to be able to shut the feature off globally.)
- Rob
: -----Original Message-----
: From: Markus Friedl [mailto:markus at openbsd.org]
: Sent: Sunday, February 03, 2002 12:32 PM
: To: Robert Mooney
: Cc: openssh-unix-dev at mindrot.org
: Subject: Re: disabling the authentication agent?
:
:
: On Fri, Feb 01, 2002 at 11:33:40PM -0500, Robert Mooney wrote:
: >
: > Is there any way to disable the authentication agent globally? I'm not
: > quite sure I understand its purpose. Here is some background info:
: >
: > workstation: Key pair (dsa).
: > host1: No key pair. No authorized_keys.
: > host2: Has my workstation's key in authorized_keys.
: >
: > I ssh to host1 from my workstation.
: > I ssh to host2 from host1. I am asked for a password. Good.
: > I ssh to host2 from my workstation. I am logged in via pubkey auth.
: > I relogin to host2 from host1. I am not asked for a password. Why?
:
: host1 has no authorized_keys and you are not asked for a password?
: then you probably have a password-less account.
:
: this has nothing to do with the 'authentication agent'.
:
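
Added example, not part of the original message or of OpenSSH: a small parser over the `ssh -v` lines quoted above that reports whether a login was completed with a key offered by the authentication agent. It recognizes only the line shapes shown in the message; the second log is constructed, and `explain_login` is a hypothetical name.

```python
import re

# Debug lines copied from the message above (host1 -> host2 login).
PAGE_LOG = """\
debug1: next auth method to try is publickey
debug1: userauth_pubkey_agent: testing agent key "Robert Mooney at workstation"
debug1: input_userauth_pk_ok: pkalg ssh-dss blen 819 lastkey 0x490a0 hint -1
debug1: ssh-userauth2 successful: method publickey
"""

# Constructed sample (same line shapes): the agent key is offered but never
# accepted, and the login completes with a password instead.
CONSTRUCTED_LOG = """\
debug1: next auth method to try is publickey
debug1: userauth_pubkey_agent: testing agent key "Robert Mooney at workstation"
debug1: next auth method to try is password
debug1: ssh-userauth2 successful: method password
"""

AGENT_OFFER = re.compile(r'userauth_pubkey_agent: testing agent key "([^"]*)"')
PK_OK = re.compile(r'input_userauth_pk_ok: pkalg (\S+)')
SUCCESS = re.compile(r'ssh-userauth2 successful: method (\S+)')

def explain_login(debug_text):
    """Report which credential completed the login in `ssh -v` output."""
    offered = None    # comment of the agent key most recently offered
    accepted = None   # (comment, pkalg) once the server answers with pk_ok
    result = {"method": None, "via_agent": False, "agent_key": None, "pkalg": None}
    for line in debug_text.splitlines():
        if m := AGENT_OFFER.search(line):
            offered = m.group(1)
        elif m := PK_OK.search(line):
            # pk_ok answers the key offered just before it; attribute it to
            # the agent only if that offer came from userauth_pubkey_agent.
            if offered is not None:
                accepted = (offered, m.group(1))
            offered = None
        elif m := SUCCESS.search(line):
            result["method"] = m.group(1)
            if m.group(1) == "publickey" and accepted:
                result.update(via_agent=True, agent_key=accepted[0], pkalg=accepted[1])
            break
    return result

if __name__ == "__main__":
    for name, log in (("page", PAGE_LOG), ("constructed", CONSTRUCTED_LOG)):
        print(name, explain_login(log))
```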