It seems the certificate-based login doesn't work on both sides of the remote connection when using scp? Scenario: User on PC A can SSH login to PCs B and C with his certificate, no password prompt. When User on PC A runs a scp operation from B to C he's asked for the password on C.
Does the scp actually open a connection from B to C (User doesn't have a certificate on B)? This would explain the problem. I hoped to avoid such a problem by scping from a third machine that normally has certificate-based access to all machines.
Kai
Kai Schaetzl wrote:
It seems the certificate-based login doesn't work on both sides of the remote connection when using scp?
I think what you're looking for is SSH agent forwarding
http://unixwiz.net/techtips/ssh-agent-forwarding.html
nate
Nate wrote on Mon, 29 Sep 2008 07:36:03 -0700 (PDT):
I think what you're looking for is SSH agent forwarding
Thanks, the agent without forwarding might be enough. The article is a bit general, though. I hope I can actually make this work with the few details it gives.
Kai
On Tue, Sep 30, 2008 at 6:31 PM, Kai Schaetzl maillists@conactive.com wrote:
Thanks, the agent without forwarding might be enough. The article is a bit general, though. I hope I can actually make this work with the few details
No, no, you need the agent forwarding for the first login (ssh -A ...), then scp will (should) work, using the forwarded credentials to contact the agent on the initial machine.
BR Bent
Bent Terp wrote on Wed, 1 Oct 2008 12:11:53 +0200:
No, no, you need the agent forwarding for the first login (ssh -A ...), then scp will (should) work, using the forwarded credentials to contact the agent on the initial machine.
Ok, then I have to read that article again, thanks!
Kai
Short version:
[user@machineA ~]$ ssh-add
Enter passphrase for /home/user/.ssh/id_dsa:
Identity added: /home/user/.ssh/id_dsa (/home/user/.ssh/id_dsa)
[user@machineA ~]$ ssh -A user@machineB
Last login: Wed Sep 31 25:74:52 2008 from 127.0.0.1
[user@machineB ~]$ scp /tmp/CentOS.iso user@machineC:/tmp
;-)
Bent Terp wrote on Wed, 1 Oct 2008 13:53:44 +0200:
Short version:
Thanks for that! I seem to be doing something wrong.
chacha:~ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-pqqvN24337/agent.24337; export SSH_AUTH_SOCK;
SSH_AGENT_PID=24338; export SSH_AGENT_PID;
echo Agent pid 24338;
chacha:~ ssh-add
Could not open a connection to your authentication agent.
chacha:~ ssh-agent -k
SSH_AGENT_PID not set, cannot kill agent
Kai
On Oct 1, 2008, at 9:31 AM, Kai Schaetzl wrote:
Bent Terp wrote on Wed, 1 Oct 2008 13:53:44 +0200:
Short version:
Thanks for that! I seem to be doing something wrong.
You need to either:
select and paste (to execute) the first two lines generated by the ssh-agent command
or run
ssh-agent $SHELL
which will not need the above step, but will start another shell, so you will need to exit twice to logout.
If you are running GNOME, there is also the gnome-ssh-askpass
Tony Schreiner
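As an added illustration of Tony's point (example code, not from any poster in this thread): ssh-agent only prints shell assignments, so running it in a subshell leaves SSH_AUTH_SOCK unset and ssh-add fails exactly as in Kai's session; evaluating that output in the current shell is what "select and paste" does. The sample output below is the constructed stand-in for what ssh-agent printed in Kai's session.

```shell
#!/bin/sh
# Added example, not code from the thread. Demonstrates why printing the
# output of ssh-agent does not help, and why evaluating it does.

# Constructed sample input: the lines ssh-agent printed in Kai's session.
# In real use you would pass "$(ssh-agent -s)" instead of this string.
AGENT_OUTPUT='SSH_AUTH_SOCK=/tmp/ssh-pqqvN24337/agent.24337; export SSH_AUTH_SOCK;
SSH_AGENT_PID=24338; export SSH_AGENT_PID;
echo Agent pid 24338;'

# Start from the state Kai was in: no agent variables in this shell.
unset SSH_AUTH_SOCK SSH_AGENT_PID

# True only when the variables ssh-add needs are set in *this* shell.
# ssh-add reads SSH_AUTH_SOCK; without it you get "Could not open a
# connection to your authentication agent."
agent_env_present() {
    [ -n "$SSH_AUTH_SOCK" ] && [ -n "$SSH_AGENT_PID" ]
}

# What a bare "ssh-agent" at the prompt amounts to: the assignments are
# executed in a child process and printed, and the parent shell keeps
# none of them. Returns the sample text so the effect can be checked.
print_only() {
    ( eval "$1"; printf '%s\n' "$1" )
}

# The fix: evaluate the assignments in the current shell. The 'echo' line
# is dropped, as Phil's ~/.bash_profile snippet does with grep -v '^echo',
# so only the exports run.
import_agent_env() {
    eval "$(printf '%s\n' "$1" | grep -v '^echo')"
}

# Report what the current shell knows about the agent.
agent_status() {
    if agent_env_present; then
        printf 'agent pid %s at %s\n' "$SSH_AGENT_PID" "$SSH_AUTH_SOCK"
    else
        printf 'no agent variables in this shell\n'
    fi
}
```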
Tony Schreiner wrote on Wed, 1 Oct 2008 11:01:23 -0400:
ssh-agent $SHELL
which will not need the above step, but will start another shell, so you will need to exit twice to logout.
This works, thanks. There's nothing of that mentioned in man ssh-agent. That also means I have to execute ssh-agent $SHELL and ssh-add each time I login and want to use forwarding, right?
If you are running GNOME, there is also the gnome-ssh-askpass
Not using a GUI.
Kai
On Oct 1, 2008, at 11:31 AM, Kai Schaetzl wrote:
Tony Schreiner wrote on Wed, 1 Oct 2008 11:01:23 -0400:
ssh-agent $SHELL
which will not need the above step, but will start another shell, so you will need to exit twice to logout.
This works, thanks. There's nothing of that mentioned in man ssh-agent. That also means I have to execute ssh-agent $SHELL and ssh-add each time I login and want to use forwarding, right?
As far as I know that's right. Though it can be scripted into your login. Tony
On Wed, 2008-10-01 at 11:37 -0400, Tony Schreiner wrote: ...
As far as I know that's right. Though it can be scripted into your login.
Been doing it so long I can't remember whom to credit, but I use the following snippet added to the end of ~/.bash_profile:
#*************************************************************#
AGENTFILE=$HOME/.ssh/current-ssh-agent
test -f $AGENTFILE && . $AGENTFILE
if test -n "$SSH_AGENT_PID" \
   && ps xo pid,comm | grep -q "$SSH_AGENT_PID ssh-agent$"; then
  if ssh-add -l >/dev/null; then
    # Everything seems OK.
    :
  else
    # Agent is running but knows no identities.
    echo SSH-AGENT: No identities. Remember to run ssh-add!
  fi
else
  # No agent is running or AGENTFILE is lost - start a new one.
  if ps xo comm | grep -q "^ssh-agent$"; then
    echo SSH-AGENT: Stray ssh-agent? Killing it.
    killall -TERM ssh-agent
  fi
  echo SSH-AGENT: A new agent started. Remember to run ssh-add!
  ssh-agent | grep -v '^echo' >$AGENTFILE
fi
. $AGENTFILE
unset AGENTFILE
#*************************************************************#
and this to ~/.bash_logout:
#*************************************************************#
if test $(w -hsf $(id -un) | wc -l) = 1; then
  ssh-add -D
fi
#*************************************************************#
For KDE one can use a script "ssh-add.sh" containing the following in ~/.kde/Autostart to prompt for the passphrase:
#!/bin/bash
sleep 5
konsole --vt_sz 60x4 --noframe --nomenubar --notoolbar --noscrollbar -e ssh-add
Watch for line-wraps on the above, and remember to $ chmod +x ~/.kde/Autostart/ssh-add.sh
Phil
On Wed, Oct 01, 2008 at 05:31:43PM +0200, Kai Schaetzl enlightened us:
Tony Schreiner wrote on Wed, 1 Oct 2008 11:01:23 -0400:
ssh-agent $SHELL
which will not need the above step, but will start another shell, so you will need to exit twice to logout.
This works, thanks. There's nothing of that mentioned in man ssh-agent. That also means I have to execute ssh-agent $SHELL and ssh-add each time I login and want to use forwarding, right?
Keychain handles that for you.
http://www.gentoo.org/proj/en/keychain/
Matt
Matt Hyclak wrote on Wed, 1 Oct 2008 11:52:14 -0400:
Keychain handles that for you.
Thanks for the info, no need for it anymore, though. I use PuTTY on Windows and connect to machine A and then scp from B to C. (That's why I said "no GUI".) So I needed agent forwarding from A to B to C. I just realized that Pageant (from PuTTY) provides agent forwarding if I set the sessions to allow this. So, I now connect directly to B and scp to C and don't need to run the agent on B anymore as the chain is short enough. The few times I need a forwarded session directly from the console I'll use the method Tony explained. Thank you both!
Kai