SSH Agent Forwarding Troubleshooting (XShell 4)

Wednesday, March 12, 2014 3:24 PM - Remi

I'm having a problem getting XShell 4 (build 0129) to properly support SSH Agent Forwarding. Specifically, I am unable to "proxy" the authentication details through any intermediary Linux host.

Given my SSH key being active in XAgent on host A, I can connect successfully from host A to host B _and_ from host A to host C (so both hosts B and C accept my key).

Given my SSH key being active in XAgent on host A, I _cannot_ connect successfully from A -> B -> C.

In the above, host A is my laptop running Windows 7/XShell, and hosts B and C are Debian Linux (Wheezy) servers.

I have "Use Xagent" and "Launch Xagent automatically" enabled for all hosts.

The intermediary server ('B' in the above listing) does not have an "AllowAgentForwarding" entry in the sshd_config file, so it should default to enabled. I have tried configuring it with "AllowAgentForwarding yes", and it makes no difference (same thing, cannot forward credentials through the server).

The XShell trace of connecting from host A to host B is:

Connecting to 192.168.202.128:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
[16:20:13] Version exchange initiated...
[16:20:13] server: SSH-2.0-OpenSSH_6.0p1 Debian-4
[16:20:13] client: SSH-2.0-nsssh2_4.0.0031 NetSarang Computer, Inc.
[16:20:13] SSH2 is selected.
[16:20:13] Algorithm negotiation initiated...
[16:20:13] key exchange: diffie-hellman-group14-sha1
[16:20:13] host key: ssh-dss
[16:20:13] outgoing encryption: aes128-cbc
[16:20:13] incoming encryption: aes128-cbc
[16:20:13] outgoing mac: hmac-sha1
[16:20:13] incoming mac: hmac-sha1
[16:20:13] outgoing compression: none
[16:20:13] incoming compression: none
[16:20:13] Host authentication initiated...
[16:20:13] Hostkey fingerprint:
[16:20:13] ssh-dsa 1024 43:6b:e7:3f:7d:46:ec:fc:03:03:d1:b7:92:dc:90:3b
[16:20:13] Accepted. Verifying host key...
[16:20:13] Verified.
[16:20:13] User authentication initiated...
[16:20:13] Sent user name '< SNIP - MY USERNAME >'.
[16:20:13] Server support public key authentication method.
[16:20:13] Trying to find ssh-agent...
[16:20:13] Xagent is running. Connecting to ssh-agent...
[16:20:13] Received 1 identity-blob(s) from ssh-agent.
[16:20:13] Trying next identity blob...
[16:20:13] Received PK_OK packet.
[16:20:13] Sent sign request to ssh-agent.
[16:20:13] Received a signature from ssh-agent.
[16:20:13] Access granted.

Further, here is the output from the command `ssh -T -v git@github.com` from host B (this should succeed via SSH agent forwarding; but it fails).

$ ssh -T -v git@github.com
OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to github.com [192.30.252.128] port 22.
debug1: Connection established.
debug1: identity file /home/< - SNIP MY USERNAME - >/.ssh/id_rsa type -1
debug1: identity file /home/< - SNIP MY USERNAME - >/.ssh/id_rsa-cert type -1
debug1: identity file /home/< - SNIP MY USERNAME - >/.ssh/id_dsa type -1
debug1: identity file /home/< - SNIP MY USERNAME - >/.ssh/id_dsa-cert type -1
debug1: identity file /home/< - SNIP MY USERNAME - >/.ssh/id_ecdsa type -1
debug1: identity file /home/< - SNIP MY USERNAME - >/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2p2 Ubuntu-6ubuntu0.1+github2
debug1: match: OpenSSH_6.2p2 Ubuntu-6ubuntu0.1+github2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48
debug1: Host 'github.com' is known and matches the RSA host key.
debug1: Found key in /home/< - SNIP MY USERNAME - >/.ssh/known_hosts:5
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/< - SNIP MY USERNAME - >/.ssh/id_rsa
debug1: Trying private key: /home/< - SNIP MY USERNAME - >/.ssh/id_dsa
debug1: Trying private key: /home/< - SNIP MY USERNAME - >/.ssh/id_ecdsa
debug1: No more authentication methods to try.
Permission denied (publickey).

Any help is much appreciated.

Program Ver. : Xshell 4


Re: SSH Agent Forwarding Troubleshooting (XShell 4)

Thursday, March 13, 2014 11:03 PM - Support

I have tested it myself and agent forwarding should work as described in this article:

https://help.github.com/articles/generating-ssh-keys

Have you added your public key at https://github.com/settings/ssh? Debug information indicates it couldn't find a matching user key.




---
Technical Support




Re: SSH Agent Forwarding Troubleshooting (XShell 4)

Thursday, March 20, 2014 7:25 PM - Remi

I can confirm that it does work -- took me a while to sort out exactly what was happening, but the problem was not XShell.

The issue was that unanticipated changes were happening to SSH_AUTH_SOCK/SSH_AGENT_PID on login to the intermediary host, and thus the authentication requests were never making it successfully to XAgent.

Now that I've stopped the unexpected changes to SSH_AUTH_SOCK and/or SSH_AGENT_PID, it all works correctly.

Thanks!
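
A diagnostic for the root cause described in the last post, as an added example that is not part of the original thread: run in the session on the intermediary host, it classifies the SSH_AUTH_SOCK/SSH_AGENT_PID state and lists startup-file lines that start an agent or reassign those variables. The function names, the list of startup files and the `keychain` pattern are assumptions; the thread does not say which script changed the variables.

```shell
#!/bin/sh
# Added diagnostic, meant to be run on the intermediary host (host B)
# from inside the SSH session that should have agent forwarding.

# Classify the agent environment of the current shell.
# Prints: no-socket | stale-socket | local-agent | forwarded
agent_env_state() {
    sock=${SSH_AUTH_SOCK:-}
    if [ -z "$sock" ]; then
        echo no-socket      # forwarding not set up, or a script unset the variable
    elif [ ! -S "$sock" ]; then
        echo stale-socket   # variable points at something that is not a UNIX socket
    elif [ -n "${SSH_AGENT_PID:-}" ]; then
        echo local-agent    # heuristic: sshd sets only SSH_AUTH_SOCK for a forwarded
                            # agent, so a PID suggests ssh-agent was started on login
    else
        echo forwarded
    fi
}

# Print file:line:text for every non-comment line in the given startup files
# that starts an agent or reassigns/unsets the agent variables.
find_agent_overrides() {
    [ "$#" -gt 0 ] || set -- "${HOME:-/}/.profile" "${HOME:-/}/.bash_profile" \
        "${HOME:-/}/.bashrc" /etc/profile /etc/bash.bashrc
    for f in "$@"; do
        [ -r "$f" ] || continue
        # /dev/null as a second file forces grep to print the file name
        grep -nE 'ssh-agent|keychain|SSH_(AUTH_SOCK|AGENT_PID)=|unset.*SSH_A' \
            "$f" /dev/null | grep -vE '^[^:]*:[0-9]+:[[:space:]]*#' || true
    done
}

state=$(agent_env_state)
echo "agent state: $state"
if [ "$state" = forwarded ] && command -v ssh-add >/dev/null 2>&1; then
    # ssh-add -l exits 0 with keys listed, 1 with no identities, 2 if the agent is unreachable
    ssh-add -l || echo "ssh-add -l exited with status $?"
fi
echo "startup lines touching the agent:"
find_agent_overrides
```

A `forwarded` state with the expected key in the `ssh-add -l` listing means requests are reaching the agent on the client; any other state, or any line reported from a startup file, is where to look first.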

