{ssh-agent}

manage SSH authentication keys with an agent

12 02 2023

start agent

# Start SSH Agent
$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-QiBK03s2faxa/agent.3369; export SSH_AUTH_SOCK;
SSH_AGENT_PID=9866; export SSH_AGENT_PID;
echo Agent pid 9866;

# Export SSH_AUTH_SOCK & SSH_AGENT_PID (the lines ssh-agent printed; equivalent to eval "$(ssh-agent)")
$ SSH_AUTH_SOCK=/tmp/ssh-QiBK03s2faxa/agent.3369; export SSH_AUTH_SOCK;
$ SSH_AGENT_PID=9866; export SSH_AGENT_PID;

# List Identities
$ ssh-add -L
The agent has no identities.

# Add Identity
$ ssh-add .ssh/id_ed25519_user
Enter passphrase for .ssh/id_ed25519:
Identity added: .ssh/id_ed25519 (someuser@somehost)

# List Identities
$ ssh-add -L
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB35GXSghCQL9rLimIxMegUA5WV61tVNvuqTlL8ViljE someuser@somehost

connect to ssh host

# Connect to remote host
$ ssh -A -v localhost
...
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: someuser@somehost ED25519 SHA256:vKcy/yrWzlfpvrmO809K1JZieoylv4t3/hHFDxsa6bc agent
debug1: Server accepts key: someuser@somehost ED25519 SHA256:vKcy/yrWzlfpvrmO809K1JZieoylv4t3/hHFDxsa6bc agent
Authenticated to localhost ([127.0.0.1]:22) using "publickey".
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: filesystem
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: client_input_hostkeys: searching /home/hansli/.ssh/known_hosts for localhost / (none)
debug1: client_input_hostkeys: searching /home/hansli/.ssh/known_hosts2 for localhost / (none)
debug1: client_input_hostkeys: hostkeys file /home/hansli/.ssh/known_hosts2 does not exist
debug1: client_input_hostkeys: no new or deprecated keys from server
debug1: Remote: /home/hansli/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /home/hansli/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Requesting authentication agent forwarding.
Last login: Sun Feb 12 17:35:22 2023 from 127.0.0.1

confirm that the agent is forwarded into the remote session

# Check Env Variable
$ env |grep SSH |sort
SSH_AUTH_SOCK=/tmp/ssh-grF3adN7qr/agent.91951
SSH_CLIENT=127.0.0.1 36206 22
SSH_CONNECTION=127.0.0.1 36206 127.0.0.1 22
SSH_TTY=/dev/ttyp1


# Check the forwarded agent socket and its permissions (the leading 's' in the mode is the socket file type, not a SUID bit)
$ ls -la /tmp/ssh-grF3adN7qr/agent.91951
srwxr-xr-x  1 user  group 0 Feb 12 17:35 /tmp/ssh-grF3adN7qr/agent.91951

$ w
 5:51PM  up 6 days, 20:45, 2 users, load averages: 0.01, 0.02, 0.00
USER    TTY FROM              LOGIN@  IDLE WHAT
stoege   p0 192.168.108.100   5:28PM     0 ssh -A localhost -v 
user     p1 127.0.0.1         5:35PM     0 w

ssh to myself

$ ssh -A localhost

$ w
 5:53PM  up 6 days, 20:47, 3 users, load averages: 0.14, 0.05, 0.01
USER    TTY FROM              LOGIN@  IDLE WHAT
stoege   p0 192.168.108.100   5:28PM     0 ssh -A localhost 
user     p1 127.0.0.1         5:52PM     0 ssh -A localhost 
user     p2 127.0.0.1         5:53PM     0 w 

$ ssh -A localhost

$ w
 5:53PM  up 6 days, 20:48, 4 users, load averages: 0.16, 0.06, 0.01
USER    TTY FROM              LOGIN@  IDLE WHAT
stoege   p0 192.168.108.100   5:28PM     0 ssh -A localhost 
user     p1 127.0.0.1         5:52PM     0 ssh -A localhost 
user     p2 127.0.0.1         5:53PM     0 ssh -A localhost 
user     p3 127.0.0.1         5:53PM     0 w 

Pointless in practice, but it confirms that agent forwarding (-A) is working: each nested login authenticates through the forwarded agent socket rather than a local key file. The same forwarded socket is what lets anyone with root on that remote host use your keys for as long as the session is open, so only forward to hosts you trust ...

ssh to myself, without Agent Forwarding

$ w
 5:57PM  up 6 days, 20:51, 2 users, load averages: 0.04, 0.04, 0.00
USER    TTY FROM              LOGIN@  IDLE WHAT
stoege   p0 192.168.108.100   5:28PM     0 ssh -A localhost 
user     p1 127.0.0.1         5:52PM     0 w 

$ ssh localhost

$ w
 5:57PM  up 6 days, 20:51, 3 users, load averages: 0.12, 0.06, 0.01
USER    TTY FROM              LOGIN@  IDLE WHAT
stoege   p0 192.168.108.100   5:28PM     0 ssh -A localhost 
user     p1 127.0.0.1         5:52PM     0 ssh localhost 
user     p2 127.0.0.1         5:57PM     0 w 

$ ssh localhost
user@localhost: Permission denied (publickey,keyboard-interactive).

$ env |grep SSH |sort
SSH_CLIENT=127.0.0.1 13423 22
SSH_CONNECTION=127.0.0.1 13423 127.0.0.1 22
SSH_TTY=/dev/ttyp2

no SSH_AUTH_SOCK variable in this session, so the nested ssh has no agent to authenticate with ...

Get in touch

or check my blog ...

https://blog.stoege.net

twitter: @stoege

mastodon: @stoege@bsd.network