jailkit-users

Re: [Jailkit-users] ssh agent forwarding difficulties


From: Valdemar Lemche
Subject: Re: [Jailkit-users] ssh agent forwarding difficulties
Date: Sun, 05 Aug 2007 13:38:46 +0200
User-agent: Thunderbird 2.0.0.6 (Windows/20070728)

Valdemar Lemche wrote:
> I followed the howto, Jailkit howto - creating an SSH only shell in a
> chroot jail
>
> Does anyone have any bright ideas how to do ssh agent forwarding from a
> client, through a bastion host, using a jailkit user, to a final server?
>
> Of course it works fine to the bastion host, but from the bastion host
> to the final server things are not going too well.
>
> The agent socket is written to the not chroot'ed /tmp, so I tried
> copying it to <chroot'ed>/tmp using "cp -r `dirname $SSH_AUTH_SOCK`
> /chrootusers/tmp" in /etc/ssh/sshrc.
>
> The socket is copied correctly with the right permissions and
> everything. But for some reason it still doesn't work:
>
> This is the output from my putty when I run the remote command "ssh -v
> -a address@hidden"
>
> <snip>
> Using username "keymaster".
> Authenticating with public key "Valdemar Lemche <address@hidden>"
> from agent
> OpenSSH_4.6p1 Debian-4, OpenSSL 0.9.8e 23 Feb 2007
> debug1: Reading configuration data /home/keymaster/.ssh/config
> debug1: Applying options for *
> debug1: Connecting to wheezy [192.168.1.1] port 22.
> debug1: Connection established.
> debug1: identity file /home/keymaster/.ssh/identity type -1
> debug1: identity file /home/keymaster/.ssh/id_rsa type -1
> debug1: identity file /home/keymaster/.ssh/id_dsa type -1
> debug1: Remote protocol version 2.0, remote software version
> OpenSSH_4.6p1 Debian-4
> debug1: match: OpenSSH_4.6p1 Debian-4 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_4.6p1 Debian-4
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host 'wheezy' is known and matches the RSA host key.
> debug1: Found key in /home/keymaster/.ssh/known_hosts:1
> debug1: ssh_rsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: publickey
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/keymaster/.ssh/identity
> debug1: Trying private key: /home/keymaster/.ssh/id_rsa
> debug1: Trying private key: /home/keymaster/.ssh/id_dsa
> debug1: No more authentication methods to try.
> Permission denied (publickey).
> </snip>
>
> I've run out of ideas ...
>
>
>
>
> _______________________________________________
> Jailkit-users mailing list
> address@hidden
> http://lists.nongnu.org/mailman/listinfo/jailkit-users
>
Erhm ... oops "ssh -a ..." disables agent forwarding ... It was supposed
to be "ssh -A ...". Though it still doesn't work:

This is the output from my putty when I run the remote command "ssh -v
-A address@hidden"

Using username "keymaster".
Authenticating with public key "Valdemar Lemche <address@hidden>"
from agent
OpenSSH_4.6p1 Debian-4, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /home/keymaster/.ssh/config
debug1: Applying options for *
debug1: Connecting to wheezy [192.168.1.1] port 22.
debug1: Connection established.
debug1: identity file /home/keymaster/.ssh/identity type -1
debug1: identity file /home/keymaster/.ssh/id_rsa type -1
debug1: identity file /home/keymaster/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version
OpenSSH_4.6p1 Debian-4
debug1: match: OpenSSH_4.6p1 Debian-4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.6p1 Debian-4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'wheezy' is known and matches the RSA host key.
debug1: Found key in /home/keymaster/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/keymaster/.ssh/identity
debug1: Trying private key: /home/keymaster/.ssh/id_rsa
debug1: Trying private key: /home/keymaster/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey).


These are the entries in the PuTTY event log:

2007-08-05 13:35:17    Looking up host "gatekeeper.se.lemche.net"
2007-08-05 13:35:17    Connecting to 192.168.4.85 port 22
2007-08-05 13:35:17    Server version: SSH-2.0-OpenSSH_4.6p1 Debian-4
2007-08-05 13:35:17    We claim version: SSH-2.0-PuTTY_Release_0.60
2007-08-05 13:35:17    Using SSH protocol version 2
2007-08-05 13:35:17    Doing Diffie-Hellman group exchange
2007-08-05 13:35:17    Doing Diffie-Hellman key exchange with hash SHA-256
2007-08-05 13:35:18    Host key fingerprint is:
2007-08-05 13:35:18    ssh-rsa 2048
55:c3:06:6d:9f:38:5a:83:e2:08:a2:af:87:4f:19:65
2007-08-05 13:35:18    Initialised AES-256 SDCTR client->server encryption
2007-08-05 13:35:18    Initialised HMAC-SHA1 client->server MAC algorithm
2007-08-05 13:35:18    Initialised AES-256 SDCTR server->client encryption
2007-08-05 13:35:18    Initialised HMAC-SHA1 server->client MAC algorithm
2007-08-05 13:35:18    Pageant is running. Requesting keys.
2007-08-05 13:35:18    Pageant has 1 SSH-2 keys
2007-08-05 13:35:18    Writing new session log (ASCII mode) to file:
C:\Documents and Settings\Administrator\Local Settings\PuTTY
Logs\gatekeeper.se.lemche.net-20070805-133518.log
2007-08-05 13:35:18    Trying Pageant key #0
2007-08-05 13:35:18    Sending Pageant's response
2007-08-05 13:35:18    Access granted
2007-08-05 13:35:18    Opened channel for session
2007-08-05 13:35:18    Requesting X11 forwarding
2007-08-05 13:35:18    X11 forwarding enabled
2007-08-05 13:35:18    Requesting OpenSSH-style agent forwarding
2007-08-05 13:35:18    Agent forwarding enabled
2007-08-05 13:35:18    Allocated pty (ospeed 38400bps, ispeed 38400bps)
2007-08-05 13:35:18    Started a shell/command
2007-08-05 13:35:18    Server sent command exit status 255
2007-08-05 13:35:19    Disconnected: All channels closed


For reference, these are the syslog entries on my syslog server related to
sshd:
Aug  5 13:35:17 gatekeeper sshd[8902]: debug1: rexec start in 4 out 4
newsock 4 pipe 6 sock 7
Aug  5 13:35:17 gatekeeper sshd[8468]: debug1: Forked child 8902.
Aug  5 13:35:17 gatekeeper sshd[8902]: debug1: inetd sockets after
dupping: 3, 3
Aug  5 13:35:17 gatekeeper sshd[8902]: Connection from 192.168.1.194
port 1346
Aug  5 13:35:17 gatekeeper sshd[8902]: debug1: Client protocol version
2.0; client software version PuTTY_Release_0.60
Aug  5 13:35:17 gatekeeper sshd[8902]: debug1: no match: PuTTY_Release_0.60
Aug  5 13:35:17 gatekeeper sshd[8902]: debug1: Enabling compatibility
mode for protocol 2.0
Aug  5 13:35:17 gatekeeper sshd[8902]: debug1: Local version string
SSH-2.0-OpenSSH_4.6p1 Debian-4
Aug  5 13:35:18 gatekeeper sshd[8902]: debug1: temporarily_use_uid:
1000/100 (e=0/0)
Aug  5 13:35:18 gatekeeper sshd[8902]: debug1: trying public key file
/chrootusers/./home/keymaster/.ssh/authorized_keys
Aug  5 13:35:18 gatekeeper sshd[8902]: debug1: matching key found: file
/chrootusers/./home/keymaster/.ssh/authorized_keys, line 1
Aug  5 13:35:18 gatekeeper sshd[8902]: Found matching DSA key:
d0:80:6a:31:7e:44:1f:25:d7:d3:df:1f:8f:0e:3a:de
Aug  5 13:35:18 gatekeeper sshd[8902]: debug1: restore_uid: 0/0
Aug  5 13:35:18 gatekeeper sshd[8902]: debug1: temporarily_use_uid:
1000/100 (e=0/0)
Aug  5 13:35:18 gatekeeper sshd[8902]: debug1: trying public key file
/chrootusers/./home/keymaster/.ssh/authorized_keys
Aug  5 13:35:18 gatekeeper sshd[8902]: debug1: matching key found: file
/chrootusers/./home/keymaster/.ssh/authorized_keys, line 1
Aug  5 13:35:18 gatekeeper sshd[8902]: Found matching DSA key:
d0:80:6a:31:7e:44:1f:25:d7:d3:df:1f:8f:0e:3a:de
Aug  5 13:35:18 gatekeeper sshd[8902]: debug1: restore_uid: 0/0
Aug  5 13:35:18 gatekeeper sshd[8902]: debug1: ssh_dss_verify: signature
correct
Aug  5 13:35:18 gatekeeper sshd[8902]: Accepted publickey for keymaster
from 192.168.1.194 port 1346 ssh2
Aug  5 13:35:18 gatekeeper sshd[8902]: debug1: monitor_child_preauth:
keymaster has been authenticated by privileged process
Aug  5 13:35:18 gatekeeper sshd[8904]: debug1: permanently_set_uid: 1000/100
Aug  5 13:35:18 gatekeeper sshd[8904]: debug1: SELinux support disabled
Aug  5 13:35:18 gatekeeper sshd[8904]: debug1: Entering interactive
session for SSH2.
Aug  5 13:35:18 gatekeeper sshd[8904]: debug1: server_init_dispatch_20
Aug  5 13:35:18 gatekeeper sshd[8904]: debug1:
server_input_channel_open: ctype session rchan 256 win 16384 max 16384
Aug  5 13:35:18 gatekeeper sshd[8904]: debug1: input_session_request
Aug  5 13:35:18 gatekeeper sshd[8904]: debug1: channel 0: new
[server-session]
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: session_new: init
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: session_new: session 0
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: session_open: channel 0
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: session_open: session 0:
link with channel 0
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1:
server_input_channel_open: confirm session
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: server_input_channel_req:
channel 0 request x11-req reply 1
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: session_by_channel:
session 0 channel 0
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1:
session_input_channel_req: session 0 req x11-req
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: x11_create_display_inet:
Socket family 10 not supported
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: channel 1: new [X11 inet
listener]
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: server_input_channel_req:
channel 0 request address@hidden reply 1
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: session_by_channel:
session 0 channel 0
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1:
session_input_channel_req: session 0 req address@hidden
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: temporarily_use_uid:
1000/100 (e=1000/100)
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: restore_uid: (unprivileged)
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: channel 2: new [auth socket]
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: server_input_channel_req:
channel 0 request pty-req reply 1
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: session_by_channel:
session 0 channel 0
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1:
session_input_channel_req: session 0 req pty-req
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: Allocating pty.
Aug  5 13:35:19 gatekeeper sshd[8902]: debug1: session_new: init
Aug  5 13:35:19 gatekeeper sshd[8902]: debug1: session_new: session 0
Aug  5 13:35:19 gatekeeper sshd[8902]: debug1: SELinux support disabled
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: session_pty_req: session
0 alloc /dev/pts/3
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: server_input_channel_req:
channel 0 request exec reply 1
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: session_by_channel:
session 0 channel 0
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1:
session_input_channel_req: session 0 req exec
Aug  5 13:35:19 gatekeeper sshd[8905]: debug1: Setting controlling tty
using TIOCSCTTY.
Aug  5 13:35:19 wheezy sshd[8909]: debug1: rexec start in 4 out 4
newsock 4 pipe 6 sock 7
Aug  5 13:35:19 wheezy sshd[8827]: debug1: Forked child 8909.
Aug  5 13:35:19 wheezy sshd[8909]: debug1: inetd sockets after dupping: 3, 3
Aug  5 13:35:19 wheezy sshd[8909]: Connection from 192.168.4.85 port 38787
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: server_input_channel_req:
channel 0 request window-change reply 0
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: session_by_channel:
session 0 channel 0
Aug  5 13:35:19 wheezy sshd[8909]: debug1: Client protocol version 2.0;
client software version OpenSSH_4.6p1 Debian-4
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1:
session_input_channel_req: session 0 req window-change
Aug  5 13:35:19 wheezy sshd[8909]: debug1: match: OpenSSH_4.6p1 Debian-4
pat OpenSSH*
Aug  5 13:35:19 wheezy sshd[8909]: debug1: Enabling compatibility mode
for protocol 2.0
Aug  5 13:35:19 wheezy sshd[8909]: debug1: Local version string
SSH-2.0-OpenSSH_4.6p1 Debian-4
Aug  5 13:35:19 wheezy sshd[8909]: debug1: PAM: initializing for "root"
Aug  5 13:35:19 wheezy sshd[8909]: debug1: PAM: setting PAM_RHOST to
"gatekeeper.se.lemche.net"
Aug  5 13:35:19 wheezy sshd[8909]: debug1: PAM: setting PAM_TTY to "ssh"
Aug  5 13:35:19 wheezy sshd[8909]: debug1: do_cleanup
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: Received SIGCHLD.
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: session_by_pid: pid 8905
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: session_exit_message:
session 0 channel 0 pid 8905
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: session_exit_message:
release channel 0
Aug  5 13:35:19 gatekeeper sshd[8902]: debug1: session_by_tty: session 0
tty /dev/pts/3
Aug  5 13:35:19 gatekeeper sshd[8902]: debug1: session_pty_cleanup:
session 0 release /dev/pts/3
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: session_by_channel:
session 0 channel 0
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: session_close_by_channel:
channel 0 child 0
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: session_close_x11: detach
x11 channel 1
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: session_close: session 0
pid 0
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: channel 0: free:
server-session, nchannels 3
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: channel 1: free: X11 inet
listener, nchannels 2
Aug  5 13:35:19 gatekeeper sshd[8904]: Connection closed by 192.168.1.194
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: channel 2: free: auth
socket, nchannels 1
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: do_cleanup
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: temporarily_use_uid:
1000/100 (e=1000/100)
Aug  5 13:35:19 gatekeeper sshd[8904]: debug1: restore_uid: (unprivileged)
Aug  5 13:35:19 gatekeeper sshd[8904]: Closing connection to 192.168.1.194
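Added example (not part of the thread, and not jailkit or OpenSSH code): a check of what a copied agent socket actually is. A Unix-domain socket file is only a rendezvous point; connect(2) resolves the path to an inode and looks up the socket bound to that inode. "cp -r" recreates the socket as a brand-new inode that nothing is bound to, so a client connecting to the copy gets ECONNREFUSED, whereas a hard link (same inode, same filesystem) or a bind mount of the agent's directory keeps the original inode and works. The listener below stands in for sshd's forwarded-agent socket; the paths are created in a temporary directory and are constructed input, and the mknod fallback is an assumption for sandboxes that block mknod(2).

```python
"""Why a cp'd agent socket inside a chroot refuses connections.

Added example, not from the original thread.  A Unix-domain socket file is a
rendezvous point only: connect(2) resolves the path to an inode and looks up
the socket *bound to that inode*.  `cp -r` creates a fresh socket inode with
no listener behind it; a hard link (same inode, same filesystem) or a bind
mount keeps the original inode.  All paths are constructed in a temp dir.
"""
import errno
import os
import socket
import stat
import tempfile

# Exposed for callers/tests so they need not import errno themselves.
CONNECTION_REFUSED = errno.ECONNREFUSED


def start_listener(path):
    """Stand-in for sshd's forwarded-agent listener: bind and listen on `path`."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(16)  # enough backlog for every probe below without accept()ing
    return srv


def copy_like_cp_r(src, dst):
    """Emulate what `cp -r` does with a socket file: mknod(2) a new S_IFSOCK
    inode carrying the same permission bits.  Nothing is listening on it."""
    mode = stat.S_IMODE(os.stat(src).st_mode)
    try:
        os.mknod(dst, stat.S_IFSOCK | mode)
    except PermissionError:
        # Assumption: some sandboxes deny mknod(2).  A socket that is bound and
        # immediately closed leaves the same artifact: a socket inode, no listener.
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(dst)
        s.close()
        os.chmod(dst, mode)


def probe(path):
    """Connect the way ssh does to $SSH_AUTH_SOCK.  Return None on success,
    otherwise the errno the kernel handed back."""
    c = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        c.connect(path)
        return None
    except OSError as e:
        return e.errno
    finally:
        c.close()


def compare_socket_exposure():
    """Return {method: probe result} for the original socket, a cp -r style
    copy, and a hard link of the original."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "agent.sock")    # what sshd created outside the jail
        copied = os.path.join(d, "agent-cp.sock")   # what `cp -r` would leave in <chroot>/tmp
        linked = os.path.join(d, "agent-ln.sock")   # what `ln` would leave there (same fs)
        srv = start_listener(original)
        try:
            copy_like_cp_r(original, copied)
            os.link(original, linked)
            return {
                "original": probe(original),
                "cp_r_copy": probe(copied),
                "hard_link": probe(linked),
            }
        finally:
            srv.close()


if __name__ == "__main__":
    for method, err in compare_socket_exposure().items():
        state = "connected" if err is None else os.strerror(err)
        print(f"{method:10s}: {state}")
```

On a real bastion the equivalent of the hard link is "ln $SSH_AUTH_SOCK <chroot>/tmp/..." from sshrc, which only works when the jail directory sits on the same filesystem as the directory ssh-agent/sshd wrote the socket to; otherwise a bind mount of the socket's directory into the jail (root required) is the usual approach. In both cases SSH_AUTH_SOCK inside the jail has to be set to the in-jail path, and the normal agent-forwarding caveat applies: every process running as that user inside the jail can then ask the agent to sign with the forwarded keys.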