[Trilug-ontopic] ssh tunnel works, but ssh-agent tunnel does not?

Tom Roche Tom_Roche at pobox.com
Mon Feb 6 20:17:01 EST 2012


summary: 

A == my laptop, I can sudo
G == gateway, cannot sudo
R == remote cluster, cannot sudo

ssh-ing A -> G -> R:
A -> G works password-less (keys properly configured)
G -> R works password-less (keys properly configured)
A -> R demands password (thought I had a tunnel, keys properly configured)

What am I doing wrong? or what do I need admin help to configure?

details:

A is debian. On A, my id=lord and I have root.
G is RHEL5.  On G, my id=serf and I am a user.
R is RHEL5.  On R, my id=serf and I am a user.
R can only be reached via G.
G and R are inside a firewall and can only be reached from a LAN.

I have previously set up RSA keys and .ssh/config (more on port=10230
below) such that I can, without password,

lord@A:~$ ssh G
splash ...
bind: Address already in use
channel_setup_fwd_listener: cannot listen to port: 10230
Could not request local forwarding.
Last login: ...
splash again...
serf@G:~ $ ssh R
Last login: ...
serf@R:~ $ exit

R:~/.ssh/authorized_keys contains only
> ssh-rsa ... serf@G.f.q.d.n

Do I need something in R:~/.ssh/config? I don't presently have one.

G:~/.ssh/authorized_keys contains
> ssh-rsa ... me@xpBoxImustOccasionallyUse
> ssh-rsa ... serf@G.f.q.d.n
> ssh-rsa ... peon@Z.f.q.d.n

G:~/.ssh/config includes
> Host *
>      # default=3
>      ServerAliveCountMax 4
>      # default=0
>      ServerAliveInterval 15
>
> Host R.f.q.d.n
>      HostName R.f.q.d.n
>      Port 22
>      User serf
>      ForwardX11Trusted yes
>
> Host R
>      HostName R.f.q.d.n
>      Port 22
>      User serf
>      ForwardX11Trusted yes

Does G:~/.ssh/config need to be tweaked to support ssh-agent tunneling?

A:~/.ssh/config has
> Host *
>      # default=3
>      ServerAliveCountMax 4
>      # default=0
>      ServerAliveInterval 15
>
> Host G.f.q.d.n
>      HostName G.f.q.d.n
>      Port 22
>      User serf
>      ForwardX11 yes
>      ForwardX11Trusted yes
>      LocalForward localhost:10230 R.f.q.d.n:22
>
> Host G
>      HostName G.f.q.d.n
>      Port 22
>      User serf
>      ForwardX11 yes
>      ForwardX11Trusted yes
>      LocalForward localhost:10230 R.f.q.d.n:22
>
> Host R.f.q.d.n
>      HostName localhost
>      Port 10230
>      User serf
>      ForwardX11 yes
>      ForwardX11Trusted yes
>
> Host R
>      HostName localhost
>      Port 10230
>      User serf
>      ForwardX11 yes
>      ForwardX11Trusted yes

A:~/bin/A_ssh_R.sh has
> #!/usr/bin/env bash
> # Start a background tunnel A -> G that forwards localhost:10230 to R:22,
> # then open a shell on R through it. A:~/.ssh/config already declares the
> # same LocalForward for Host G.f.q.d.n, so the explicit -L below requests
> # port 10230 a second time, and a tunnel left running by an earlier
> # invocation holds it as well; either produces "Address already in use".
> LOCAL_PORT="10230"
> REMOTE_PORT="22"
> GATEWAY_HOST="G.f.q.d.n"
> GATEWAY_ID="serf"
> DESTINATION_HOST="R.f.q.d.n"
> DESTINATION_ID="serf"
> TUNNEL_SETUP_CMD="ssh -N -f ${GATEWAY_ID}@${GATEWAY_HOST} -L ${LOCAL_PORT}:${DESTINATION_HOST}:${REMOTE_PORT}"
> TUNNEL_USE_CMD="ssh -l ${DESTINATION_ID} -p ${LOCAL_PORT} localhost"
>
> for CMD in "${TUNNEL_SETUP_CMD}" "${TUNNEL_USE_CMD}" ; do
>   echo "$ ${CMD}"   # show each command before running it
>   eval "${CMD}"
> done

When I run A_ssh_R.sh, I get
> $ ssh -N -f serf@G.f.q.d.n -L 10230:R.f.q.d.n:22
splash ...
> bind: Address already in use
> channel_setup_fwd_listener: cannot listen to port: 10230
> bind: Address already in use
> channel_setup_fwd_listener: cannot listen to port: 10230
> Could not request local forwarding.
> $ ssh -l serf -p 10230 localhost
> serf@localhost's password: ****************TYPED HERE****************
> Last login: Mon Feb  6 18:00:04 2012 from Gf
> serf@Rmaster:~ $ exit

So the ssh tunnel works, but the ssh-agent tunnel does not (no?)

What must I do to allow password-less ssh/scp A -> R?

TIA, Tom Roche <Tom_Roche at pobox.com>
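Editor's added example (not code from the post): the check the question above calls for. sshd on R accepts a key only if its public half is listed in R:~/.ssh/authorized_keys, and when A connects to localhost:10230 it is A's own ssh client that authenticates to R, offering the identities A holds (files in A:~/.ssh or keys loaded into ssh-agent on A), not G's key. The script compares fingerprints the way `ssh-keygen -lf` reports them (SHA256, plus the MD5 form that older OpenSSH such as RHEL5's prints). The key blobs and the authorized_keys contents are constructed stand-ins for those in the post, not real keys; the comments `lord@A` and `serf@G.f.q.d.n` follow the post.

```python
"""Compare the key an ssh client will offer with a remote authorized_keys.

Added example for the post above (not code from the original message).
Key blobs are CONSTRUCTED: a real ssh wire-format type prefix followed by
placeholder bytes, so they are not usable keys and the fingerprints are
illustrative only.
"""
import base64
import hashlib
import struct
from typing import Dict, List, Optional

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _constructed_blob(key_type: str, label: str) -> str:
    """Placeholder blob: uint32 length + type string (as in a real key),
    then 32 arbitrary bytes derived from the label."""
    t = key_type.encode()
    raw = struct.pack(">I", len(t)) + t + hashlib.sha256(label.encode()).digest()
    return base64.b64encode(raw).decode()


def wire_type(raw: bytes) -> str:
    """Key type string embedded at the start of a decoded blob."""
    if len(raw) < 4:
        raise ValueError("blob too short")
    n = struct.unpack(">I", raw[:4])[0]
    if len(raw) < 4 + n:
        raise ValueError("truncated key type")
    return raw[4:4 + n].decode("ascii", "replace")


def fingerprints(blob_b64: str) -> Dict[str, str]:
    """SHA256 form (ssh-keygen -l since OpenSSH 6.8) and the MD5 form
    that older releases such as RHEL5's print."""
    raw = base64.b64decode(blob_b64)
    sha = base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    md5 = ":".join(f"{b:02x}" for b in hashlib.md5(raw).digest())
    return {"SHA256": "SHA256:" + sha, "MD5": "MD5:" + md5, "type": wire_type(raw)}


def _split_outside_quotes(line: str) -> List[str]:
    """Whitespace split that keeps quoted option values (command="a b") intact."""
    tokens, cur, quoted = [], "", False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch.isspace() and not quoted:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def parse_key_line(line: str) -> Optional[dict]:
    """Parse an authorized_keys or id_*.pub line: [options] type blob [comment].
    Returns None for blank/comment lines, unknown types, bad base64, or a
    declared type that disagrees with the type inside the blob."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    toks = _split_outside_quotes(line)
    idx = next((i for i, t in enumerate(toks) if t in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(toks):
        return None
    key_type, blob = toks[idx], toks[idx + 1]
    try:
        raw = base64.b64decode(blob, validate=True)   # binascii.Error is a ValueError
        if wire_type(raw) != key_type:
            return None
    except ValueError:
        return None
    return {"type": key_type, "blob": blob, "options": " ".join(toks[:idx]),
            "comment": " ".join(toks[idx + 2:]), "fp": fingerprints(blob)["SHA256"]}


def key_is_authorized(pubkey_line: str, authorized_keys: str) -> bool:
    """True if pubkey_line's fingerprint appears in the authorized_keys text."""
    mine = parse_key_line(pubkey_line)
    if mine is None:
        raise ValueError("not a public key line")
    entries = (parse_key_line(ln) for ln in authorized_keys.splitlines())
    return any(e is not None and e["fp"] == mine["fp"] for e in entries)


def report(local_pubkeys: List[str], authorized_keys: str) -> Dict[str, bool]:
    """Map each local key's comment to whether the remote sshd would accept it."""
    return {parse_key_line(k)["comment"]: key_is_authorized(k, authorized_keys)
            for k in local_pubkeys}


# Constructed stand-ins for the keys in the post (comments as in the post).
LORD_AT_A_PUB = "ssh-rsa " + _constructed_blob("ssh-rsa", "lord@A") + " lord@A"
SERF_AT_G_PUB = "ssh-rsa " + _constructed_blob("ssh-rsa", "serf@G") + " serf@G.f.q.d.n"
# R:~/.ssh/authorized_keys as described in the post: only G's key.
R_AUTHORIZED_KEYS = "# keys sshd on R accepts\n" + SERF_AT_G_PUB + "\n"

if __name__ == "__main__":
    for pub in (LORD_AT_A_PUB, SERF_AT_G_PUB):
        k = parse_key_line(pub)
        print(f"{k['comment']:15} {k['fp']}  accepted by R: "
              f"{key_is_authorized(pub, R_AUTHORIZED_KEYS)}")
```

On a real system, feed it `cat ~/.ssh/*.pub` on A (and `ssh-add -L` for agent-held keys) against a copy of R's authorized_keys; a key whose fingerprint is absent will be refused no matter how the tunnel is built.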


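Editor's added example (not the poster's config): the same A -> G -> R hop expressed with ProxyCommand instead of a pre-started LocalForward. It assumes the Debian client on A supports `ssh -W` (OpenSSH 5.4 or later); the ProxyCommand runs on A, so G's older sshd only has to allow TCP forwarding, which the working port-10230 tunnel shows it already does. Two practical differences from the fixed-port setup: there is no local port to collide with, and R's host key is recorded in A's known_hosts under `R.f.q.d.n` rather than `[localhost]:10230`, so ssh will object if something else ever answers on that port. The key this stanza offers to R still has to be listed in R:~/.ssh/authorized_keys; whether it lives in a file on A or in ssh-agent on A makes no difference to R, and agent forwarding plays no part in it.

```sshconfig
# A:~/.ssh/config (added example). "ssh R" opens a session to G and runs a
# second ssh on A that asks G to relay stdin/stdout to R's port 22 (-W).
Host G G.f.q.d.n
    HostName G.f.q.d.n
    User serf
    ForwardX11Trusted yes

Host R R.f.q.d.n
    HostName R.f.q.d.n
    User serf
    ProxyCommand ssh -W %h:%p G
    # IdentityFile selects the key A offers to R; its .pub must appear in
    # R:~/.ssh/authorized_keys (per the post, only G's key is there today).
    IdentityFile ~/.ssh/id_rsa
    ForwardX11Trusted yes
```

With this in place `ssh R` and `scp file R:` work from A directly; `ssh -v R` shows which identity is offered and whether R accepts it.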