How to Fix Multi-Hop SSH Forward Agent Issue

April 25, 2016 11:41 AM

Problem

You want to reach the third SSH machine, but the hop from RM1 to RM2 must authenticate with the key stored on the first hop, not with the key on your local machine. Here is the diagram:
+-----------------------+
|  Local Machine (LM)   |
+-----------------------+
            |
            |
+-------------------------+
|  Remote Machine 1 (RM1) | -> 1st Hop
+-------------------------+
            |
            |
+-------------------------+
|  Remote Machine 2 (RM2) | -> 2nd Hop
+-------------------------+
            |
            |
+-------------------------+
|  Remote Machine 3 (RM3) | -> 3rd Hop
+-------------------------+
The commands below show the problem we hit with agent forwarding.
user@local-machine~$ ssh -A remote-machine-1

user@remote-machine-1~$ ssh -A remote-machine-2
(Permission denied)
Authentication failed because RM2 expects the key held on RM1, but the forwarded agent only offered the key from the local machine.

Solution

The fix is to load the private key that RM2 expects into an agent running on Remote Machine 1, rather than relying on the agent forwarded from the local machine. The commands below are therefore issued on Remote Machine 1.
user@local-machine~$ ssh remote-machine-1

user@remote-machine-1~$ eval $( ssh-agent -s )
user@remote-machine-1~$ ssh-add ~/.ssh/id_rsa
user@remote-machine-1~$ ssh -A remote-machine-2

user@remote-machine-2~$ ssh -A remote-machine-3
user@remote-machine-3~$
eval is needed on the ssh-agent command because the ssh client finds the agent through environment variables: SSH_AUTH_SOCK names the socket the agent listens on, and SSH_AGENT_PID holds its process id. eval runs the agent's output so that those variables are set in the current shell. If you run ssh-agent without eval, it only prints the variable assignments:
user@remote-machine-1~$ ssh-agent -s
SSH_AUTH_SOCK=/tmp/ssh-k4hqfIoKDQjg/agent.21310; export SSH_AUTH_SOCK;
SSH_AGENT_PID=21311; export SSH_AGENT_PID;
echo Agent pid 21311;
As you can see, this is valid shell code, which is exactly what eval executes.
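As an added example (not from the original post), here is the same recipe packaged as shell functions for Remote Machine 1: it starts an agent only when none is reachable, adds the key only when its fingerprint is missing, and extracts SSH_AUTH_SOCK and SSH_AGENT_PID from the ssh-agent output instead of eval-ing the whole text. The key path, the hop function name and the use of ssh-keygen/awk for the fingerprint are assumptions.

```shell
#!/bin/sh
# Helper for Remote Machine 1 (the first hop): load the key that RM2 expects
# into a local agent, then hop onward with forwarding enabled.
# Assumptions (not from the original post): the key lives at ~/.ssh/id_rsa
# with its public half beside it, and ssh-add/ssh-keygen are in PATH.
# Usage after sourcing this file:  hop remote-machine-2

KEY="${KEY:-$HOME/.ssh/id_rsa}"

# Pull one value out of the text that `ssh-agent -s` prints, so only the two
# expected assignments are applied rather than eval-ing arbitrary text.
agent_sock_from() {
    printf '%s\n' "$1" | sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p'
}
agent_pid_from() {
    printf '%s\n' "$1" | sed -n 's/^SSH_AGENT_PID=\([0-9]*\);.*/\1/p'
}

# ssh-add -l exit status: 0 = keys loaded, 1 = agent reachable but empty,
# 2 = no agent reachable through $SSH_AUTH_SOCK.
agent_status() {
    ssh-add -l >/dev/null 2>&1
    echo $?
}

# Start an agent only when none is reachable; reuse an existing one otherwise.
ensure_agent() {
    if [ "$(agent_status)" -eq 2 ]; then
        out=$(ssh-agent -s) || return 1
        SSH_AUTH_SOCK=$(agent_sock_from "$out"); export SSH_AUTH_SOCK
        SSH_AGENT_PID=$(agent_pid_from "$out"); export SSH_AGENT_PID
    fi
}

# Add the key only if its fingerprint is not already listed by the agent.
ensure_key() {
    fp=$(ssh-keygen -lf "$KEY.pub" | awk '{print $2}') || return 1
    ssh-add -l 2>/dev/null | grep -qF "$fp" || ssh-add "$KEY"
}

# -A hands the agent socket to the next host, so anyone with root there can
# use it for further hops; forward only towards hosts you trust.
hop() {
    ensure_agent && ensure_key && ssh -A "$@"
}
```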
