SSH agent forwarding and GNU screen

I'm an avid user of both gateway-based SSH and GNU screen.

By gateway-based SSH, I mean first SSHing to one machine (a jump host) and then from there on to the machine I was actually looking for, either as a security measure or simply because the target has no external IP address.

Up until now, this had never worked for me in combination with OpenSSH's excellent agent forwarding.

Agent forwarding is what it sounds like: your SSH agent (the process that keeps your unlocked private keys in memory) is made reachable from the remote machine through the SSH connection, as a Unix socket whose path is exported in SSH_AUTH_SOCK, so a further ssh from there can authenticate with your keys without the keys ever leaving your laptop. It is enabled with the -A option to ssh (or ForwardAgent yes in ssh_config). One caveat worth keeping in mind: while the session is open, anyone with root on the intermediate host can connect to that socket and sign with your keys, so only forward your agent to hosts you trust.

Commonly, I'd get an issue like this:

laptop $ ssh -At gateway ssh -A svett
svett $ screen -r
svett $ svn up
Password:

I mean, who the hell uses passwords these days anyway? So, on to the solution. It's quite simple, actually.

The forwarding itself is simple, and the reason it fails in the case above is that the screen session was started under an earlier SSH connection. That connection created a forwarded-agent socket, exported its path in SSH_AUTH_SOCK, and removed the socket when it closed; the shells inside screen still carry the old, now dangling path, so ssh finds no agent and svn falls back to a password prompt. The new login has a fresh socket at a new path, which the shells inside screen know nothing about. How do we fix it? Simple. Put the new path into the environment of the shell inside screen.

laptop $ ssh -At gateway ssh -A svett
svett $ echo $SSH_AUTH_SOCK
/tmp/ssh-abcdef/agent.1234
svett $ screen -r
svett $ export SSH_AUTH_SOCK=/tmp/ssh-abcdef/agent.1234
svett $ svn up
At revision 1234.

And that's all there is to it. You could set up an alias for this if you do it often enough, but then you depend on that alias being present on every machine you use, so...
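The manual export above has to be repeated on every reattach. The script below is an added example (mine, not code from the original post) that generalises the same fix: on each fresh login it points a stable symlink at the live forwarded socket, shells inside screen adopt the symlink, and a small probe tells you whether the agent behind SSH_AUTH_SOCK is actually reachable (using ssh-add's documented exit codes: 0 keys listed, 1 agent empty, 2 cannot contact the agent). The link path $HOME/.ssh/ssh_auth_sock and the function names are my own choices.

```shell
#!/bin/sh
# Added example, not part of the original post: keep SSH_AUTH_SOCK valid
# inside long-running screen sessions by going through a stable symlink.
#
# Assumptions (mine): the link lives at $HOME/.ssh/ssh_auth_sock and this
# file is sourced from ~/.profile (or ~/.bashrc) on the host running screen.

AGENT_LINK="${AGENT_LINK:-$HOME/.ssh/ssh_auth_sock}"

# agent_status: probe the agent behind $SSH_AUTH_SOCK.
#   0 = agent reachable and holds at least one key
#   1 = agent reachable but empty
#   2 = cannot contact an agent (unset, dangling or dead socket)
# Codes 0/1/2 are ssh-add's own; the -S test only short-cuts the obvious case.
agent_status() {
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ] || return 2
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) return 0 ;;
        1) return 1 ;;
        *) return 2 ;;
    esac
}

# link_agent SOCKET [LINK]: point the stable link at a live socket and print
# the link path. Fails if SOCKET is not a socket, which filters out the
# dangling path left behind by a connection that has already closed.
link_agent() {
    sock=$1
    link=${2:-$AGENT_LINK}
    [ -n "$sock" ] && [ -S "$sock" ] || return 1
    dir=$(dirname "$link")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    rm -f "$link" && ln -s "$sock" "$link" || return 1
    printf '%s\n' "$link"
}

# setup_agent_sock: on a fresh login outside screen (STY unset) with a
# forwarded agent, refresh the link and switch SSH_AUTH_SOCK to it; inside
# screen, adopt the link if it currently points at a live socket.
# Returns 0 when SSH_AUTH_SOCK ends up pointing at a live socket.
setup_agent_sock() {
    if [ -z "$STY" ] && [ -n "$SSH_AUTH_SOCK" ] && [ "$SSH_AUTH_SOCK" != "$AGENT_LINK" ]; then
        link_agent "$SSH_AUTH_SOCK" "$AGENT_LINK" >/dev/null && export SSH_AUTH_SOCK="$AGENT_LINK"
    elif [ -S "$AGENT_LINK" ]; then
        export SSH_AUTH_SOCK="$AGENT_LINK"
    fi
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Usage from ~/.profile (assumed location of this file):
#   . ~/bin/agent-sock.sh && setup_agent_sock
```

Because every new login rewrites the one symlink, a shell that was started inside screen weeks ago still resolves $HOME/.ssh/ssh_auth_sock to the current live socket, and the export only ever has to happen once per shell. The -S test is what matters for the failure mode in the post: a path that no longer exists is rejected instead of being silently handed to ssh.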


Comments
Posted by: ΤΖΩΤΖΙΟΥ

For the even more lazy people:

all your bash shells (mainly those under screen) should have:

$ trap ". ~/tmp/agent" USR2

(in case you also use ash/dash, change that signal into USR1)

In your .profile, add something along the lines:

# Only on a fresh login shell: outside screen, with a forwarded agent socket
if [ -z "$STY" -a -n "$SSH_AUTH_SOCK" -a "$SHLVL" -eq 1 ]
then
    echo -n "reset ssh agent? "
    read reply
    if [ "$reply" = y ]
    then
        echo saving SSH authentication data
        # ~/tmp/agent is sourced by every bash on USR2 (see the trap above);
        # inside screen it also updates the environment of new windows
        echo "[ -n \"\$STY\" ] && screen -X setenv SSH_AUTH_SOCK $SSH_AUTH_SOCK" >~/tmp/agent
        echo "export SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >>~/tmp/agent
        echo "echo reconfigured" >>~/tmp/agent
        exec bin/screen_reconnect
    fi
fi

and screen_reconnect is a python script that, among other things, does:

import os
import subprocess

# Make every bash re-source ~/tmp/agent via the USR2 trap above. Any bash
# that has not installed that trap is terminated instead, since that is the
# default action for SIGUSR2.
subprocess.call(("/usr/bin/killall", "-s", "USR2", "bash"))
# … find the running session (elided in the comment; the result is `session`)
os.execl("/usr/bin/screen", "screen", "-A", "-a", "-U", "-D", "-r", session)

2010-01-13 @ 15:55:18
URL: http://tzotzioy.blogspot.com
