Manage authentication for SSH with ssh-agent and agent forwarding
12 02 2023
# Start SSH Agent
$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-QiBK03s2faxa/agent.3369; export SSH_AUTH_SOCK;
SSH_AGENT_PID=9866; export SSH_AGENT_PID;
echo Agent pid 9866;
# Export SSH_AUTH_SOCK & SSH_AGENT_PID
$ SSH_AUTH_SOCK=/tmp/ssh-QiBK03s2faxa/agent.3369; export SSH_AUTH_SOCK;
$ SSH_AGENT_PID=9866; export SSH_AGENT_PID;
# List Identities
$ ssh-add -L
The agent has no identities.
# Add Identity
$ ssh-add .ssh/id_ed25519_user
Enter passphrase for .ssh/id_ed25519:
Identity added: .ssh/id_ed25519 (someuser@somehost)
# List Identities
$ ssh-add -L
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB35GXSghCQL9rLimIxMegUA5WV61tVNvuqTlL8ViljE someuser@somehost
# Connect to the remote host with agent forwarding (-A); the remote side can then authenticate with the keys held by the local agent
$ ssh -A -v localhost
...
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: someuser@somehost ED25519 SHA256:vKcy/yrWzlfpvrmO809K1JZieoylv4t3/hHFDxsa6bc agent
debug1: Server accepts key: someuser@somehost ED25519 SHA256:vKcy/yrWzlfpvrmO809K1JZieoylv4t3/hHFDxsa6bc agent
Authenticated to localhost ([127.0.0.1]:22) using "publickey".
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: filesystem
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: client_input_hostkeys: searching /home/hansli/.ssh/known_hosts for localhost / (none)
debug1: client_input_hostkeys: searching /home/hansli/.ssh/known_hosts2 for localhost / (none)
debug1: client_input_hostkeys: hostkeys file /home/hansli/.ssh/known_hosts2 does not exist
debug1: client_input_hostkeys: no new or deprecated keys from server
debug1: Remote: /home/hansli/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /home/hansli/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Requesting authentication agent forwarding.
Last login: Sun Feb 12 17:35:22 2023 from 127.0.0.1
# Check the SSH-related environment variables on the remote host
$ env |grep SSH |sort
SSH_AUTH_SOCK=/tmp/ssh-grF3adN7qr/agent.91951
SSH_CLIENT=127.0.0.1 36206 22
SSH_CONNECTION=127.0.0.1 36206 127.0.0.1 22
SSH_TTY=/dev/ttyp1
# Check the forwarded agent socket (the leading 's' in the mode is the socket file type, not a SUID bit)
$ ls -la /tmp/ssh-grF3adN7qr/agent.91951
srwxr-xr-x 1 user group 0 Feb 12 17:35 /tmp/ssh-grF3adN7qr/agent.91951
$ w
5:51PM up 6 days, 20:45, 2 users, load averages: 0.01, 0.02, 0.00
USER TTY FROM LOGIN@ IDLE WHAT
stoege p0 192.168.108.100 5:28PM 0 ssh -A localhost -v
user p1 127.0.0.1 5:35PM 0 w
$ ssh -A localhost
$ w
5:53PM up 6 days, 20:47, 3 users, load averages: 0.14, 0.05, 0.01
USER TTY FROM LOGIN@ IDLE WHAT
stoege p0 192.168.108.100 5:28PM 0 ssh -A localhost
user p1 127.0.0.1 5:52PM 0 ssh -A localhost
user p2 127.0.0.1 5:53PM 0 w
$ ssh -A localhost
$ w
5:53PM up 6 days, 20:48, 4 users, load averages: 0.16, 0.06, 0.01
USER TTY FROM LOGIN@ IDLE WHAT
stoege p0 192.168.108.100 5:28PM 0 ssh -A localhost
user p1 127.0.0.1 5:52PM 0 ssh -A localhost
user p2 127.0.0.1 5:53PM 0 ssh -A localhost
user p3 127.0.0.1 5:53PM 0 w
Nesting ssh -A logins like this does not make sense in practice, but it confirms that agent forwarding (-A) is working ...
$ w
5:57PM up 6 days, 20:51, 2 users, load averages: 0.04, 0.04, 0.00
USER TTY FROM LOGIN@ IDLE WHAT
stoege p0 192.168.108.100 5:28PM 0 ssh -A localhost
user p1 127.0.0.1 5:52PM 0 w
$ ssh localhost
$ w
5:57PM up 6 days, 20:51, 3 users, load averages: 0.12, 0.06, 0.01
USER TTY FROM LOGIN@ IDLE WHAT
stoege p0 192.168.108.100 5:28PM 0 ssh -A localhost
user p1 127.0.0.1 5:52PM 0 ssh localhost
user p2 127.0.0.1 5:57PM 0 w
$ ssh localhost
user@localhost: Permission denied (publickey,keyboard-interactive).
$ env |grep SSH |sort
SSH_CLIENT=127.0.0.1 13423 22
SSH_CONNECTION=127.0.0.1 13423 127.0.0.1 22
SSH_TTY=/dev/ttyp2
no SSH_AUTH_SOCK variable, so a login made without -A has no agent to forward and the next hop is denied ...
or check my blog ...
https://blog.stoege.net
twitter: @stoege
mastodon: @stoege@bsd.network