Is there any way to disable the authentication agent globally? I'm not
quite sure I understand its purpose. Here is some background info:

workstation: Key pair (dsa).
host1: No key pair. No authorized_keys.
host2: Has my workstation's key in authorized_keys.

I ssh to host1 from my workstation.
I ssh to host2 from host1. I am asked for a password. Good.
I ssh to host2 from my workstation. I am logged in via pubkey auth.
I relogin to host2 from host1. I am not asked for a password. Why?

It doesn't sit well with me when a host allows me to login without a
password, when I haven't configured it that way (I realize it may be OK,
but still...)

host1:~$ ssh -vvv host2
OpenSSH_3.0.2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 1000 geteuid 0 anon 1
debug1: Connecting to host2 [] port 22.
debug1: temporarily_use_uid: 1000/1000 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 1000/1000 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /home/rjmooney/.ssh/identity type -1
debug1: identity file /home/rjmooney/.ssh/id_rsa type -1
debug1: identity file /home/rjmooney/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.0.2
debug1: match: OpenSSH_3.0.2 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.0.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 134/256
debug1: bits set: 1614/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'host2' is known and matches the RSA host key.
debug1: Found key in /home/rjmooney/.ssh/known_hosts:1
debug1: bits set: 1616/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: userauth_pubkey_agent: testing agent key "Robert Mooney at workstation"
debug1: input_userauth_pk_ok: pkalg ssh-dss blen 819 lastkey 0x490a0 hint -1
debug1: ssh-userauth2 successful: method publickey
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: channel request 0: shell
debug1: channel 0: open confirm rwindow 0 rmax 16384
Last login: Fri Feb 1 22:31:04 2002 from host1
host2:~$

- Rob

-- 
Robert Mooney (rjmooney at aboveground.cx)
www: http://www.aboveground.cx/~rjmooney/
On Fri, Feb 01, 2002 at 11:33:40PM -0500, Robert Mooney wrote:

> Is there any way to disable the authentication agent globally? I'm not
> quite sure I understand its purpose. Here is some background info:
>
> workstation: Key pair (dsa).
> host1: No key pair. No authorized_keys.
> host2: Has my workstation's key in authorized_keys.
>
> I ssh to host1 from my workstation.
> I ssh to host2 from host1. I am asked for a password. Good.
> I ssh to host2 from my workstation. I am logged in via pubkey auth.
> I relogin to host2 from host1. I am not asked for a password. Why?

host1 has no authorized_keys and you are not asked for a password? Then
you probably have a password-less account. This has nothing to do with
the 'authentication agent'.
On 2002-02-03, "Robert Mooney" <rjmooney at aboveground.cx> wrote:

> If I log in to host1 from workstation w/ password auth, and
> I log in to host2 from workstation w/ DSA public key auth, and...

Using ssh-agent on workstation for this connection?

> I try to ssh from host1 to host2, host2 allows me to login w/o a
> password.
> Why?

Perhaps because you have agent-forwarding turned on when ssh'ing from
workstation to host1? Even though you are logging in to host1 w/a
password, that ssh session has access to your agent. Test this by doing
an 'ssh-add -l' on host1 after logging in to it.

If this is it, add 'AgentForwarding no' to $etc/ssh_config or
~/.ssh/config (either for all hosts, or just for host1) and it should
stop. IIRC that is the default nowadays though, so perhaps this is not
the problem...

> Is there any way to disable the authentication agent in the server
> config?

You mean in host1's sshd_config file, correct? I do not believe so.
There is arguably room for an sshd_config option for this (after all
there's options to control other kinds of forwarding), but it's not
something one usually sees unless one is using pubkey auth in the first
place, which you are not when you log into host1.

To be clear: it's the intermediate host for which such a setting
matters. There is no way for a destination host to tell the difference
between an agent-forwarded pubkey auth and a direct pubkey auth,
provided the host the connection comes from is permitted by any from=""
entry in the authorized_keys file. This is unfortunate.

-- 
Hank Leininger <hlein at progressive-comp.com>
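The two checks Hank's reply points at, written out as an added example (this is not code from the thread or from OpenSSH): on the intermediate host, classify what 'ssh-add -l' reports so you know whether the login shell is carrying a forwarded agent; on the destination host, list the authorized_keys entries that such an agent could use from any intermediate host because they have no from="" restriction. The authorized_keys content is a constructed sample with placeholder key blobs; the function names and the temp-file path are this example's own. The ssh_config keyword that turns forwarding off is spelled ForwardAgent (and 'ssh -a' does the same for a single connection); that is the setting you would use on the workstation for the host1 entry.

```sh
#!/bin/sh
# Added example, not code from the thread. Two checks that follow from the
# reply above: on the intermediate host (host1), find out whether the login
# shell has a forwarded agent; on the destination host (host2), list
# authorized_keys entries that a forwarded agent on any intermediate host
# could use because they carry no from="" restriction.

# Check 1 (run on host1 after logging in): classify ssh-add -l.
#   exit 0 -> an agent is reachable and holds identities, so "ssh host2"
#             from here will offer them; that is the forwarded workstation agent
#   exit 1 -> an agent is reachable but holds no identities
#   exit 2 -> no agent socket at all (also reported when ssh-add is missing)
agent_status() {
    if ! command -v ssh-add >/dev/null 2>&1; then
        echo no-agent
        return 0
    fi
    ssh-add -l >/dev/null 2>&1 && rc=0 || rc=$?
    case $rc in
        0) echo forwarded-agent-with-keys ;;
        1) echo agent-without-keys ;;
        *) echo no-agent ;;
    esac
}

# Check 2 (run on host2): print authorized_keys lines with no from="" option.
# The options field, if present, is everything before the key-type token.
# awk splits quoted options that contain spaces, so the fields in front of
# the key type are re-joined before looking for from=.
keys_without_from() {
    awk '
        /^[ \t]*#/ { next }
        {
            k = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-|sk-)/) { k = i; break }
            if (k == 0) next                     # blank line or not a key line
            opts = ""
            for (i = 1; i < k; i++) opts = opts " " $i
            if (opts !~ /[ ,]from="/) print
        }' "$1"
}

# Constructed sample authorized_keys for host2; the key blobs are placeholders,
# not real keys. Written to a temp file so the audit runs on a real path.
SAMPLE_AUTHORIZED_KEYS="${TMPDIR:-/tmp}/authorized_keys.example.$$"
trap 'rm -f "$SAMPLE_AUTHORIZED_KEYS"' EXIT
cat > "$SAMPLE_AUTHORIZED_KEYS" <<'EOF'
# constructed example, not a real authorized_keys file
ssh-dss AAAAB3NzaC1kc3MAAACBPLACEHOLDER1 Robert Mooney at workstation
from="workstation.example.org" ssh-dss AAAAB3NzaC1kc3MAAACBPLACEHOLDER2 same key, pinned
command="/usr/bin/rsync --server",from="10.0.0.5" ssh-rsa AAAAB3NzaC1yc2EAAAAPLACEHOLDER3 backup
no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAAPLACEHOLDER4 automation
EOF

echo "agent in this login session: $(agent_status)"
echo "host2 keys usable from any source host (no from= restriction):"
keys_without_from "$SAMPLE_AUTHORIZED_KEYS"
```

On host1 in the thread, agent_status would report forwarded-agent-with-keys, which is exactly why the hop to host2 needs no password. On the sample file the audit prints the first and last entries; the two with from="" are the ones a forwarded agent on an unlisted host cannot use, which is the only destination-side control the reply describes. Later OpenSSH releases than the 3.0.2 shown above did add an sshd_config option, AllowAgentForwarding, so an intermediate host can now refuse to create the forwarding socket at all; on a client of that era the fix stays on the workstation side, ForwardAgent no for host1.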