openssh unix dev - May 2004 - Oddness with agent forwarding and -i

Hey everyone,

I hope this isn't an old issue; I wasn't able to
locate it in the archives.

I have a number of scripts which make use of ssh -i
and scp -i, where the target host has the specified
key in its authorized_keys file with a commandoverride to do immediate
processing of the received
data.  This works extremely well, as we are able to
establish single-function, triggered-action RSA keys
to toss data from host to host.

Unfortunately, when invoked with a forwarding agent
present, the agent gets to pass its key(s) before the
key presented on the command line, which causes all
the magic to break.  I've tried echoing the debug
output, and it confirms that the agent does indeed get
first crack at authenticating the connection.

Is this expected behaviour, or should the presence of
-i on the command line take precedence over the agent?

Cheers,
-Thomas


	
		
__________________________________
Do you Yahoo!?
Yahoo! Movies - Buy advance tickets for 'Shrek 2'
http://movies.yahoo.com/showtimes/movie?mid=1808405861

Thomas Baden wrote:
> I have a number of scripts which make use of ssh -i
> and scp -i, where the target host has the specified
> key in its authorized_keys file with a command> override to do immediate
processing of the received
> data.  This works extremely well, as we are able to
> establish single-function, triggered-action RSA keys
> to toss data from host to host.
> 
> Unfortunately, when invoked with a forwarding agent
> present, the agent gets to pass its key(s) before the
> key presented on the command line, which causes all
> the magic to break.  I've tried echoing the debug
> output, and it confirms that the agent does indeed get
> first crack at authenticating the connection.
I can't comment on whether this is really intended behavior, but you can
easily
work around it by unsetting SSH_AUTH_SOCK before you run ssh:

SSH_AUTH_SOCK= ssh -i foo...

-- 
Jefferson Ogata <Jefferson.Ogata at noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at noaa.gov>

Thomas Baden wrote:
> Is this expected behaviour, or should the presence of
> -i on the command line take precedence over the agent?
You can use the IdentitiesOnly option (on the commandline or
in ssh_config) to ignore keys from the agent.

-d

Did you test OpenSSH 3.8.1x ssh flag IdentitiesOnly ?
Please see ssh_config(5) man page for the option IdentitiesOnly.

Sample ~/.ssh/config:
======================================Host host1
        IdentitiesOnly yes
        IdentityFile ~/.ssh/id1

Host host2
        IdentitiesOnly yes
        IdentityFile ~/.ssh/id2
======================================Note with config lake above you can skip
-i flag.


For versions before 3.8.1x I suggest workaround:
1.) for one ssh command in interactive mode as example:
$ ssh-agent scp -i ...

2.) for many ssh commands start new shell in interactive mode as follow:
$ ssh-agent /bin/sh
... enter commands
...
$ CTRL+D

3.) if you use shell script run it as follow:
$ ssh-agent myscript.sh


Enjoy ;-)


Thomas Baden wrote:
>Hey everyone,
>
>I hope this isn't an old issue; I wasn't able to
>locate it in the archives.
>
>I have a number of scripts which make use of ssh -i
>and scp -i, where the target host has the specified
>key in its authorized_keys file with a command>override to do immediate
processing of the received
>data.  This works extremely well, as we are able to
>establish single-function, triggered-action RSA keys
>to toss data from host to host.
>
>Unfortunately, when invoked with a forwarding agent
>present, the agent gets to pass its key(s) before the
>key presented on the command line, which causes all
>the magic to break.  I've tried echoing the debug
>output, and it confirms that the agent does indeed get
>first crack at authenticating the connection.
>
>Is this expected behaviour, or should the presence of
>-i on the command line take precedence over the agent?
>
>Cheers,
>-Thomas
>  
>