SSH forwarding

palouis
Posts: 3
Joined: 2009/07/14 04:58:09

SSH forwarding

Post by palouis » 2021/05/09 06:16:04

Hi,
I am confused (not that abnormal for me), I just configured a new server instance of CentOS 8 to replace an existing CentOS 6.10 host via a migration.

On the old host I could ssh into the system and then issue sudo -i and be authenticated as root without needing to supply a password.

I cannot get the same to work on the CentOS 8 system.

I've tried ssh-add -A etc., but when I am logged into the new system and enter ssh-add -l, no identities are found.

I've put identities in ~/.ssh/config - no use.

Can anyone put me out of my misery with a simple example of what I should be doing? Am I missing something?

Thanks and regards

Paul

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: SSH forwarding

Post by jlehtone » 2021/05/09 08:58:07

Looks like two issues.

The ssh agent forwarding makes the ssh connection forward queries made to ssh-agent on the remote host to the agent on the local host.
You would enable forwarding with option -A (ForwardAgent yes) of ssh.
You naturally have to have ssh-agent running on the local host and keys loaded into that agent.

The sudo is separate. It is possible to configure sudo to not require a password. That is obviously risky.
With the package pam_ssh_agent_auth and some config, sudo queries ssh-agent. That has the risks of agent forwarding.
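A small diagnostic for the two halves jlehtone describes, added here as an example and not code from the thread: it checks whether a forwarded agent is reachable in the current session and whether sudo is wired for pam_ssh_agent_auth. It assumes the conventional wiring (Defaults env_keep += "SSH_AUTH_SOCK" in sudoers, an auth line loading pam_ssh_agent_auth.so in /etc/pam.d/sudo) and the documented ssh-add -l exit codes (0 identities, 1 none, 2 no agent).

```shell
#!/bin/sh
# Constructed diagnostic: is a forwarded ssh-agent reachable on this host,
# and is sudo/PAM configured to consult it?

# Exit status: 0 = agent reachable and holds identities,
#              1 = agent reachable but holds no identities,
#              2 = no usable agent (SSH_AUTH_SOCK unset or socket missing),
#                  i.e. ForwardAgent was not in effect for this session.
agent_status() {
    if [ -z "${SSH_AUTH_SOCK:-}" ] || [ ! -S "$SSH_AUTH_SOCK" ]; then
        return 2
    fi
    ssh-add -l >/dev/null 2>&1
    case $? in
        0) return 0 ;;
        1) return 1 ;;
        *) return 2 ;;
    esac
}

# sudo scrubs the environment, so pam_ssh_agent_auth only finds the agent if
# the sudoers file ($1) carries: Defaults env_keep += "SSH_AUTH_SOCK"
# (reading /etc/sudoers usually needs root; an unreadable file reports false).
sudoers_keeps_agent_sock() {
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+env_keep[[:space:]]*\+?=.*SSH_AUTH_SOCK' "$1"
}

# The sudo PAM stack ($1) must load pam_ssh_agent_auth.so as an auth module,
# e.g. auth sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys
pam_uses_agent_auth() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+.*pam_ssh_agent_auth\.so' "$1"
}

# Human-readable summary; exit status mirrors agent_status.
report() {
    sudoers=${1:-/etc/sudoers}; pamfile=${2:-/etc/pam.d/sudo}
    rc=0; agent_status || rc=$?
    case $rc in
        0) echo "agent: reachable, identities loaded" ;;
        1) echo "agent: reachable but empty (run ssh-add on the local host)" ;;
        2) echo "agent: not reachable (connect with ssh -A / ForwardAgent yes)" ;;
    esac
    if sudoers_keeps_agent_sock "$sudoers"; then echo "sudoers: keeps SSH_AUTH_SOCK"
    else echo "sudoers: SSH_AUTH_SOCK not in env_keep"; fi
    if pam_uses_agent_auth "$pamfile"; then echo "pam: pam_ssh_agent_auth enabled"
    else echo "pam: pam_ssh_agent_auth not configured"; fi
    return $rc
}

[ "${1:-}" = "--report" ] && report "${2:-}" "${3:-}"
```

Run it as `sh check.sh --report` on the remote host after logging in with `ssh -A`; the agent line tells you whether forwarding worked at all before you look at the sudo side.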

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SSH forwarding

Post by TrevorH » 2021/05/09 11:58:36

I just configured a new server instance of CentOS 8 to replace existing CentOS 6.10 host via a migration.
Out of the fireplace, into the fire...

CentOS Linux 8 will go EOL on 31 Dec, 2021 -- in 33 weeks, 4 days
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
