Anne,
Thanks for the suggestion. I always forget about easy things like debug
On OpenSSH, (I'm running openssh 2.3.0 p1) it's '-v'
I do have DSA authentication enabled on all machines. Before they were
moved into their current configuration (with system2 now 'behind'
system1), I was able to ssh to both systems and DSA authenticate. Of
course, in that case, the agent isn't forwarding, but talking directly to
sshd on the particular machine.
(My apologies to the list for the following debug output. I've clipped
things I don't think are important to the discussion.)
Here's how it works now:
[def@laptop def]$ ssh -v system1
debug: Reading configuration data /home/def/.ssh/config
debug: Applying options for *
debug: Reading configuration data /etc/ssh/ssh_config
debug: Seeding random number generator
...
debug: Host 'system1' is known and matches the DSA host key.
...
debug: GOT SSH2_MSG_NEWKEYS.
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: done: KEX2.
debug: send SSH2_MSG_SERVICE_REQUEST
debug: service_accept: ssh-userauth
debug: got SSH2_MSG_SERVICE_ACCEPT
debug: authentications that can continue: publickey,password
debug: trying DSA agent key /home/def/.ssh/id_dsa
debug: ssh-userauth2 successfull
...
[def@system1 def]$ ssh -v system2
debug: Reading configuration data /etc/ssh/ssh_config
debug: Seeding random number generator
...
debug: Host 'system2' is known and matches the DSA host key.
...
debug: dsa_verify: signature correct
debug: Wait SSH2_MSG_NEWKEYS.
debug: GOT SSH2_MSG_NEWKEYS.
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: done: KEX2.
debug: send SSH2_MSG_SERVICE_REQUEST
debug: service_accept: ssh-userauth
debug: got SSH2_MSG_SERVICE_ACCEPT
debug: authentications that can continue: publickey,password
debug: next auth method to try is publickey
debug: key does not exist: /home/def/.ssh/id_dsa
debug: next auth method to try is password
def@web2's password:
--
Don Faulkner, KB5WPM |
| "All that is gold does not glitter."
( This space unintentionally | "not all those who wander are lost."
left blank ) | --J.R.R. Tolkien
On Tue, 13 Feb 2001 [EMAIL PROTECTED] wrote:
> Hi Don,
>
> Here's some thoughts on this. Do you have public key authentication defined on the server side?
>
> Run your client and server in debug mode (I think it's -D with OpenSSH) and see what that tells you when you try to connect.
>
> -Anne
>
>
> On Tue, Feb 13, 2001 at 11:19:02AM -0800, Don Faulkner wrote:
> > First time I've tried this, so I'm probably really confused.
> >
> > I've had ssh-agent working on my laptop for some time. Now, I want to ssh
> > to system1, and from my shell on system1, ssh to system2.
> >
> > So I do
> > laptop$ eval `ssh-agent`
> > laptop$ ssh-add $HOME/.ssh/id_dsa
> > laptop$ ssh system1
> >
> > system1$ ssh system2
> > enter password for user@system2:
> >
> > What am I doing wrong here? Do I need to start an ssh-agent as part of my
> > logon process in system1? or is there something else going on?
> >
> > --
> > Don Faulkner, KB5WPM |
> > | "All that is gold does not glitter."
> > ( This space unintentionally | "not all those who wander are lost."
> > left blank ) | --J.R.R. Tolkien
> >
> >
> ------------------------------------------------------------------------
> Anne Carasik | An unsophisticated forecaster uses
> Principal Security Consultant | statistics as a drunken man uses
> SSH Communications Security, Inc. | lamp-posts - for support rather than
> Email: [EMAIL PROTECTED] | for illumination. -Andrew Lang
> ------------------------------------------------------------------------
> Unless stated otherwise above, the opinions expressed herein are my own,
> not of my employer.
>
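
Added example (not part of the original thread): a small Python parser over the two debug excerpts in the message above that reports, per hop, whether the ssh client offered a key from an agent or only looked for a key file on disk before moving on to password authentication. The function names and result labels are hypothetical; the log lines are copied from the post.

```python
import re

# Debug excerpts in the format shown in the post ("ssh -v", OpenSSH 2.3.0p1).
HOP1 = """\
debug: authentications that can continue: publickey,password
debug: trying DSA agent key /home/def/.ssh/id_dsa
debug: ssh-userauth2 successfull
"""
HOP2 = """\
debug: authentications that can continue: publickey,password
debug: next auth method to try is publickey
debug: key does not exist: /home/def/.ssh/id_dsa
debug: next auth method to try is password
"""

PATTERNS = {
    "agent_keys": re.compile(r"^debug: trying \S+ agent key (\S+)$"),
    "missing_key_files": re.compile(r"^debug: key does not exist: (\S+)$"),
    "methods_tried": re.compile(r"^debug: next auth method to try is (\S+)$"),
}
SUCCESS = re.compile(r"^debug: ssh-userauth2 success")


def summarize(log):
    """Collect the authentication events from one 'ssh -v' transcript."""
    out = {name: [] for name in PATTERNS}
    out["authenticated"] = False
    for raw in log.splitlines():
        line = raw.strip()
        if SUCCESS.match(line):
            out["authenticated"] = True
        for name, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                out[name].append(m.group(1))
    return out


def classify(log):
    """Hypothetical labels: where did this hop look for a key?"""
    s = summarize(log)
    if s["agent_keys"]:
        return "agent-key-offered"
    if s["missing_key_files"] and "password" in s["methods_tried"]:
        return "no-agent-key-password-fallback"
    return "undetermined"


if __name__ == "__main__":
    for name, log in (("laptop -> system1", HOP1), ("system1 -> system2", HOP2)):
        print(name, classify(log), summarize(log))
```

On the intermediate host, `echo $SSH_AUTH_SOCK` and `ssh-add -l` show whether that shell can reach an agent at all.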