Asked by xpt · score 9 · tags: linux, authentication, openssh, ssh-agent, ubuntu
First, I checked all of the following
but none of them helped. So here is my question:
I can go from A to B, or from A to C, but not from A to B and then from B to C. When connecting from A to B or C I always use `ssh -A` to force SSH agent forwarding.
So why am I still unable to connect A -> B -> C without being asked for a password?
Update: nearly three years later the same problem still haunts me, but now I have narrowed it down:
Symptom: I can ssh A -> B or A -> C, but not A -> B -> C or A -> C -> B.
This thread describes the problem exactly: SSH agent forwarding does not work.
From
Troubleshoot SSH issues
https://confluence.atlassian.com/bitbucket/troubleshoot-ssh-issues-271943403.html
it says:
To list your loaded keys, enter
`ssh-add -l`. If you don't see the SSH key you want to use...
then there's a problem: the SSH key you want to use is not loaded.
This is exactly what happens to me after A -> B or A -> C, i.e. after I `ssh -A` into the intermediate server. The SSH key is missing, not forwarded and not loaded:
$ ssh-add -l
The agent has no identities.
This is why I cannot ssh any further without a password.
It does have the SSH_AUTH_SOCK variable set, and several ssh-agents:
$ echo "$SSH_AUTH_SOCK"
/tmp/ssh-RtEuLOmFDBet/agent.3722
$ ps -e | grep [s]sh-agent
3723 ? 00:00:00 ssh-agent
4613 ? 00:00:00 ssh-agent
It does not seem to be related to my own environment, since it is identical, nor to the /etc/ssh/sshd_config file, since I have compared the ones from intermediate servers that work and that don't.
End of update.
More info: all three machines have the standard Ubuntu ssh configuration, i.e. the AllowAgentForwarding option is not in /etc/ssh/sshd_config, although I doubt it should be, because I saw "As agent forwarding is on by default, removing any AllowAgentForwarding line from sshd_config should suffice." in "Additional configuration needed for ssh-agent forwarding?".
Some say `ssh-add` will do it, but when I run it on B or C it asks me "Enter passphrase for" my .ssh/id_rsa. Some say check SSH_AUTH_SOCK, but I do have it on B or C (from A to B, or from A to C):
$ env | grep SSH_AUTH_SOCK
SSH_AUTH_SOCK=/tmp/ssh-RTScJ5PZh9Mh/agent.2083
Is agent forwarding not working because the AllowAgentForwarding option is missing? Then which machine (A, B or C) should I put it in? Isn't `ssh -A` enough? Also, I have a .ssh/id_rsa file on both B and C; is that why `ssh-add` asks for their passphrases?
Edit:
Here is the `ssh -Avvv` log from B to C:
OpenSSH_6.2p2 Ubuntu-6ubuntu0.1, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /home/myid/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to boxc.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/myid/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /home/myid/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
debug1: identity file /home/myid/.ssh/id_rsa-cert type -1
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/myid/.ssh/id_dsa" as a RSA1 public key
debug1: identity file /home/myid/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: identity file /home/myid/.ssh/id_dsa-cert type -1
debug1: identity file /home/myid/.ssh/id_ecdsa type -1
debug1: identity file /home/myid/.ssh/id_ecdsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2p2 Ubuntu-6ubuntu0.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2p2 Ubuntu-6
debug1: match: OpenSSH_6.2p2 Ubuntu-6 pat OpenSSH*
debug2: fd 3 setting O_NONBLOCK
debug3: put_host_port: boxc
debug3: load_hostkeys: loading entries for host "boxc" from file "/home/myid/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/myid/.ssh/known_hosts:15
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: zlib@openssh.com,zlib,none
debug2: kex_parse_kexinit: zlib@openssh.com,zlib,none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5-etm@openssh.com
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com zlib@openssh.com
debug2: mac_setup: found hmac-md5-etm@openssh.com
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com zlib@openssh.com
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA ed:26:20:93:4c:88:ef:17:70:e3:d4:7a:42:4c:8e:69
debug3: put_host_port: [192.168.2.122]:21
debug3: put_host_port: boxc
debug3: load_hostkeys: loading entries for host "boxc" from file "/home/myid/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/myid/.ssh/known_hosts:15
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries from file "/home/myid/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/myid/.ssh/known_hosts:16
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'boxc' is known and matches the RSA host key.
debug1: Found key in /home/myid/.ssh/known_hosts:15
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/myid/.ssh/id_rsa (0x7f7e....e760),
debug2: key: /home/myid/.ssh/id_dsa (0x7f7e....e7a0),
debug2: key: /home/myid/.ssh/id_ecdsa ((nil)),
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/myid/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 149
debug2: input_userauth_pk_ok: fp 22:32:...:1d:e3
debug3: sign_and_send_pubkey: RSA 22:32:...:1d:e3
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/home/myid/.ssh/id_rsa':
I compared this with my good session (A -> C) and found nothing different except the last 3 lines starting at "key_parse_private_pem: PEM_read_PrivateKey failed". The good session has instead:
debug1: Enabling compression at level 6.
debug1: Authentication succeeded (publickey).
Authenticated to boxc
Everything else is the same.
Again, my environment:
$ apt-cache policy openssh-server
openssh-server:
Installed: 1:6.2p2-6ubuntu0.1
Candidate: 1:6.2p2-6ubuntu0.4
Version table:
1:6.2p2-6ubuntu0.4 0
500 http://archive.ubuntu.com/ubuntu/ saucy-updates/main amd64 Packages
1:6.2p2-6ubuntu0.3 0
500 http://security.ubuntu.com/ubuntu/ saucy-security/main amd64 Packages
% sshd -v
sshd: illegal option -- v
OpenSSH_6.2p2 Ubuntu-6ubuntu0.1, OpenSSL 1.0.1e 11 Feb 2013
Thanks
For nearly seven years I have been trying to solve this problem, and it is finally solved: I was starting keychain's ssh-agent from my ~/.profile, even on machines B and C. That was the root of the problem, because keychain's ssh-agent overrode the one provided by sshd.
Removing it (keychain) from my ~/.profile fixed the problem.
Update: another possibility is that ssh-agent etc. is often started as part of starting the GUI on the local system. In another case, for example, the invocation was hidden in /etc/X11/xdm/sys.xsession!
I confirmed that my SSH agent forwarding works from MachineA with
ssh -t MachineB ssh MachineC
whereas `ssh MachineB` and then `ssh MachineC` was what failed.
From now on I will only start it (ssh-agent, from keychain etc.) manually from machine A.
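The symptom in the question (SSH_AUTH_SOCK set on the intermediate host, yet `ssh-add -l` reports no identities and a stray ssh-agent process is running) and the root cause in the answer (a login script starting its own agent over the one sshd provided) can both be caught by a small check in ~/.profile. The following is an added example and not the original poster's code. It assumes Linux's /proc (it reads /proc/<pid>/comm) and OpenSSH's agent socket naming /tmp/ssh-XXXXXXXXXX/agent.<pid>; the function names and the SSH_ADD_CMD override are my own.

```shell
#!/bin/sh
# Added example, not the original poster's code. Helpers for a login script
# (~/.profile) on an intermediate host such as B or C, so that a local
# ssh-agent/keychain is started only when no agent is already reachable and
# a forwarded agent from sshd is never clobbered.
#
# Assumptions: Linux /proc for /proc/<pid>/comm, and OpenSSH's socket naming
# /tmp/ssh-XXXXXXXXXX/agent.<pid>, where <pid> is the sshd session process for
# a forwarded socket, and for a local agent the pid of the ssh-agent parent
# that exits right after printing the environment (compare the question's
# agent.3722 next to an ssh-agent at pid 3723).
# ssh-add -l exits 0 with identities, 1 with none, 2 when no agent answers.

# Print the pid encoded in an agent socket path; fail on any other path.
agent_sock_pid() {
    case "$1" in
        */agent.[0-9]*) printf '%s\n' "${1##*/agent.}" ;;
        *) return 1 ;;
    esac
}

# Classify the creator of the socket: forwarded (sshd), local (ssh-agent or
# an already-exited parent), unknown. $2 overrides the proc root for tests.
agent_sock_origin() {
    pid=$(agent_sock_pid "$1") || { echo unknown; return 1; }
    proc=${2:-/proc}
    if [ -r "$proc/$pid/comm" ]; then
        case "$(cat "$proc/$pid/comm")" in
            sshd)      echo forwarded ;;
            ssh-agent) echo local ;;
            *)         echo unknown ;;
        esac
    else
        # Heuristic: sshd removes its socket directory when the session ends,
        # so a socket whose pid is gone was almost certainly left by a local
        # agent whose parent process has already exited.
        echo local
    fi
}

# Succeed only when a login script should start its own agent, i.e. when
# SSH_AUTH_SOCK is unset or no agent answers on it. An agent that answers
# but holds no identities still counts as present: that is the symptom the
# question shows, and starting a second agent would only hide it.
# SSH_ADD_CMD lets tests substitute a stand-in for ssh-add.
should_start_local_agent() {
    [ -n "${SSH_AUTH_SOCK:-}" ] || return 0
    st=0
    "${SSH_ADD_CMD:-ssh-add}" -l >/dev/null 2>&1 || st=$?
    [ "$st" -eq 2 ]
}

# One-line diagnosis for an interactive session: run it on B right after
# `ssh -A B` to see which agent the shell is really talking to.
report_agent() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo "SSH_AUTH_SOCK unset: no agent at all"
        return 1
    fi
    st=0
    ssh-add -l >/dev/null 2>&1 || st=$?
    case $st in
        0) keys="identities loaded" ;;
        1) keys="agent reachable but empty" ;;
        *) keys="no agent reachable" ;;
    esac
    echo "$SSH_AUTH_SOCK origin=$(agent_sock_origin "$SSH_AUTH_SOCK") $keys"
}

# Usage in ~/.profile on B and C, replacing an unconditional keychain call:
#   if should_start_local_agent; then
#       eval "$(ssh-agent -s)"   # or keychain; only on a host with no agent
#   fi
```

With this guard in place, a session opened with `ssh -A` keeps sshd's forwarded socket (`report_agent` prints `origin=forwarded` with identities loaded), while a console login on a host with no agent still gets a local one.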