There are a good number of answers out there on ssh agent forwarding, but I couldn't seem to find one that addresses my issue.
I am using packer.io to automate the provisioning of my servers.  One of the builders I am using is the virtualbox-iso builder to allow me to create a Vagrant box for local testing.
My host machine is a MacBook Pro, on which I have added two ssh keys to ssh-agent with a command like: ssh-add -K ~/.ssh/id_rsa.  I can verify they both exist with ssh-add -l and ssh-add -L.
One of the keys is my work bitbucket account and the other is my personal account.  I would like to specifically target the work account on this particular VM.  On my Host I created a config under ~/.ssh/config with the following contents:
Host work.bitbucket.org
  User workuser
  ForwardAgent yes
  IdentitiesOnly yes
  IdentityFile ~/.ssh/id_rsa
Host bitbucket.org
  User homeuser
  ForwardAgent yes
  IdentitiesOnly yes
  IdentityFile ~/.ssh/id_rsa_personal
I could then log in on my Host with my work key via:
ssh -T git@work.bitbucket.org
and my home key with
ssh -T git@bitbucket.org
Now for the VM...
Following instructions I had found from other answers I had added config.ssh.forward_agent = true to my Vagrantfile.
I also do the following in one of my provisioning scripts:
echo "updating known_hosts folder"
ssh-keyscan work.bitbucket.org >> ~/.ssh/known_hosts
echo "adding bitbucket key from file"
sudo cat /input/rsa.txt >> ~/.ssh/authorized_keys
The first command allows me to avoid any future prompts to add the key to my known_hosts file. The second command simply appends my work rsa key from a file that was uploaded in a previous step.
This seems to get my agent forwarding working on my VM to some degree; however, it always chooses the first entry in my ssh-agent.
If I try either: ssh -T git@work.bitbucket.org or ssh -T git@bitbucket.org I always get the first key listed in ssh-add -l. (I actually verified this by adding and removing keys to manipulate the order.)
I assumed this was due to the fact that I am already in an ssh session while I am on the box.  So I looked at this question to verify how vagrant ssh actually works.  I tried to manipulate my Host machine's config file with 127.0.0.1:PORT where PORT was the specific port my machine is on.  I also tried adding a wildcard config on my VM to allow the hop, but I had obviously not set something up correctly as it still doesn't work as expected.
For now I can just manually remove (ssh-add -d pathtokeytoremovehere) the extra keys and add them back when I need them, but this is obviously not ideal.
Any ideas?
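
An added example, not part of the original post: the ssh client inside the VM reads the VM's own ~/.ssh/config, not the host's, so key selection for a forwarded agent has to be configured in the guest. OpenSSH accepts a public key file as IdentityFile and, with IdentitiesOnly yes, offers only the matching key from the agent. The .pub file names below are assumptions; the host aliases are the ones used in the post.

```sshconfig
# Guest VM: ~/.ssh/config  (added example; the .pub file names are assumed)
#
# Only the PUBLIC halves of the keys live in the guest. The private keys
# stay in the host's ssh-agent and are used through the forwarded socket
# (SSH_AUTH_SOCK), so nothing secret is written to the box image.
#
# The public key lines can be taken from `ssh-add -L`, run on the host or
# in the guest while the agent is forwarded, and saved one key per file.

Host work.bitbucket.org
  # Ignore the agent's ordering; offer only the key named below.
  IdentitiesOnly yes
  # Public key file: ssh asks the agent for the matching private key.
  IdentityFile ~/.ssh/id_rsa_work.pub
  # The guest is the last hop, so do not forward the agent any further.
  ForwardAgent no

Host bitbucket.org
  IdentitiesOnly yes
  IdentityFile ~/.ssh/id_rsa_personal.pub
  ForwardAgent no
```

Running ssh -v -T git@work.bitbucket.org in the guest shows which key is actually offered, which confirms the selection without reordering the keys in the agent.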
 
     
    