Agaric Design Collective

SSH agent forwarding on Mac OS X debugging

By Benjamin Melançon
on 15 Jun

Key words and phrases

ssh agent refresh ssh

Description

ssh -v agaric-production

OpenSSH_5.1p1, OpenSSL 0.9.7l 28 Sep 2006
debug1: Reading configuration data /Users/ben/.ssh/config
debug1: Applying options for agaric-production
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to agaricdesign.com [66.135.37.243] port 22.
debug1: Connection established.
debug1: identity file /home/ben/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 zlib@openssh.com
debug1: kex: client->server aes128-cbc hmac-md5 zlib@openssh.com
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'agaricdesign.com' is known and matches the RSA host key.
debug1: Found key in /Users/ben/.ssh/known_hosts:33
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/ben/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey).

Tried changing back to RSA:

Ebony-II:.ssh ben$ vi config

Ebony-II:.ssh ben$ ssh -v agaric-production
OpenSSH_5.1p1, OpenSSL 0.9.7l 28 Sep 2006
debug1: Reading configuration data /Users/ben/.ssh/config
debug1: Applying options for agaric-production
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to agaricdesign.com [66.135.37.243] port 22.
debug1: Connection established.
debug1: identity file /home/ben/.ssh/id_rsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 zlib@openssh.com
debug1: kex: client->server aes128-cbc hmac-md5 zlib@openssh.com
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'agaricdesign.com' is known and matches the RSA host key.
debug1: Found key in /Users/ben/.ssh/known_hosts:33
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/ben/.ssh/id_rsa
debug1: No more authentication methods to try.
Permission denied (publickey).

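Following a model script for Debian on Mac OS X can cause problems: there is no /home/username on a Mac, it's /Users/username. In both runs above the config points ssh at a key under /home/ben/.ssh/, a path that does not exist on the Mac, so ssh has no usable key to offer and ends with "Permission denied (publickey)".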

ben@server:/var/www$ ssh-add -l
debug1: client_input_channel_open: ctype auth-agent@openssh.com rchan 2 win 65536 max 16384
debug1: channel 1: new [authentication agent connection]
debug1: confirm auth-agent@openssh.com
The agent has no identities.
debug1: channel 1: FORCE input drain
ben@server:/var/www$ debug1: channel 1: free: authentication agent connection, nchannels 2

stefan-agaric: Ben. on macosx your home directory is not /home/ben, is it?
[11:24am] benjamin-agaric: oy bloody vey
[11:24am] stefan-agaric: debugging helps.
[11:25am] stefan-agaric: without that output I would not have guessed it.
[11:25am] benjamin-agaric: $ pwd
[11:25am] benjamin-agaric: gives: /Users/ben/.ssh
[11:26am] benjamin-agaric: I should set up bash to give the full path at all times
[11:26am] benjamin-agaric: i totally forgot that. Too long on Ubuntu already!

[11:33am] stefan-agaric: to see if you have an agent type ssh-add -l
[11:33am] stefan-agaric: it should show something.
[11:33am] benjamin-agaric: while logged in?
[11:33am] stefan-agaric: yes.
[11:33am] stefan-agaric: it should show the same key fingerprint that's shown when doing it locally, if any.
[11:36am] stefan-agaric: if nothing is shown locally, you have to run "exec ssh-agent bash" to start the agent in your terminal.
[11:37am] benjamin-agaric: added at the bottom here: http://agaric.com/note/ssh-agent-forwarding-mac-os-x-debugging
[11:37am] benjamin-agaric: now i have to go back and add what makes it work, hehehe
[11:38am] stefan-agaric: I know MacOSX has some way to start the agent automatically, too..
[11:43am] stefan-agaric: www.sshkeychain.org
[11:50am] benjamin-agaric: well, trying it on my use case and it doesn't work:
[11:50am] benjamin-agaric: ben@agaricdesign:/var/www/bfhua$ git pull agaric master
[11:50am] benjamin-agaric: debug1: client_input_channel_open: ctype auth-agent@openssh.com rchan 2 win 65536 max 16384
[11:50am] benjamin-agaric: debug1: channel 1: new [authentication agent connection]
[11:50am] benjamin-agaric: debug1: confirm auth-agent@openssh.com
[11:50am] benjamin-agaric: debug1: channel 1: FORCE input drain
[11:50am] benjamin-agaric: Permission denied (publickey).
[11:50am] benjamin-agaric: fatal: The remote end hung up unexpectedly
[11:50am] benjamin-agaric: ben@agaricdesign:/var/www/bfhua$ debug1: channel 1: free: authentication agent connection, nchannels 2
[11:52am] benjamin-agaric: Ahh, ok:
[11:52am] benjamin-agaric: Ebony-II:.ssh ben$ exec ssh-agent bash
[11:52am] benjamin-agaric: bash-3.2$
[11:52am] benjamin-agaric: ben@agaricdesign:/var/www/bfhua$ ssh-add -l
[11:52am] benjamin-agaric: debug1: client_input_channel_open: ctype auth-agent@openssh.com rchan 2 win 65536 max 16384
[11:52am] benjamin-agaric: debug1: channel 1: new [authentication agent connection]
[11:52am] benjamin-agaric: debug1: confirm auth-agent@openssh.com
[11:52am] benjamin-agaric: The agent has no identities.
[11:52am] benjamin-agaric: debug1: channel 1: FORCE input drain
[11:52am] benjamin-agaric: ben@agaricdesign:/var/www/bfhua$ debug1: channel 1: free: authentication agent connection, nchannels 2
[11:53am] benjamin-agaric: or not ok?
[11:53am] benjamin-agaric: stefan-agaric: thoughts?
[11:54am] stefan-agaric: it will not have identities until you add them. I think they are added automatically when using them.
[11:56am] stefan-agaric: try to login and run the command again to see.
[12:02pm] stefan-agaric: to add the standard identities just run ssh-add
[12:02pm] stefan-agaric: do that in the terminal on your laptop where your agent is running.

[12:06pm] stefan-agaric: ok. we must make sure you have the identities loaded into a running agent on your laptop.
[12:06pm] benjamin-agaric: ssh-add
[12:06pm] benjamin-agaric: Identity added: /Users/ben/.ssh/id_rsa (/Users/ben/.ssh/id_rsa)
[12:06pm] benjamin-agaric: Identity added: /Users/ben/.ssh/id_dsa (/Users/ben/.ssh/id_dsa)
[12:07pm] stefan-agaric: now try ssh-add -l
[12:07pm] benjamin-agaric: ssh-add -l
[12:07pm] benjamin-agaric: 2048 03:84:fb:ee:3f:44:ac:c3:4a:17:98:50:bc:93:3e:32 /Users/ben/.ssh/id_rsa (RSA)
[12:07pm] benjamin-agaric: 1024 8e:29:bb:71:70:12:e1:db:da:6a:d6:fe:c4:3e:09:5e /Users/ben/.ssh/id_dsa (DSA)
[12:08pm] stefan-agaric: now try to login to one of our servers and run the same command again.
[12:08pm] benjamin-agaric: reading the ssh -v output, last line: debug1: Requesting authentication agent forwarding.
[12:09pm] benjamin-agaric: Woohooo!!
[12:09pm] benjamin-agaric: cd /var/www/example/
[12:09pm] benjamin-agaric: ben@server:/var/www/example$ git pull agaric master
[12:09pm] benjamin-agaric: debug1: client_input_channel_open: ctype auth-agent@openssh.com rchan 2 win 65536 max 16384
[12:09pm] benjamin-agaric: debug1: channel 1: new [authentication agent connection]
[12:09pm] benjamin-agaric: debug1: confirm auth-agent@openssh.com
[12:09pm] benjamin-agaric: debug1: channel 1: FORCE input drain
[12:09pm] benjamin-agaric: debug1: channel 1: free: authentication agent connection, nchannels 2
[12:09pm] benjamin-agaric: From git.agariclabs.com:/srv/git/example
[12:09pm] benjamin-agaric: * branch master -> FETCH_HEAD
[12:09pm] benjamin-agaric: Already up-to-date.

On Debian/Ubuntu the X server starts with an ssh-agent. Without that or the Mac OS X keychain it's not bearable.
There's also a blog post about it: http://www.dribin.org/dave/blog/archives/2007/11/28/ssh_agent_leopard/
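
A pre-flight check for the two failures in this note, an IdentityFile path that does not exist on the local machine and an agent with no identities loaded. This is an added example, not part of the original note; the function names and the `--check` flag are hypothetical, and only plain `Keyword value` config lines are handled.

```shell
#!/bin/sh
# Added example, not from the original note. Function names and the --check
# flag are hypothetical; only plain "Keyword value" config lines are handled.

# Print "<Host>: <path>" for each IdentityFile that is not readable on this
# machine (e.g. a Debian-style /home/... path on a Mac). Returns 1 if any.
missing_identity_files() {
    config=$1; host='*'; missing=0
    while read -r key value _ || [ -n "$key" ]; do
        case $(printf '%s' "$key" | tr 'A-Z' 'a-z') in
            host) host=$value ;;
            identityfile)
                case $value in
                    "~/"*) path=$HOME/${value#"~/"} ;;
                    *)     path=$value ;;
                esac
                if [ ! -r "$path" ]; then
                    printf '%s: %s\n' "$host" "$path"
                    missing=1
                fi ;;
        esac
    done < "$config"
    return "$missing"
}

# Translate the exit status of `ssh-add -l` (0, 1 or 2) into the next step.
agent_state() {
    case $1 in
        0) echo "identities loaded" ;;
        1) echo "agent reachable but empty: run ssh-add on the laptop" ;;
        2) echo "no agent reachable: start one, e.g. exec ssh-agent bash" ;;
        *) echo "unexpected status $1" ;;
    esac
}

# Stand-alone use: sh preflight.sh --check [config]
if [ "${1:-}" = "--check" ]; then
    missing_identity_files "${2:-$HOME/.ssh/config}" || echo "fix the paths above"
    ssh-add -l >/dev/null 2>&1
    agent_state $?
fi
```

Run it on the laptop before connecting; after logging in to the server, `ssh-add -l` there should list the same fingerprints as it does locally.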

 
