SSH agent forwarding on Mac OS X debugging

ssh -v agaric-production

OpenSSH_5.1p1, OpenSSL 0.9.7l 28 Sep 2006
debug1: Reading configuration data /Users/ben/.ssh/config
debug1: Applying options for agaric-production
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to agaricdesign.com [66.135.37.243] port 22.
debug1: Connection established.
debug1: identity file /home/ben/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 zlib@openssh.com
debug1: kex: client->server aes128-cbc hmac-md5 zlib@openssh.com
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'agaricdesign.com' is known and matches the RSA host key.
debug1: Found key in /Users/ben/.ssh/known_hosts:33
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/ben/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey).

Tried changing back to RSA:

Ebony-II:.ssh ben$ vi config

Ebony-II:.ssh ben$ ssh -v agaric-production
OpenSSH_5.1p1, OpenSSL 0.9.7l 28 Sep 2006
debug1: Reading configuration data /Users/ben/.ssh/config
debug1: Applying options for agaric-production
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to agaricdesign.com [66.135.37.243] port 22.
debug1: Connection established.
debug1: identity file /home/ben/.ssh/id_rsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 zlib@openssh.com
debug1: kex: client->server aes128-cbc hmac-md5 zlib@openssh.com
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'agaricdesign.com' is known and matches the RSA host key.
debug1: Found key in /Users/ben/.ssh/known_hosts:33
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/ben/.ssh/id_rsa
debug1: No more authentication methods to try.
Permission denied (publickey).

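Following a model script written for Debian can cause problems on Mac OS X: there is no /home/username on a Mac, it's /Users/username. That is why both attempts above try /home/ben/.ssh/id_dsa and /home/ben/.ssh/id_rsa and then run out of authentication methods.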


ben@server:/var/www$ ssh-add -l
debug1: client_input_channel_open: ctype auth-agent@openssh.com rchan 2 win 65536 max 16384
debug1: channel 1: new [authentication agent connection]
debug1: confirm auth-agent@openssh.com
The agent has no identities.
debug1: channel 1: FORCE input drain
ben@server:/var/www$ debug1: channel 1: free: authentication agent connection, nchannels 2

stefan-agaric: Ben. on macosx your home directory is not /home/ben, is it?
[11:24am] benjamin-agaric: oy bloody vey
[11:24am] stefan-agaric: debugging helps.
[11:25am] stefan-agaric: without that output I would not have guessed it.
[11:25am] benjamin-agaric: $ pwd
[11:25am] benjamin-agaric: gives: /Users/ben/.ssh
[11:26am] benjamin-agaric: I should set up bash to give the full path at all times
[11:26am] benjamin-agaric: i totally forgot that. Too long on Ubuntu already!

[11:33am] stefan-agaric: to see if you have an agent type ssh-add -l
[11:33am] stefan-agaric: it should show something.
[11:33am] benjamin-agaric: while logged in?
[11:33am] stefan-agaric: yes.
[11:33am] stefan-agaric: it should show the same key fingerprint that's shown when doing it locally, if any.
[11:36am] stefan-agaric: if nothing is shown locally, you have to run "exec ssh-agent bash" to start the agent in your terminal.
[11:37am] benjamin-agaric: added at the bottom here: http://agaric.com/note/ssh-agent-forwarding-mac-os-x-debugging
[11:37am] benjamin-agaric: now i have to go back and add what makes it work, hehehe
[11:38am] stefan-agaric: I know MacOSX has some way to start the agent automatically, too..
[11:43am] stefan-agaric: www.sshkeychain.org
[11:50am] benjamin-agaric: well, trying it on my use case and it doesn't work:
[11:50am] benjamin-agaric: ben@agaricdesign:/var/www/bfhua$ git pull agaric master
[11:50am] benjamin-agaric: debug1: client_input_channel_open: ctype auth-agent@openssh.com rchan 2 win 65536 max 16384
[11:50am] benjamin-agaric: debug1: channel 1: new [authentication agent connection]
[11:50am] benjamin-agaric: debug1: confirm auth-agent@openssh.com
[11:50am] benjamin-agaric: debug1: channel 1: FORCE input drain
[11:50am] benjamin-agaric: Permission denied (publickey).
[11:50am] benjamin-agaric: fatal: The remote end hung up unexpectedly
[11:50am] benjamin-agaric: ben@agaricdesign:/var/www/bfhua$ debug1: channel 1: free: authentication agent connection, nchannels 2
[11:52am] benjamin-agaric: Ahh, ok:
[11:52am] benjamin-agaric: Ebony-II:.ssh ben$ exec ssh-agent bash
[11:52am] benjamin-agaric: bash-3.2$
[11:52am] benjamin-agaric: ben@agaricdesign:/var/www/bfhua$ ssh-add -l
[11:52am] benjamin-agaric: debug1: client_input_channel_open: ctype auth-agent@openssh.com rchan 2 win 65536 max 16384
[11:52am] benjamin-agaric: debug1: channel 1: new [authentication agent connection]
[11:52am] benjamin-agaric: debug1: confirm auth-agent@openssh.com
[11:52am] benjamin-agaric: The agent has no identities.
[11:52am] benjamin-agaric: debug1: channel 1: FORCE input drain
[11:52am] benjamin-agaric: ben@agaricdesign:/var/www/bfhua$ debug1: channel 1: free: authentication agent connection, nchannels 2
[11:53am] benjamin-agaric: or not ok?
[11:53am] benjamin-agaric: stefan-agaric: thoughts?
[11:54am] stefan-agaric: it will not have identities until you add them. I think they are added automatically when using them.
[11:56am] stefan-agaric: try to login and run the command again to see.
[12:02pm] stefan-agaric: to add the standard identities just run ssh-add
[12:02pm] stefan-agaric: do that in the terminal on your laptop where your agent is running.

[12:06pm] stefan-agaric: ok. we must make sure you have the identities loaded into a running agent on your laptop.
[12:06pm] benjamin-agaric: ssh-add
[12:06pm] benjamin-agaric: Identity added: /Users/ben/.ssh/id_rsa (/Users/ben/.ssh/id_rsa)
[12:06pm] benjamin-agaric: Identity added: /Users/ben/.ssh/id_dsa (/Users/ben/.ssh/id_dsa)
[12:07pm] stefan-agaric: now try ssh-add -l
[12:07pm] benjamin-agaric: ssh-add -l
[12:07pm] benjamin-agaric: 2048 03:84:fb:ee:3f:44:ac:c3:4a:17:98:50:bc:93:3e:32 /Users/ben/.ssh/id_rsa (RSA)
[12:07pm] benjamin-agaric: 1024 8e:29:bb:71:70:12:e1:db:da:6a:d6:fe:c4:3e:09:5e /Users/ben/.ssh/id_dsa (DSA)
[12:08pm] stefan-agaric: now try to login to one of our servers and run the same command again.
[12:08pm] benjamin-agaric: reading the ssh -v output, last line: debug1: Requesting authentication agent forwarding.
[12:09pm] benjamin-agaric: Woohooo!!
[12:09pm] benjamin-agaric: cd /var/www/example/
[12:09pm] benjamin-agaric: ben@server:/var/www/example$ git pull agaric master
[12:09pm] benjamin-agaric: debug1: client_input_channel_open: ctype auth-agent@openssh.com rchan 2 win 65536 max 16384
[12:09pm] benjamin-agaric: debug1: channel 1: new [authentication agent connection]
[12:09pm] benjamin-agaric: debug1: confirm auth-agent@openssh.com
[12:09pm] benjamin-agaric: debug1: channel 1: FORCE input drain
[12:09pm] benjamin-agaric: debug1: channel 1: free: authentication agent connection, nchannels 2
[12:09pm] benjamin-agaric: From git.agariclabs.com:/srv/git/example
[12:09pm] benjamin-agaric: * branch master -> FETCH_HEAD
[12:09pm] benjamin-agaric: Already up-to-date.

On Debian/Ubuntu the X server starts with an ssh-agent. Without that or the Mac OS X keychain it's not bearable.
There's also a blog post about it: http://www.dribin.org/dave/blog/archives/2007/11/28/ssh_agent_leopard/
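
A small diagnostic for the two failures in this note (the /home/ben identity file path, and a forwarded agent that reports no identities), added here as an example and not part of the original note or chat. The function names, the SSH_ADD override and the sample log lines are constructed for illustration; the exit statuses are the ones ssh-add documents.

```shell
#!/bin/sh
# Added example, not from the original note. Function names and the
# SSH_ADD override variable are hypothetical.

# Read `ssh -v` output on stdin and print every "identity file" path
# that does not exist on this machine (such as /home/ben/... on a Mac).
missing_identities() {
    sed -n 's/^debug1: identity file \(.*\) type -\{0,1\}[0-9][0-9]*$/\1/p' |
    while IFS= read -r path; do
        [ -e "$path" ] || printf '%s\n' "$path"
    done
}

# Classify the agent visible from the current shell by the exit status
# of `ssh-add -l`: 0 = keys listed, 1 = agent has no identities,
# anything else = no agent reachable (or ssh-add not installed).
agent_state() {
    rc=0
    ${SSH_ADD:-ssh-add} -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo "loaded" ;;
        1) echo "empty" ;;
        *) echo "no-agent" ;;
    esac
}

# Constructed sample in the format of the debug output above.
SAMPLE_LOG='debug1: Connection established.
debug1: identity file /home/ben/.ssh/id_dsa type -1
debug1: Trying private key: /home/ben/.ssh/id_dsa'

# Run the path check on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | missing_identities
```

For real output, use `ssh -v agaric-production 2>&1 | missing_identities`. Run `agent_state` on the laptop and again inside the SSH session; both should report "loaded" before a `git pull` over the forwarded agent can work.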

Comments

Excellent post!

Thanks for the help, fellas. This was an excellent post and saved my sanity.
