We have four servers at work that we use now; prime, hotrod, prowl and wheeljack. My laptop is called stormshadow and between it and each of the four servers I setup SSH auto-authentication. This is great, but when I log into hotrod, and then into prime, prime didn’t use the auto-authentication because it hadn’t been setup to allow hotrod, only stormshadow. To get around this I used a hack from my copy of O’Reilly’s “Linux Server Hacks”.
ssh-agent basically passes the request down the chain until it finds a server that will validate your credentials. So if I go: stormshadow > hotrod > prime then prime asks hotrod, and hotrod says “yo, Matty’s a good guy” and logs me in. Likewise, if I add prowl to the mix, then prowl asks prime, and prime asks hotrod, and hotrod knows that stormshadow is OK, so it passes back up the chain “OK, let him on”.
I had to setup authentication between stormshadow and each of the servers, which is simple enough. Then I used the following in my .bash_profile:
if [ -f ~/.agent.env ] ; then . ~/.agent.env > /dev/null if ! kill -0 $SSH_AGENT_PID > /dev/null 2>&1; then echo "Stale agent file found. Spawning new agent... " eval `ssh-agent | tee ~/.agent.env` ssh-add fi else echo "Starting ssh-agent" eval `ssh-agent | tee ~/.agent.env` ssh-add fi
This runs the first time I open a shell becuase I have configured GNOME-terminal to pretend it’s a login shell. This part’s important, otherwise your bash startup scripts are not triggered.
Now I can jump from server to server and never enter my password, and it’s no less-secure.
Update: 19/09/2005 03:38PM
You also need to the following:
mlambie@stormshadow:~$ cat .ssh/config ForwardAgent yes
This makes it all work nicely.