[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Jailkit-users] ssh agent forwarding difficulties

From: Valdemar Lemche
Subject: Re: [Jailkit-users] ssh agent forwarding difficulties
Date: Mon, 06 Aug 2007 00:17:52 +0200
User-agent: Thunderbird (Windows/20070728)

Olivier Sessink wrote:
> Valdemar Lemche wrote:
>> I followed the howto, Jailkit howto - creating an SSH only shell in a
>> chroot jail
>> Does anyone have any bright ideas how to do ssh agent forwarding from a
>> client, through a bastion host, using a jailkit user, to a final server?
>> Of course it works fine to the bastion host, but from the bastion host
>> to the final server things are not going to well.
>> The agent socket is written to the not chroot'ed /tmp, so I tried
>> copying it to <chroot'ed>/tmp using "cp -r `dirname $SSH_AUTH_SOCK`
>> /chrootusers/tmp" in /etc/ssh/sshrc.
> copying sockets doesn't work. You can create the socket, but there is
> no application that listens to traffic on the newly created socket.
> I see two possible solutions:
> 1) mount the real /tmp/ in the jail:
> mount /tmp/ /srv/jail/tmp -o bind
> that way both applications in and outside the jail can use the same
> socket (not 100% sure if it works in reality, but in theory it should
> work)
> 2) try if you can configure the ssh utilities to create the socket in
> the jail
> Olivier
> _______________________________________________
> Jailkit-users mailing list
> address@hidden
> http://lists.nongnu.org/mailman/listinfo/jailkit-users
It works ... well the remount part ... the forwarding part still doesnt
work. But I found out that the problem is that /usr/sbin/jk_chrootsh
doesn't pass on $SSH_AUTH_SOCK to the chroot'ed shell. Because if I just
start a shell with the the chroot'ed user, and set the SSH_AUTH_SOCK to
the agent socket in the chroot'ed enviroment. Then I do "ssh -A
address@hidden" then it works like a charm.

But I'm a bit unclear on how to wordaround this.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]