jailkit-users

Re: [Jailkit-users] ssh agent forwarding difficulties


From: Valdemar Lemche
Subject: Re: [Jailkit-users] ssh agent forwarding difficulties
Date: Mon, 06 Aug 2007 00:17:52 +0200
User-agent: Thunderbird 2.0.0.6 (Windows/20070728)

Olivier Sessink wrote:
> Valdemar Lemche wrote:
>> I followed the howto, Jailkit howto - creating an SSH only shell in a
>> chroot jail
>>
>> Does anyone have any bright ideas how to do ssh agent forwarding from a
>> client, through a bastion host, using a jailkit user, to a final server?
>>
>> Of course it works fine to the bastion host, but from the bastion host
>> to the final server things are not going too well.
>>
>> The agent socket is written to the not chroot'ed /tmp, so I tried
>> copying it to <chroot'ed>/tmp using "cp -r `dirname $SSH_AUTH_SOCK`
>> /chrootusers/tmp" in /etc/ssh/sshrc.
>
> copying sockets doesn't work. You can create the socket, but there is
> no application that listens to traffic on the newly created socket.
>
> I see two possible solutions:
>
> 1) mount the real /tmp/ in the jail:
> mount /tmp/ /srv/jail/tmp -o bind
>
> that way both applications in and outside the jail can use the same
> socket (not 100% sure if it works in reality, but in theory it should
> work)
>
> 2) try if you can configure the ssh utilities to create the socket in
> the jail
>
> Olivier
>
>
> _______________________________________________
> Jailkit-users mailing list
> address@hidden
> http://lists.nongnu.org/mailman/listinfo/jailkit-users
It works ... well, the remount part ... the forwarding part still doesn't
work. But I found out that the problem is that /usr/sbin/jk_chrootsh
doesn't pass on $SSH_AUTH_SOCK to the chroot'ed shell, because if I just
start a shell with the chroot'ed user, set the SSH_AUTH_SOCK to
the agent socket in the chroot'ed environment, and then do "ssh -A
address@hidden", it works like a charm.

But I'm a bit unclear on how to work around this.
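An added example, not code from this thread or from jailkit itself: a small POSIX sh check, assuming the jail root is given as the first argument and the real /tmp is bind-mounted into the jail as Olivier suggested, that reports whether the outer session's agent socket is actually reachable inside the jail and prints the SSH_AUTH_SOCK export that jk_chrootsh leaves out of the jailed shell.

```shell
#!/bin/sh
# Added example (not from the thread or from jailkit).
# Assumptions: $1 is the jail root (e.g. /srv/jail) and /tmp is bind-mounted
# into $1/tmp with "mount /tmp /srv/jail/tmp -o bind", so a socket under /tmp
# keeps the same path relative to the jail root.
#
# Usage: jail_agent_check JAIL_ROOT SOCKET_PATH
# Exit status: 0 = socket reachable inside the jail (export line printed)
#              1 = path absent inside the jail (bind mount missing)
#              2 = node present but not a live socket (e.g. a copied one)

jail_agent_check() {
    jail=$1
    sock=$2
    inside="$jail$sock"   # where the jailed shell would see the socket

    if [ ! -e "$inside" ]; then
        echo "$sock is not visible in $jail: is /tmp bind-mounted into the jail?" >&2
        return 1
    fi
    if [ ! -S "$inside" ]; then
        # A node copied with cp -r has nothing listening behind it; only the
        # bind mount exposes the socket that sshd/ssh-agent really serves.
        echo "$inside exists but is not a socket; a copied socket is useless" >&2
        return 2
    fi

    # Same path inside and outside, so the jailed shell only lacks the variable.
    printf 'export SSH_AUTH_SOCK=%s\n' "$sock"
    return 0
}

# Stand-alone use on a bastion host: ./check.sh /srv/jail
if [ "${1:-}" ] && [ "${SSH_AUTH_SOCK:-}" ]; then
    jail_agent_check "$1" "$SSH_AUTH_SOCK"
fi
```

Run the printed export line in the jailed shell before "ssh -A" to the final server; if the check returns 1, the bind mount is not in place and no socket copy will help.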




