Re: [Jailkit-users] ssh agent forwarding difficulties

[Valdemar Lemche]

Olivier Sessink wrote:

Should I write an amendment to your SSH howto about ssh agent forwarding?

yes I think that could help a lot of people.

Olivier


_______________________________________________
Jailkit-users mailing list
address@hidden
http://lists.nongnu.org/mailman/listinfo/jailkit-users

ok, I've 'compiled' a small section that should be placed between "Getting X forwarding to work trough the jail." and "Finalizing".

Using SSH agent forwarding

To increase the security when authenticating with the SSH daemon on the internal server, you should use SSH agent forwarding rather than password authentication.
The concept is to use the key from the SSH client, trough the firewall using jailkit, to authenticate to the with SSH daemon on internal server.

+-----------+                      +-----------+                      +-----------+
|  SSH      |    SSH client        | Firewall  |    SSH agent         | Internal  |
|  Client   +--> authenticating >--+ (Jailkit) +--> forwarding key >--+ Server    |
|           |    with key          |           |    from client       |           |
+-----------+                      +-----------+                      +-----------+

Now before configuring Jailkit, you need to configure forwarding on the client and on the firewall. Please refer to the documentation of your respectable SSH implementations. E.g. "man ssh" or the help file of PuTTY if you're running windows.

When a user logs in to a ssh daemon, using key authentication and agent forwarding. Then sshd on the firewall creates a socket under /tmp, which new ssh connection in the current session can use to authenticate to next server with. And to make Jailkit work with agent forwarding you need to make the ssh agent socket created in /tmp available to the chroot'ed enviroment. So you need to mount /tmp inside the chroot'ed enviroment using either "mount -o bind /tmp /home/chrootusers/tmp" or add the following line to /etc/fstab:

/tmp /home/chrootusers/tmp auto bind 0 0

And then run "mount /home/chrootusers/tmp" afterwards of course.

Next, the variable SSH_AUTH_SOCK contains the full path to the socket that sshd on the firewall created, when the user logged in. Which mean that you also need to ensure that SSH_AUTH_SOCK is forwarded by jk_chrootsh to the chroot'ed user's enviroment, so edit /etc/jailkit/jk_chrootsh.ini, and add SSH_AUTH_SOCK to "env =" directive under the chroot'ed user, like this:

[john]
env= DISPLAY, XAUTHORITY, TERM, SSH_AUTH_SOCK

Right then! So now you can connect to your internal server without using any password authentication, except that you have to use a password to access your private key ... I mean, you did put a passphrase on your private SSH key, RIGHT?