Friday, July 21, 2017

SSH-Auth-Caret - Use SSH Agent Socket from remote host

Let's say you have two systems that can connect to the same server. Client1 contains a private key and its SSH agent is forwarded to the server. Now you want to use a private key in that agent on Client2. There are of course some security concerns when using SSH Agent Forwarding, so please do a proper security assessment before using any of this information.

        ------------
       | SSH Server |
        ------------
         /a.       \b.
 -----------      ----------      -------------
|  Client 1 |    | Client 2 | c. | Auth.Server |
| |=        |    |          |----| (eg Github) |
| | prv.key |    | ssh/git/ |     -------------
| O         |    | other    |
 -----------      ----------


a. Setup an SSH connection from Client1 to the server, with SSH Agent Forwarding.

On the server, find the socket you want to use. Assuming the sockets are in /tmp/ssh-* and named agent.*, you can use:

server> for SOCK in /tmp/ssh-*/agent*; do export SSH_AUTH_SOCK=$SOCK; echo $SSH_AUTH_SOCK; ssh-add -l; echo; done

b. Copy or note the path of the socket that has the key you'd like to use. Then connect to the server, from client2, and specify a socket forward:

client2> ssh -o StreamLocalBindUnlink=yes -L/tmp/agent-server:/tmp/ssh-S0ck3t/agent.12345 server.example

The StreamLocalBindUnlink=yes allows ssh to remove the local socket (/tmp/agent-server) if it already exists.

/tmp/agent-server is the name of the local socket; you can choose this freely.

/tmp/ssh-S0ck3t/agent.12345 is the copied or noted path of the socket on the server.

c. Keep the SSH connection to the server open. In another terminal you can now use the socket by specifying it in SSH_AUTH_SOCK:

client2> export SSH_AUTH_SOCK=/tmp/agent-server
client2> ssh-add -l


I've made a script to help find and select the right socket. You can find it on GitHub:
https://gist.github.com/qistoph/9e16577788e0c28c9fd27ed09b4fbdd2
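
A more careful version of the socket search from step a, as an added example (not part of the original post and not the author's gist): it only queries sockets that you own and whose directory is closed to group and others, and it sets SSH_AUTH_SOCK for the single ssh-add call instead of exporting it. The function names are hypothetical; the /tmp/ssh-*/agent.* layout is the one assumed above.

```shell
#!/bin/sh
# Added example: vet SSH agent sockets on the server before forwarding one.
# Function names are hypothetical; the socket layout is the post's assumption.

# Return 0 when group and others have no permission bits on the path.
# Characters 5-10 of the `ls -ld` mode string are the group+other bits.
is_private() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$mode" = "------" ]
}

# Print one verdict word for a candidate socket path.
classify_socket() {
    sock=$1
    dir=$(dirname "$sock")
    if [ ! -S "$sock" ]; then echo "not-a-socket"; return; fi
    # -O: owned by the effective user running this check.
    if [ ! -O "$sock" ] || [ ! -O "$dir" ]; then echo "foreign-owner"; return; fi
    if ! is_private "$dir"; then echo "dir-not-private"; return; fi
    echo "ok"
}

# List candidate sockets under a base directory (default /tmp) with verdicts.
# Only sockets that pass every check are asked for their key list.
audit_agent_sockets() {
    for sock in "${1:-/tmp}"/ssh-*/agent.*; do
        [ -e "$sock" ] || continue   # glob matched nothing
        verdict=$(classify_socket "$sock")
        printf '%s\t%s\n' "$verdict" "$sock"
        if [ "$verdict" = "ok" ] && command -v ssh-add >/dev/null 2>&1; then
            # Scoped to this one command; the shell's own SSH_AUTH_SOCK
            # is left untouched, unlike the export in the loop above.
            SSH_AUTH_SOCK=$sock ssh-add -l 2>&1 | sed 's/^/    /'
        fi
    done
}
```

Source the file on the server and run `audit_agent_sockets`; a `dir-not-private` or `foreign-owner` verdict is a socket to investigate rather than forward.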