Problem with 20050215 snapshot and ssh-agent forwarding

David Rothenberger daveroth@acm.org
Sat Feb 19 10:14:00 GMT 2005


On 2/18/2005 11:03 AM, Christopher Faylor wrote:
> On Fri, Feb 18, 2005 at 10:43:49AM -0800, David Rothenberger wrote:
> 
>>On 2/18/2005 10:41 AM, Christopher Faylor wrote:
>>
>>>>>>I'm having a problem with the 20050215 snapshot (and the 20050131 as
>>>>>>well). My ssh-agent connection is not being forwarded by ssh. This is
>>>>>>working fine with the 20041119 snapshot.
>>>>>>
>>>
>>>I still can't duplicate this.  Sorry.
>>
>>Is SSH_AGENT_PID defined in your environment after the first ssh
>>`hostname`?
> 
> 
> No.  And, it shouldn't be.  SSH_AGENT_PID doesn't make any sense after
> you've logged into a system.

Right. I was asking because the only way I could get this to work was to 
have SSH_AGENT_PID defined.

I'm seeing the problem on two different WinXP Pro machines and a Win2000 
machine. I've tested with the default .profile and .bashrc files and 
with sh instead of bash. So, it doesn't appear to be something peculiar 
to my machine or environment.

I believe the problem is due to the new traverse checking. When I start 
ssh-agent the first time, I see the following in my /tmp directory:

% l /tmp
total 0
drwx------+ 2 drothe None 0 Feb 18 11:47 ssh-YwRaOw6140/

Since /tmp/ssh-YwRaOw6140 is owned by my user (drothe), the first ssh 
`hostname` has no problem accessing the ssh-agent socket.

After I do the first ssh `hostname`, I have the following:

% l /tmp
total 0
drwx------+ 2 SYSTEM root 0 Feb 18 11:50 ssh-AtsnfLH756/
drwx------+ 2 drothe None 0 Feb 18 11:47 ssh-YwRaOw6140/
% getfacl /tmp/ssh-AtsnfLH756/
# file: /tmp/ssh-AtsnfLH756/
# owner: SYSTEM
# group: root
user::rwx
group::---
mask:rwx
other:---
default:user::rwx
default:group::---
default:other:---

Plus, SSH_AUTH_SOCK is set to the new directory:

% echo $SSH_AUTH_SOCK
/tmp/ssh-AtsnfLH756/agent.756

% l $SSH_AUTH_SOCK
srwxrwxrwx  1 drothe None 0 Feb 18 11:57 /tmp/ssh-AtsnfLH756/agent.756=
% getfacl $SSH_AUTH_SOCK
# file: /tmp/ssh-AtsnfLH756/agent.756
# owner: drothe
# group: None
user::rw-
group::rw-
other:rw-
mask:rwx

With traverse checking enabled, my user (drothe) can't access 
/tmp/ssh-AtsnfLH756/agent.756, even though that file (socket?) has 777 
permissions, since the /tmp/ssh-AtsnfLH756 directory is owned by SYSTEM 
and has 700 permissions.  So, the next ssh `hostname` command prompts 
for a passphrase.

With traverse checking disabled, drothe can access 
/tmp/ssh-AtsnfLH756/agent.756 and the next ssh `hostname` command 
succeeds without prompting.

So, I can get this working by defining "CYGWIN=server notraverse" in my 
default environment as well as the sshd environment. Without the 
"notraverse" in the sshd environment, the test fails. I can also get it 
working by manually executing

% chown $USER $(dirname $SSH_AUTH_SOCK)

after the first ssh `hostname`.

-- 
David Rothenberger                spammer? -> spam@daveroth.dyndns.org
GPG/PGP: 0x7F67E734, C233 365A 25EF 2C5F C8E1 43DF B44F BA26 7F67 E734

We are what we pretend to be.
		-- Kurt Vonnegut, Jr.


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/



More information about the Cygwin mailing list