This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: Problem with 20050215 snapshot and ssh-agent forwarding


On 2/18/2005 11:03 AM, Christopher Faylor wrote:
On Fri, Feb 18, 2005 at 10:43:49AM -0800, David Rothenberger wrote:

On 2/18/2005 10:41 AM, Christopher Faylor wrote:

I'm having a problem with the 20050215 snapshot (and the 20050131 as
well). My ssh-agent connection is not being forwarded by ssh. This is
working fine with the 20041119 snapshot.


I still can't duplicate this. Sorry.

Is SSH_AGENT_PID defined in your environment after the first ssh `hostname`?


No.  And, it shouldn't be.  SSH_AGENT_PID doesn't make any sense after
you've logged into a system.

Right. I was asking because the only way I could get this to work was to have SSH_AGENT_PID defined.


I'm seeing the problem on two different WinXP Pro machines and a Win2000 machine. I've tested with the default .profile and .bashrc files and with sh instead of bash. So, it doesn't appear to be something peculiar to my machine or environment.

I believe the problem is due to the new traverse checking. When I start ssh-agent the first time, I see the following in my /tmp directory:

% l /tmp
total 0
drwx------+ 2 drothe None 0 Feb 18 11:47 ssh-YwRaOw6140/

Since /tmp/ssh-YwRaOw6140 is owned by my user (drothe), the first ssh `hostname` has no problem accessing the ssh-agent socket.

After I do the first ssh `hostname`, I have the following:

% l /tmp
total 0
drwx------+ 2 SYSTEM root 0 Feb 18 11:50 ssh-AtsnfLH756/
drwx------+ 2 drothe None 0 Feb 18 11:47 ssh-YwRaOw6140/
% getfacl /tmp/ssh-AtsnfLH756/
# file: /tmp/ssh-AtsnfLH756/
# owner: SYSTEM
# group: root
user::rwx
group::---
mask:rwx
other:---
default:user::rwx
default:group::---
default:other:---

Plus, SSH_AUTH_SOCK is set to the new directory:

% echo $SSH_AUTH_SOCK
/tmp/ssh-AtsnfLH756/agent.756

% l $SSH_AUTH_SOCK
srwxrwxrwx  1 drothe None 0 Feb 18 11:57 /tmp/ssh-AtsnfLH756/agent.756=
% getfacl $SSH_AUTH_SOCK
# file: /tmp/ssh-AtsnfLH756/agent.756
# owner: drothe
# group: None
user::rw-
group::rw-
other:rw-
mask:rwx

With traverse checking enabled, my user (drothe) can't access /tmp/ssh-AtsnfLH756/agent.756, even though that file (socket?) has 777 permissions, since the /tmp/ssh-AtsnfLH756 directory is owned by SYSTEM and has 700 permissions. So, the next ssh `hostname` command prompts for a passphrase.

With traverse checking disabled, drothe can access /tmp/ssh-AtsnfLH756/agent.756 and the next ssh `hostname` command succeeds without prompting.

So, I can get this working by defining "CYGWIN=server notraverse" in my default environment as well as the sshd environment. Without the "notraverse" in the sshd environment, the test fails. I can also get it working by manually executing

% chown $USER $(dirname $SSH_AUTH_SOCK)

after the first ssh `hostname`.

--
David Rothenberger                spammer? -> spam@daveroth.dyndns.org
GPG/PGP: 0x7F67E734, C233 365A 25EF 2C5F C8E1 43DF B44F BA26 7F67 E734

We are what we pretend to be.
		-- Kurt Vonnegut, Jr.


-- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]