Re: How does one enable authentication forwarding for ssh connections?


erkif...@gmail.com

Jun 1, 2020, 4:10:02 PM
to rex-...@googlegroups.com
Hi Robert,

On 2020-03-04 09:06, Robert Rothenberg wrote:
>I have some servers that require authentication forwarding in ssh to be
>able to run some commands. It looks like rex is ignoring the .ssh/config
>options that enable authentication forwarding. How can I enable this?

I think currently the best way would be to use Net::OpenSSH (default ssh
backend of Rex), since that supports agent forwarding:
https://metacpan.org/pod/Net::OpenSSH#forward_agent

To pass that constructor parameter from a Rexfile, one could use the
following:

    Rex::Config->set_openssh_opt(
        initialize_options => {
            forward_agent => 1,
        },
    );

One idea for the future is to let this layer just use whatever is in
~/.ssh/config, but it's not there yet.

Hope this helps!

Cheers,
FErki

rob...@gmail.com

Dec 4, 2020, 9:59:03 AM
to Rex Users
I have several servers that pull repos from github. They are configured for forwarding the agent in .ssh/config, and using Rex I can pull from git repos on all of them.

But on a new server this doesn't work. I get an error in Rex:

> [2020-12-04 14:45:03] DEBUG - SSH/executing: LC_ALL=C ; export LC_ALL; PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/pkg/bin:/usr/pkg/sbin; export PATH; cd /use/local/xyzapp/ && git pull  origin master 
> ...
> [2020-12-04 14:45:03] DEBUG - g...@github.com: Permission denied (publickey).

If I run the following from the command line, it works fine:

  ssh server "LC_ALL=C ; export LC_ALL; PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/pkg/bin:/usr/pkg/sbin; export PATH; cd /use/local/xyzapp/ && git pull  origin master"

The ssh configuration on that server, and my ~/.ssh/config are consistent with other servers, allowing agent forwarding.

I'm using Rex 1.12

How can I diagnose what's going on?

erkif...@gmail.com

Dec 6, 2020, 8:00:03 AM
to rex-...@googlegroups.com
Hi Rob,

On 2020-12-04 06:59, rob...@gmail.com wrote:
> ssh server "LC_ALL=C ; export LC_ALL;
> PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/pkg/bin:/usr/pkg/sbin;
> export PATH; cd /use/local/xyzapp/ && git pull origin master"

hmm, just noticed that the path after `cd` seems to start with `/use`;
I'm not sure if that's intentional, or just a typo instead of `/usr`.

>
>The ssh configuration on that server, and my ~/.ssh/config are consistent
>with other servers, allowing agent forwarding.
>
>I'm using Rex 1.12
>
>How can I diagnose what's going on?

First I would check which SSH backend module Rex is using for that
connection. It can be either Net::SSH2 or Net::OpenSSH based on feature
flags, operating system, availability of the module, rex configuration,
etc. The debug output should show that somewhere at the beginning with
`rex -d ...`.

Then I'd continue debugging based on that module's documentation.

For example, Net::OpenSSH uses the ssh binary and therefore it should
support `~/.ssh/config` too. In case there's some interference with Rex,
it's possible to force constructor options by configuring
`set_openssh_option` in the Rexfile or modules
(see https://metacpan.org/pod/Rex::Config#set_openssh_opt). Should you
need more info, Net::OpenSSH has its own debugging options too:
https://metacpan.org/pod/Net::OpenSSH#DEBUGGING.

In contrast, Net::SSH2 relies on libssh2 under the hood, and thus
doesn't use `~/.ssh/config`. In this case some of the options might be
configured by Rex, but it's probably better to use Net::OpenSSH if
possible (for example with `set connection => "OpenSSH";`). I expect
Net::SSH2 also has its own debugging features for more detailed
debugging of what it thinks about the connection.

Hope this helps to track your issue down!

Cheers,
FErki
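
Added example, not part of the thread and not code from the Rex project: a Rexfile that combines the two settings mentioned above (`set connection => "OpenSSH"` and `forward_agent` via `set_openssh_opt`) with a task that reports whether a usable agent socket actually reaches the remote session. The task name `check_agent` and the marker string `NO_AGENT_SOCKET` are assumptions made for this example.

```perl
# Rexfile: added diagnostic example, not from the thread.
use Rex -feature => ['1.4'];

# Force the Net::OpenSSH backend, which drives the ssh binary.
set connection => "OpenSSH";

# Pass forward_agent to the Net::OpenSSH constructor (option from the thread).
# This applies to every connection this Rexfile opens, so keep it in a
# Rexfile that only targets hosts which really need the forwarded agent.
Rex::Config->set_openssh_opt(
    initialize_options => {
        forward_agent => 1,
    },
);

desc "Report whether the forwarded SSH agent is usable on the remote host";
task "check_agent", sub {
    # Single quotes: $SSH_AUTH_SOCK must be expanded by the remote shell,
    # not interpolated by Perl. "|| true" keeps the exit status at 0 so the
    # output can be inspected even when ssh-add reports a failure.
    my $out = run 'if [ -S "$SSH_AUTH_SOCK" ]; then ssh-add -l 2>&1 || true; '
                . 'else echo NO_AGENT_SOCKET; fi';
    $out = '' unless defined $out;

    if ( $out =~ /NO_AGENT_SOCKET/ ) {
        # Either the client did not request forwarding, or the server's
        # sshd refused it (AllowAgentForwarding no).
        print "no agent socket in the remote session\n";
    }
    elsif ( $out =~ /no identities/i ) {
        # The socket was forwarded, but the local agent holds no keys.
        print "agent forwarded, but it has no keys loaded\n";
    }
    elsif ( $out =~ /could not open|error connecting/i ) {
        # A socket path exists but nothing answers on it (stale socket).
        print "agent socket present but not answering: $out\n";
    }
    else {
        # ssh-add -l lists key fingerprints only, never private key material.
        print "forwarded agent offers these keys:\n$out\n";
    }
};
```

Run it as `rex -d -H server check_agent`; the debug output near the start also shows which SSH backend was selected, and the result can be compared with `ssh -A server 'ssh-add -l'` from the command line.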