Feature #21850

Support ForwardAgent in SSH Proxy

Added by Adam Ruzicka over 2 years ago. Updated about 2 years ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Difficulty:
Triaged:
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1362644

Description of problem:
The Ruby library we use reads ~foreman-proxy/.ssh/config and supports a number of options, including ForwardAgent. However, unlike the SSH CLI, it does not start an agent if one's not started. So, we would need to actually start an agent.

Version-Release number of selected component (if applicable):
6.2 GA

How reproducible:
Always

Steps to Reproduce:
1. Configure ~foreman-proxy/.ssh/config as such:

Host *
    ForwardAgent yes
    StrictHostKeyChecking no # just for testing

2. Create a job in Satellite that SSHes to another host that is configured to allow foreman-proxy keys, e.g. the Satellite itself:

ssh localhost hostname -f

Actual results:
Job fails, agent is not used. If you look at SSH logs (see ), you'll see this:

I, [2016-08-02T13:04:47.697219 #1422] INFO -- net.ssh.service.forward[253c094]: opening auth-agent channel
D, [2016-08-02T13:04:47.697262 #1422] DEBUG -- net.ssh.authentication.agent[14d9af8]: connecting to ssh-agent
E, [2016-08-02T13:04:47.697305 #1422] ERROR -- net.ssh.authentication.agent[14d9af8]: could not connect to ssh-agent
E, [2016-08-02T13:04:47.697340 #1422] ERROR -- net.ssh.service.forward[253c094]: attempted to connect to agent but failed: Net::SSH::Authentication::AgentNotAvailable (no implicit conversion of nil into String)
E, [2016-08-02T13:04:47.697378 #1422] ERROR -- net.ssh.connection.session[255524c]: [2, "could not connect to authentication agent"]

Expected results:
Job succeeds

Additional info:

You can make it work by editing connector.rb and starting an agent before we do Net::SSH.start.

Of course this should be refactored, and a single agent should be used for the life of the dynflow process, but this works:

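# Start an agent and capture the shell assignments it prints
vars = `ssh-agent`
# Keep only the NAME=value fragments (drops the "export ..." and "echo ..." parts)
vars = vars.split(';').reject { |r| !r.strip.include?('=') }
vars.each do |var|
  name, value = var.split('=', 2)
  ENV[name.strip] = value.strip
end

`ssh-add ~/.ssh/id_rsa_foreman_proxy` # add our identity to the agent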
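
Added example, not part of the original report or of the proxy's code: one way to do the refactoring suggested above, starting a single ssh-agent per process and stopping it when that process exits. The ProcessAgent module, its method names and the sample agent output are assumptions made for illustration.

```ruby
require 'open3'

# Added example: ProcessAgent and its method names are hypothetical,
# not part of the proxy's connector.rb.
module ProcessAgent
  # Constructed sample of what `ssh-agent -s` prints (values are made up).
  SAMPLE = "SSH_AUTH_SOCK=/tmp/ssh-XXXXabcd/agent.4242; export SSH_AUTH_SOCK;\n" \
           "SSH_AGENT_PID=4243; export SSH_AGENT_PID;\necho Agent pid 4243;\n"
  ASSIGNMENT = /\b(SSH_AUTH_SOCK|SSH_AGENT_PID)=([^;\s]+);/
  LOCK = Mutex.new

  # Pure parser: accepts only the two expected variables, so unexpected
  # agent output can never set arbitrary names in ENV.
  def self.parse(output)
    vars = output.scan(ASSIGNMENT).to_h
    ok = vars.key?('SSH_AUTH_SOCK') && vars['SSH_AGENT_PID'].to_s.match?(/\A\d+\z/)
    raise ArgumentError, 'unexpected ssh-agent output' unless ok
    vars
  end

  # Starts at most one agent per process, exports its variables, loads the
  # key, and stops the agent when the owning process exits.
  def self.ensure_started(key_path, lifetime: nil)
    LOCK.synchronize do
      return @vars if @vars
      out, status = Open3.capture2('ssh-agent', '-s')
      raise 'ssh-agent failed to start' unless status.success?
      vars = parse(out)
      owner = Process.pid
      agent = Integer(vars['SSH_AGENT_PID'])
      at_exit do
        begin
          Process.kill('TERM', agent) if Process.pid == owner
        rescue Errno::ESRCH
          nil # agent already gone
        end
      end
      vars.each { |name, value| ENV[name] = value }
      args = ['ssh-add']
      args += ['-t', lifetime.to_s] if lifetime # optional key lifetime, seconds
      args << File.expand_path(key_path)
      raise 'ssh-add failed' unless system(*args)
      @vars = vars
    end
  end
end

p ProcessAgent.parse(ProcessAgent::SAMPLE) if $PROGRAM_NAME == __FILE__
```

Calling ProcessAgent.ensure_started('~/.ssh/id_rsa_foreman_proxy') once before Net::SSH.start would take the place of the snippet above. With ForwardAgent enabled, the target host can ask the agent to sign with the loaded key while the connection is open, so the lifetime option is worth setting.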

History

#1 Updated by Adam Ruzicka over 2 years ago

  • Target version set to 113