Agent forwarding (the other way around)
Matt Johnston
matt at ucc.asn.au
Tue Jul 5 09:15:07 WST 2005
On Fri, Jul 01, 2005 at 07:02:59PM -0400, Bill Trenker wrote:
> A number of posts here appear to be asking about SSH-Agent authentication
> from dbclient on one machine to an ssh server (eg: openssh) on another
> machine. I'm wondering about the other direction. Is there, or will
> there be, support for an ssl client (I'm using openssl) being able to use
> SSH-Agent auth forwarding to a dbserver? (If this feature already exists,
> I'm having trouble finding documentation.)
>
> Dropbear server works very well with the openssh ssl client, including
> tunnels. Now I'm hoping I can use SSH-Agent auth so that I can use ssl to
> access my dbserver system in some automated scripts.

Dropbear currently only supports agent authentication from
non-dropbear clients to a dropbear server - that's what you
want, right? As long as you make sure that the
ENABLE_AGENTFWD is set in options.h for the dropbear server,
then you should be able to just use
"ssh -A hostrunningdropbear"
where ssh is the openssh client - I use that all the time.
You just need to set up ~/.ssh/authorized_keys the same way
as with openssh server (iirc there's a reasonable IBM
developerworks article).

The reason that agent forwarding is currently only in the
server is that an SSH server can forward an agent connection
treating it as an opaque stream of bytes - that part is
easy. On the other hand for a client to usefully use the
agent, it must request that data be signed by the agent etc.
I haven't implemented that yet, though intend to get around
to it.

Matt
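
The server/client asymmetry described in the message above, as an added example that is not part of the original post and is not Dropbear code: the server role only copies agent bytes, while a client must frame a sign request and validate the agent's reply. The function names are hypothetical; the message numbers and field layout are those of the SSH agent protocol (draft-miller-ssh-agent).

```c
/* Added example, not Dropbear code; function names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SSH2_AGENTC_SIGN_REQUEST 13 /* SSH agent protocol message numbers */
#define SSH2_AGENT_SIGN_RESPONSE 14

static void put_u32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static uint32_t get_u32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Server role: relay agent traffic as opaque bytes, nothing is parsed. */
size_t relay_opaque(const uint8_t *in, size_t n, uint8_t *out, size_t cap) {
    if (n > cap) n = cap;
    memcpy(out, in, n);
    return n;
}

/* Client role: frame a sign request. Returns bytes written, 0 if out is too small.
 * Layout: u32 length | byte 13 | string key blob | string data | u32 flags */
size_t build_sign_request(uint8_t *out, size_t cap, const uint8_t *key,
        uint32_t klen, const uint8_t *data, uint32_t dlen, uint32_t flags) {
    size_t body = 1 + 4 + (size_t)klen + 4 + (size_t)dlen + 4;
    if (cap < 4 || body > cap - 4) return 0;
    put_u32(out, (uint32_t)body); out[4] = SSH2_AGENTC_SIGN_REQUEST;
    uint8_t *p = out + 5;
    put_u32(p, klen); memcpy(p + 4, key, klen); p += 4 + klen;
    put_u32(p, dlen); memcpy(p + 4, data, dlen); p += 4 + dlen;
    put_u32(p, flags);
    return body + 4;
}

/* Client role: check framing of the reply and locate the signature blob.
 * Returns 0 on success, -1 for a failure reply or any length mismatch. */
int parse_sign_response(const uint8_t *in, size_t n,
        const uint8_t **sig, uint32_t *slen) {
    if (n < 9) return -1;
    uint32_t body = get_u32(in);
    if (body != n - 4 || in[4] != SSH2_AGENT_SIGN_RESPONSE) return -1;
    uint32_t l = get_u32(in + 5);
    if (l != body - 5) return -1;
    *sig = in + 9; *slen = l;
    return 0;
}
```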