ssh-agent forwarding and sudo to another user

As you mentioned, the environment variables are removed by sudo, for security reasons.

But fortunately sudo is quite configurable: you can tell it precisely which environment variables you want to keep thanks to the env_keep configuration option in /etc/sudoers.

For agent forwarding, you need to keep the SSH_AUTH_SOCK environment variable. To do so, simply edit your /etc/sudoers configuration file (always using visudo) and set the env_keep option to the appropriate users. If you want this option to be set for all users, use the Defaults line like this:

Defaults    env_keep+=SSH_AUTH_SOCK

man sudoers for more details.

You should now be able to do something like this (provided user1‘s public key is present in ~/.ssh/authorized_keys in user1@serverA and user2@serverB, and serverA‘s /etc/sudoers file is setup as indicated above):

user1@mymachine> eval `ssh-agent`  # starts ssh-agent
user1@mymachine> ssh-add           # add user1's key to agent (requires pwd)
user1@mymachine> ssh -A serverA    # no pwd required + agent forwarding activated
user1@serverA> sudo su - user2     # sudo keeps agent forwarding active :-)
user2@serverA> ssh serverB         # goto user2@serverB w/o typing pwd again...
user2@serverB>                     # ...because forwarding still works

Related Posts:

  1. Copying a local file from Windows to a remote server using scp
  2. How can I run arbitrarily complex command using sudo over ssh?
  3. Git: How to solve Permission denied (publickey) error when using Git?
  4. Could not open a connection to your authentication agent
  5. Could not open a connection to your authentication agent
  6. Putty: Getting Server refused our key Error
  7. ssh: The authenticity of host ‘hostname’ can’t be established
  8. ssh “permissions are too open” error
  9. Permission denied (publickey,keyboard-interactive)
  10. How to deal with “Pseudo-terminal will not be allocated because stdin is not a terminal.”
  11. What is actually in known_hosts?
  12. ‘heroku’ does not appear to be a git repository
  13. How to solve “sign_and_send_pubkey: signing failed: agent refused operation”?
  14. How to fix request failed on channel 0
  15. How to scp in Python?
  16. Forward X11 failed: Network error: Connection refused
  17. PuTTY PSCP error “Local to local copy not supported” when username contains a slash
  18. Starting ssh-agent on Windows 10 fails: “unable to start ssh-agent service, error :1058”
  19. Git error: “Host Key Verification Failed” when connecting to remote repository
  20. Convert PEM to PPK file format
  21. Copying files using rsync from remote server to local machine
  22. How to read iPhone files without jailbreaking?
  23. SSH to Vagrant box in Windows?
  24. How to use Sublime over SSH
  25. Use qdel to delete all my jobs at once, not one at a time
  26. Automating command/script execution using PuTTY
  27. Public and Private Keys are Incorrect for user
  28. How to automate SSH login with password?
  29. ssh returns “Bad owner or permissions on ~/.ssh/config”
  30. How do I change my private key passphrase?
  31. Create a public SSH key from the private key?
  32. How do diff over ssh?
  33. “Add correct host key in known_hosts” / multiple ssh host keys per hostname?
  34. SSH use only my password, Ignore my ssh key, don’t prompt me for a passphrase
  35. Non interactive git clone (ssh fingerprint prompt) [duplicate]
  36. How to check sshd log?
  37. What does “Warning: untrusted X11 forwarding setup failed: xauth key data not generated” mean when ssh’ing with -X?
  38. What’s the difference between authorized_keys and authorized_keys2?
  39. Is my password compromised because I forgot to hit Enter after ssh username?
  40. How do I make ssh fail rather than prompt for a password if the public-key authentication fails?
  41. ssh-keygen does not create RSA private key
  42. OpenSSH: Difference between internal-sftp and sftp-server
  43. What significance does the user/host at the end of an SSH public key file hold?
  44. SSH Suddenly returning Invalid format
  45. How can I prevent the warning No xauth data; using fake authentication data for X11 forwarding?
  46. How to recover from “Too many Authentication Failures for user root”
  47. SFTP logging: is there a way?
  48. Why does my OpenSSH key fingerprint not match the AWS EC2 console keypair fingerprint?
  49. Login without running bash_profile or bashrc
  50. How do I do Multihop SCP transfers between machines?
  51. scp without known_hosts check
  52. How do I validate an RSA SSH public key file (id_rsa.pub)?
  53. Add comment to existing SSH public key
  54. ssh connection takes forever to initiate, stuck at “pledge: network”
  55. What is the benefit of not allocating a terminal in ssh?
  56. bad ownership or modes for chroot directory component
  57. Why Block Port 22 Outbound?
  58. Ansible stuck on gathering facts
  59. Is it possible to use rsync over sftp (without an ssh shell)?
  60. SSH Allow Password For One User, Rest Only Allow Public Keys [duplicate]
  61. Why is ssh agent forwarding not working?
  62. ssh : Permission denied (publickey,gssapi-with-mic)
  63. ssh connect Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password)
  64. How to fix ‘sudo: no tty present and no askpass program specified’ error?
  65. How to set ssh timeout?
  66. sudo: apt-get: command not found
  67. ssh: Could not resolve hostname [hostname]: nodename nor servname provided, or not known
  68. Pseudo-terminal will not be allocated because stdin is not a terminal
  69. CentOS error – sudo: effective uid is not 0, is sudo installed setuid root?
  70. Getting “socket.error: [Errno 61] Connection refused” python paramiko
  71. X Error of failed request: BadValue (integer parameter out of range for operation)
  72. Getting stty: standard input: Inappropriate ioctl for device when using scp through an ssh tunnel
  73. Copying files from server to local computer using SSH
  74. Could not create work tree dir ‘example.com’.: Permission denied
  75. Paramiko’s SSHClient with SFTP
  76. ERROR: While executing gem … (Gem::FilePermissionError)
  77. Why does WordPress need my private ssh key to update?
  78. How can I use WP-CLI commands without –allow-root
  79. Configure WordPress to connect to Mysql DB using SSH tunneling
  80. WP-CLI alias: connect with ssh proxy
  81. WPTerm ssh connection not working [closed]
  82. Server configuration for WordPress – Do I need install PHP-SSH extensions for WordPress on Fedora28?
  83. After upgrade to php 7 plugin/them updates broke [closed]
  84. Index.php using 100% CPU [closed]
  85. Public and Private keys incorrect for user
  86. Permission denied (publickey). SSH from local Ubuntu to Amazon EC2 server
  87. How to setup passwordless `sudo` on Linux?
  88. Keeping a linux process running after I logout
  89. Why do consoles sometimes hang forever when SSH connection breaks?
  90. How to check if an RSA public / private key pair match
  91. Why does sudo command take long to execute?
  92. How can I automatically change directory on ssh login?
  93. “POSSIBLE BREAK-IN ATTEMPT!” in /var/log/secure — what does this mean?
  94. Can you have more than one ~/.ssh/config file?
  95. SSH from A through B to C, using private key on B [closed]
  96. How can I edit the welcome message when ssh start?
  97. SSHFS mount that survives disconnect
  98. Temporarily ignore my `~/.ssh/known_hosts` file?
  99. sudoers: how to disable requiretty per user
  100. Using wp-cli on remote with quoted commands

Leave a Comment

tech