Posted to user@guacamole.apache.org by Passerini Marco <ma...@cscs.ch> on 2021/02/09 15:08:10 UTC

SSH agent forwarding

From my tests it seems that in Guacamole the ssh-agent is not forwarded through the terminal. I can configure keys to SSH into a host from the web, but if from the terminal CLI I want to do SSH to another host, I will need to re-authenticate. Is this correct?

I saw there's some code about the SSH-agent but I guess it confirms this behaviour?

https://github.com/apache/guacamole-server/blob/c449d83790628182360056d531e7017acd65186b/src/protocols/ssh/ssh_agent.c

Is there any plan to implement this?


Regards,

Marco Passerini

Re: SSH agent forwarding

Posted by Mike Jumper <mj...@apache.org>.
On Tue, Feb 9, 2021 at 7:09 AM Passerini Marco <ma...@cscs.ch>
wrote:

> From my tests it seems that in Guacamole the ssh-agent is not forwarded
> through the terminal. I can configure keys to SSH into a host from the web,
> but if from the terminal CLI I want to do SSH to another host, I will need
> to re-authenticate. Is this correct?
>

There is agent forwarding support present, but it depends on a patched
libssh2. The libssh2 library does not otherwise provide support for SSH
agent forwarding that would be usable by Guacamole. The presence/absence of
this support is detected at build time.

> I saw there's some code about the SSH-agent but I guess it confirms this
> behaviour?
>
>
> https://github.com/apache/guacamole-server/blob/c449d83790628182360056d531e7017acd65186b/src/protocols/ssh/ssh_agent.c
>
> Is there any plan to implement this?
>

It is already implemented. The code you link to above is the implementation.

I haven't checked whether migrating from libssh2 back to libssh would allow
this to be implemented without a patch. Guacamole's SSH support was
originally built off libssh, and was migrated to libssh2 to implement SSH
agent forwarding. Neither library had support for agent forwarding that
could be used by Guacamole as-is, but there were patches available for
libssh2 that added it.

- Mike