Message-ID: <42164AA4.6060402@acm.org>
Date: Fri, 18 Feb 2005 12:05:56 -0800
From: David Rothenberger
To: cygwin AT cygwin DOT com
Subject: Re: Problem with 20050215 snapshot and ssh-agent forwarding

On 2/18/2005 11:03 AM, Christopher Faylor wrote:
> On Fri, Feb 18, 2005 at 10:43:49AM -0800, David Rothenberger wrote:
>
>>On 2/18/2005 10:41 AM, Christopher Faylor wrote:
>>
>>>>>>I'm having a problem with the 20050215 snapshot (and the 20050131 as
>>>>>>well). My ssh-agent connection is not being forwarded by ssh. This is
>>>>>>working fine with the 20041119 snapshot.
>>>>>>
>>>
>>>I still can't duplicate this. Sorry.
>>
>>Is SSH_AGENT_PID defined in your environment after the first ssh
>>`hostname`?
>
>
> No. And, it shouldn't be. SSH_AGENT_PID doesn't make any sense after
> you've logged into a system.

Right. I was asking because the only way I could get this to work was
to have SSH_AGENT_PID defined.

I'm seeing the problem on two different WinXP Pro machines and a
Win2000 machine. I've tested with the default .profile and .bashrc
files and with sh instead of bash. So, it doesn't appear to be
something peculiar to my machine or environment.

I believe the problem is due to the new traverse checking. When I start
ssh-agent the first time, I see the following in my /tmp directory:

    % l /tmp
    total 0
    drwx------+ 2 drothe None 0 Feb 18 11:47 ssh-YwRaOw6140/

Since /tmp/ssh-YwRaOw6140 is owned by my user (drothe), the first ssh
`hostname` has no problem accessing the ssh-agent socket.

After I do the first ssh `hostname`, I have the following:

    % l /tmp
    total 0
    drwx------+ 2 SYSTEM root 0 Feb 18 11:50 ssh-AtsnfLH756/
    drwx------+ 2 drothe None 0 Feb 18 11:47 ssh-YwRaOw6140/

    % getfacl /tmp/ssh-AtsnfLH756/
    # file: /tmp/ssh-AtsnfLH756/
    # owner: SYSTEM
    # group: root
    user::rwx
    group::---
    mask:rwx
    other:---
    default:user::rwx
    default:group::---
    default:other:---

Plus, SSH_AUTH_SOCK is set to the new directory:

    % echo $SSH_AUTH_SOCK
    /tmp/ssh-AtsnfLH756/agent.756

    % l $SSH_AUTH_SOCK
    srwxrwxrwx 1 drothe None 0 Feb 18 11:57 /tmp/ssh-AtsnfLH756/agent.756=

    % getfacl $SSH_AUTH_SOCK
    # file: /tmp/ssh-AtsnfLH756/agent.756
    # owner: drothe
    # group: None
    user::rw-
    group::rw-
    other:rw-
    mask:rwx

With traverse checking enabled, my user (drothe) can't access
/tmp/ssh-AtsnfLH756/agent.756, even though that file (socket?) has 777
permissions, since the /tmp/ssh-AtsnfLH756 directory is owned by SYSTEM
and has 700 permissions. So, the next ssh `hostname` command prompts for
a passphrase.

With traverse checking disabled, drothe can access
/tmp/ssh-AtsnfLH756/agent.756 and the next ssh `hostname` command
succeeds without prompting.

So, I can get this working by defining "CYGWIN=server notraverse" in my
default environment as well as the sshd environment. Without the
"notraverse" in the sshd environment, the test fails.

I can also get it working by manually executing

    % chown $USER $(dirname $SSH_AUTH_SOCK)

after the first ssh `hostname`.

-- 
David Rothenberger                spammer? -> spam AT daveroth DOT dyndns DOT org
GPG/PGP: 0x7F67E734, C233 365A 25EF 2C5F C8E1 43DF B44F BA26 7F67 E734

We are what we pretend to be. -- Kurt Vonnegut, Jr.
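
A diagnostic for the condition described in the message above, as an added example that is not part of the original thread: it walks from the directory holding the agent socket up to `/` and lists every directory a given uid cannot search. The function name `agent_path_blockers` is hypothetical; it assumes GNU `stat` and judges by owner/group/other mode bits only, so ACL entries and the `notraverse` setting are not evaluated.

```sh
#!/bin/sh
# Added example: find directories on the path to an ssh-agent socket that
# block traversal for a uid/gid, based on plain mode bits (no ACL evaluation).
# Usage: agent_path_blockers SOCKET_PATH [UID [GID]]
# Prints one line per blocking directory; returns 0 if none, 1 if any,
# 2 if a directory could not be inspected.
agent_path_blockers() {
    sock=$1
    uid=${2:-$(id -u)}
    gid=${3:-$(id -g)}
    dir=$(dirname -- "$sock")
    blockers=""
    while :; do
        # GNU stat: numeric owner, numeric group, octal mode (e.g. "0 0 700")
        info=$(stat -c '%u %g %a' -- "$dir") || return 2
        set -- $info
        perms=$((0$3 & 0777))            # drop setuid/setgid/sticky bits
        # Pick the single permission class that applies to this uid/gid
        if [ "$1" = "$uid" ]; then
            bit=$((perms & 0100))        # owner search bit
        elif [ "$2" = "$gid" ]; then
            bit=$((perms & 0010))        # group search bit
        else
            bit=$((perms & 0001))        # other search bit
        fi
        if [ "$bit" -eq 0 ]; then
            blockers="$blockers$dir owner=$1 mode=$3
"
        fi
        if [ "$dir" = / ]; then
            break
        fi
        dir=$(dirname -- "$dir")
    done
    printf '%s' "$blockers"
    [ -z "$blockers" ]
}
```

Run as `agent_path_blockers "$SSH_AUTH_SOCK"` in the forwarded session; a socket directory owned by another account with mode 700, as in the listing above, is reported as a blocker.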