topic Re: SCP and SSH-Agent on SuSE8.1 in Secure OS Software for Linux

SCP and SSH-Agent on SuSE8.1

Michael Armbrecht — Thu, 08 May 2003 09:39:24 GMT

Hi,
I have a problem here on a SuSE8.1 box to get scp to work.
I need to use ssh/scp frequently for shell access and file transfer over a firewall. The ssh version used is OpenSSH_3.4p1.
The setup is thus: Usually a ssh connection is opened with a command similar to "ssh -t @ ssh login@machine". The -t option is necessary because the firewall does not allocate a tty. We have ssh-agents running as well which are called from .xsession at login time on the SuSE box.
Here is the problem: When I login to the SuSE box, ssh-agent reads my passphrase and I can ssh to any system through the firewall without problems. But copying files using scp does not work. The error is: "Need passphrase for . You have no controlling tty. Cannot read passphrase." It seems that scp does not pick up the running ssh-agent, but insists in reading the passphrase again when connecting from the firewall to the target system. "ForwardAgent" is set to "Yes" in ssh_conf. What am I missing? It used to work on a RedHat6.0 box before...

BTW: The scp command used is "scp @:@:"

Thanks for your help
Mick

Re: SCP and SSH-Agent on SuSE8.1

Steven E. Protter — Thu, 08 May 2003 12:43:11 GMT

I have used this doc on red hat to deal with these issues.

Though originally authored for HP-UX, it works, even in a mixed environment.

I think exchanging public keys will solve this problem. This assumes your firewall is stateless and doesn't block port 22.

Attached.

SEP

Re: SCP and SSH-Agent on SuSE8.1

Michael Armbrecht — Thu, 08 May 2003 12:56:16 GMT

Hi Steven,

my public keys are on all remote machines I am connecting to, and connecting with ssh works perfectly. Only scp does not work.

The firewall is actually not a "real" firewall, but an ssh relay, I probably should have said that. So port blocking is not an issue.

As I said before, I have exactly the same setup on a RedHat 6.0 box, and there scp works for some reason. The differences are the SSH version (SSH Version OpenSSH_2.3.0p1 on RedHat) and the ssh agent is called from the .bash_profile instead of .xsession.

Re: SCP and SSH-Agent on SuSE8.1

Steven E. Protter — Thu, 08 May 2003 13:12:10 GMT

You have no controlling tty. Cannot read passphrase.

Thats key. Is the TERM variable set in .bash_profile an .xsession ?

stty -a output should do the same.

This should work. ssh and scp are part of the same tool set.

You might want to try reinstalling the package on the client giving you the trouble. Also, make sure you get any updates or security fixes in.

Head scratcher here, please post resolution so at least I can learn from this.

SEP

Re: SCP and SSH-Agent on SuSE8.1

Michael Armbrecht — Fri, 09 May 2003 07:46:25 GMT

Hi Steven,

> You have no controlling tty. Cannot read passphrase
> Thats key. Is the TERM variable set in .bash_profile an .xsession ?

The problem is that this error message is sent from the ssh relay, not from my local host. $TERM is set to xterm. But on the relay I don't have a tty, that's why I need to use the "-t" option when using ssh.

I have submitted this as a bug to the OpenSSH developers:
http://bugzilla.mindrot.org/show_bug.cgi?id=557

Straight answer I got was to submit a debug trace and upgrade to version 3.6.1, which I will have a look at.

I'll keep you posted.

Mick

Re: SCP and SSH-Agent on SuSE8.1

Michael Armbrecht — Fri, 30 May 2003 12:31:05 GMT

FYI - This has been "solved".

The solution was to remove these two lines from the source file "scp.c":

addargs(&args, "-oForwardAgent no");
addargs(&args, "-oClearAllForwardings yes");

Now it is working. I am still wondering why the options were preset like this in the code, like this scp can't work with a ssh relay that doesn't allocate ttys.

Regards
Mick

Re: SCP and SSH-Agent on SuSE8.1

Steven E. Protter — Fri, 30 May 2003 13:33:32 GMT

I wonder if this is an issue with HP's depot version of the tools.

Thanks for posting your solution.

SEP