Ssh-agent key timeout with screen or tmux on bastion host

Tags: gnu-screen, ssh, ssh-agent, tmux

Normally I have ssh-agent running; I ssh to my bastion host, then open a tmux session and connect to other boxes through that. Key forwarding works for any sessions that I open from that point forward.

If I resume my tmux session after closing the terminal, sleeping my laptop, whatever, key forwarding on my bastion sessions still works, as does forwarding on any new sessions. Existing ones don't work, though.

I have a little thing in my bashrc that keeps key forwarding working when I resume tmux, but I am having trouble figuring out how to get it to keep working for sessions open within tmux.

For example, I have bastion01, dbhost01, dbhost02, webhost01, and webhost02.

If I open a connection to bastion01, start tmux there, and then connect to dbhost01 and webhost01, forwarding works. If I close that connection, reconnect and attach to my existing tmux session, then add connections to dbhost02 and webhost02, key forwarding works on the 02 boxes, but not on the 01 boxes.

Please help!

Best Answer

Each time you ssh into bastion01, a different socket is opened to handle the key forwarding. You can see the filename in the environment variable SSH_AUTH_SOCK. When you start tmux, the value of that environment variable is included in tmux's global environment, which is inherited by any shells started in that session.

Now, when you reconnect to bastion01 later, a different socket is allocated to handle your key forwarding (since it's a new ssh session). You can see this by examining the value of SSH_AUTH_SOCK before you re-attach to your tmux session and after. In order for key forwarding to work inside tmux, you need to update the value of SSH_AUTH_SOCK inside tmux to the name of the socket being used by the current ssh session.

A quick-and-dirty way to do this is to write a short script that will save this new value to a file, and execute that inside any tmux window where you will be ssh-ing from.

#!/bin/bash
# Record the agent socket of the current login so shells inside tmux can pick it up.
echo "export SSH_AUTH_SOCK=$SSH_AUTH_SOCK" > ~/.auth_ssh

Execute that script as soon as you ssh into bastion01, but before you re-attach to your tmux session. Then, before you try to ssh anywhere from inside tmux, run the following:

source ~/.auth_ssh

Each tmux window has its own environment, so you'll need to run that in each window where you try to run ssh. For simplicity, you can alias ssh to do it for you:

alias ssh="source ~/.auth_ssh; ssh"

Note: this is a gross oversimplification of a script we use at work to update the SSH authorization information. If it doesn't work quite right, I hope this at least gives you enough information to google a better solution (or someone else posts a better solution here).
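The following is an added example that builds on the answer above; it is not the answerer's work script. It keeps the same file name (~/.auth_ssh) and the same save/load split, but adds two things a practitioner usually wants: the recorded path is only exported inside tmux if it still points at a live unix socket (so a file left over from an earlier login cannot silently replace a working value), and, when tmux is already running, the new path is also pushed into tmux's global environment so that freshly opened windows inherit it. The AUTH_SOCK_FILE variable and the function names are assumptions of this example.

```shell
#!/bin/bash
# Added example, not the original answer's script. Assumes sshd sets
# SSH_AUTH_SOCK for the outer login and that the tmux server runs as the
# same user. AUTH_SOCK_FILE is an assumed name; it defaults to the
# answer's ~/.auth_ssh.
AUTH_SOCK_FILE="${AUTH_SOCK_FILE:-$HOME/.auth_ssh}"

# True only if the argument is a unix socket that currently exists.
# Sockets of closed logins are removed by sshd, so a stale path fails here.
auth_sock_is_live() {
    [ -n "$1" ] && [ -S "$1" ]
}

# Run right after logging into the bastion, before `tmux attach`.
# Writes the current socket path with owner-only permissions: the file is
# read back as a path, but nobody else should be able to rewrite it.
save_auth_sock() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo "save_auth_sock: SSH_AUTH_SOCK is not set (no agent forwarded?)" >&2
        return 1
    fi
    ( umask 077; printf "export SSH_AUTH_SOCK='%s'\n" "$SSH_AUTH_SOCK" > "$AUTH_SOCK_FILE" ) || return 1
    # If a tmux server is up, update its global environment too, so windows
    # opened from now on inherit the new socket without sourcing anything.
    if command -v tmux >/dev/null 2>&1 && tmux has-session >/dev/null 2>&1; then
        tmux set-environment -g SSH_AUTH_SOCK "$SSH_AUTH_SOCK"
    fi
    return 0
}

# Print the socket path recorded by save_auth_sock. The file is parsed
# rather than sourced, so its content is never executed as shell code.
# Accepts both the quoted form written above and the answer's unquoted form.
read_auth_sock() {
    [ -r "$AUTH_SOCK_FILE" ] || return 1
    local line sock
    line=$(head -n 1 "$AUTH_SOCK_FILE")
    sock=${line#export SSH_AUTH_SOCK=}
    sock=${sock#\'}
    sock=${sock%\'}
    [ -n "$sock" ] || return 1
    printf '%s\n' "$sock"
}

# Run inside an existing tmux window before ssh-ing onward. Exports the
# recorded path only if it is a live socket; otherwise leaves the
# environment untouched and returns non-zero so the caller can notice.
load_auth_sock() {
    local sock
    sock=$(read_auth_sock) || return 1
    if ! auth_sock_is_live "$sock"; then
        echo "load_auth_sock: $sock is not a live agent socket; re-run save_auth_sock from a fresh login" >&2
        return 1
    fi
    export SSH_AUTH_SOCK="$sock"
}

# Same idea as the answer's alias, as a function: refresh the socket, then
# call the real ssh binary. A failed refresh is reported but does not block
# the connection, since password or per-host key auth may still work.
ssh() {
    load_auth_sock || echo "ssh: continuing without a refreshed agent socket" >&2
    command ssh "$@"
}
```

Put this in ~/.bashrc on the bastion, call save_auth_sock right after logging in, then attach to tmux; inside any existing window, ssh onward as usual and the wrapper refreshes SSH_AUTH_SOCK first. The liveness check is the part worth keeping even if you simplify the rest: without it, a window can end up pointing at a socket that no longer exists and every onward ssh falls back to asking for a passphrase or password, which looks like the original symptom.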
