SSH agent forwarding does not work even with "ssh -A"

First, I checked all of the following

but none of it helped. So my question is as follows:

I can SSH from A to B, or from A to C, but not from A to B and then from B to C. When connecting from A to B or C, I always use ssh -A to force SSH agent forwarding.
But why can I still not connect A -> B -> C without being asked for a password?

Update: almost three years later, the same problem still bothers me, but I have now narrowed it down a bit:

Symptom: I can ssh A -> B and A -> C, but not A -> B -> C or A -> C -> B

The problem is exactly what the title says: SSH agent forwarding does not work

Troubleshoot SSH issues
https://confluence.atlassian.com/bitbucket/troubleshoot-ssh-issues-271943403.html

It says:

To list the loaded keys, type ssh-add -l. If you don't see the SSH key you want to use...

then there is a problem: the SSH key you want to use has not been loaded.

This is what happens to me on A -> B or A -> C. That is, after I ssh -A into the intermediate server, the SSH key is missing: not forwarded and not loaded.

$ ssh-add -l
The agent has no identities.

That is why I cannot continue to ssh without a password.

It does have the SSH_AUTH_SOCK variable set, and there are several ssh-agent processes around:

$ echo "$SSH_AUTH_SOCK"
/tmp/ssh-RtEuLOmFDBet/agent.3722

$ ps -e  | grep [s]sh-agent
 3723 ?        00:00:00 ssh-agent
 4613 ?        00:00:00 ssh-agent

It does not seem to be related to my own environment, since that is identical, or to the /etc/ssh/sshd_config file, since I compared the working and the non-working ones from the intermediate servers.

End of update.

More information: all three machines have the standard Ubuntu ssh configuration. That is, the AllowAgentForwarding option is not in /etc/ssh/sshd_config, although I doubt it should be, because I have seen "Since agent forwarding is on by default, removing any AllowAgentForwarding line from sshd_config is enough." (Does ssh-agent forwarding require extra configuration?)

Some say ssh-add works, but when I do that on B or C it asks me "Enter passphrase for .ssh/id_rsa". Some say to check SSH_AUTH_SOCK, but I do have it on B or C (from A to B, or from A to C):

$ env | grep SSH_AUTH_SOCK
SSH_AUTH_SOCK=/tmp/ssh-RTScJ5PZh9Mh/agent.2083

Does agent forwarding fail because the AllowAgentForwarding option is missing? If so, which machine (A, B or C) should I put it in? Is ssh -A not enough? Also, I have the .ssh/id_rsa file on both B and C; is that why ssh-add asks for a passphrase?

Edit:

Here is the -Avvv log from B to C:

OpenSSH_6.2p2 Ubuntu-6ubuntu0.1, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /home/myid/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to boxc.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/myid/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /home/myid/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
debug1: identity file /home/myid/.ssh/id_rsa-cert type -1
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/myid/.ssh/id_dsa" as a RSA1 public key
debug1: identity file /home/myid/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: identity file /home/myid/.ssh/id_dsa-cert type -1
debug1: identity file /home/myid/.ssh/id_ecdsa type -1
debug1: identity file /home/myid/.ssh/id_ecdsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2p2 Ubuntu-6ubuntu0.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2p2 Ubuntu-6
debug1: match: OpenSSH_6.2p2 Ubuntu-6 pat OpenSSH*
debug2: fd 3 setting O_NONBLOCK
debug3: put_host_port: boxc
debug3: load_hostkeys: loading entries for host "boxc" from file "/home/myid/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/myid/.ssh/known_hosts:15
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: zlib@openssh.com,zlib,none
debug2: kex_parse_kexinit: zlib@openssh.com,zlib,none
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-md5-etm@openssh.com
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com zlib@openssh.com
debug2: mac_setup: found hmac-md5-etm@openssh.com
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com zlib@openssh.com
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA ed:26:20:93:4c:88:ef:17:70:e3:d4:7a:42:4c:8e:69
debug3: put_host_port: [192.168.2.122]:21
debug3: put_host_port: boxc
debug3: load_hostkeys: loading entries for host "boxc" from file "/home/myid/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/myid/.ssh/known_hosts:15
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries from file "/home/myid/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/myid/.ssh/known_hosts:16
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'boxc' is known and matches the RSA host key.
debug1: Found key in /home/myid/.ssh/known_hosts:15
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/myid/.ssh/id_rsa (0x7f7e....e760),
debug2: key: /home/myid/.ssh/id_dsa (0x7f7e....e7a0),
debug2: key: /home/myid/.ssh/id_ecdsa ((nil)),
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/myid/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 149
debug2: input_userauth_pk_ok: fp 22:32:...:1d:e3
debug3: sign_and_send_pubkey: RSA 22:32:...:1d:e3
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/home/myid/.ssh/id_rsa': 

I compared it with my normal session (A->C) and found no difference except for the last 3 lines, starting with "key_parse_private_pem: PEM_read_PrivateKey failed". The normal session has instead:

debug1: Enabling compression at level 6.
debug1: Authentication succeeded (publickey).
Authenticated to boxc

Everything else is identical.

Again, my environment:

$ apt-cache policy openssh-server
openssh-server:
  Installed: 1:6.2p2-6ubuntu0.1
  Candidate: 1:6.2p2-6ubuntu0.4
  Version table:
     1:6.2p2-6ubuntu0.4 0
        500 http://archive.ubuntu.com/ubuntu/ saucy-updates/main amd64 Packages
     1:6.2p2-6ubuntu0.3 0
        500 http://security.ubuntu.com/ubuntu/ saucy-security/main amd64 Packages

% sshd -v
sshd: illegal option -- v
OpenSSH_6.2p2 Ubuntu-6ubuntu0.1, OpenSSL 1.0.1e 11 Feb 2013

Thanks
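The question's own output already contains the decisive clue: SSH_AUTH_SOCK points at agent.3722 and an ssh-agent process with pid 3723 is running. ssh-agent names its socket after its pre-fork pid, so an agent whose pid is one above the socket's number is the signature of an agent started locally on that host, whereas a socket that sshd created for forwarding is held by the session's sshd process. The script below, added here as an illustration and not part of the original post, makes that check explicit by asking ss -xlp which process listens on the socket. It demonstrates on a constructed sample shaped like the question's values; the Linux-only ss command and the "run" argument are assumptions.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). Run it on the intermediate
# host (B) inside an "ssh -A" session. Assumptions: Linux with iproute2's "ss"
# and ssh-add on the PATH.
#
# The socket named by SSH_AUTH_SOCK is a UNIX socket. If forwarding is in
# effect, the process listening on it is "sshd" (the per-session server that
# relays agent requests back to A). If a login script started its own agent,
# the listener is "ssh-agent" and the forwarded socket has been hidden.

# Constructed sample in the shape of "ss -xlp" output, modelled on the
# question's values: agent.3722 belongs to a local ssh-agent with pid 3723
# (ssh-agent names the socket after its pre-fork pid, so the agent usually
# gets the next pid), while agent.4611 is held by sshd.
SAMPLE_SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
u_str LISTEN 0      128    /tmp/ssh-RtEuLOmFDBet/agent.3722 26391 * 0 users:(("ssh-agent",pid=3723,fd=3))
u_str LISTEN 0      128    /tmp/ssh-kQ2tOdw9Ts/agent.4611 27102 * 0 users:(("sshd",pid=4612,fd=9))'

# socket_listener SOCK_PATH  (reads "ss -xlp" output on stdin)
# Prints the command name of the process listening on SOCK_PATH, or "unknown".
socket_listener() {
    awk -v sock="$1" '
        index($0, sock) > 0 && match($0, /users:\(\("[^"]*"/) {
            print substr($0, RSTART + 9, RLENGTH - 10)   # strip users:((" and the closing quote
            found = 1
            exit
        }
        END { if (!found) print "unknown" }'
}

# classify_listener NAME -> forwarded | local-agent | unknown
classify_listener() {
    case "$1" in
        sshd)      echo forwarded ;;
        ssh-agent) echo local-agent ;;
        *)         echo unknown ;;
    esac
}

# Live check for the current shell. Returns 0 only when the socket is sshd's.
check_agent_forwarding() {
    if [ -z "${SSH_CONNECTION-}" ]; then
        echo "not inside an ssh session"; return 1
    fi
    if [ -z "${SSH_AUTH_SOCK-}" ]; then
        echo "SSH_AUTH_SOCK is unset: forwarding was not requested (ssh -A) or sshd refused it"; return 1
    fi
    listener=$(ss -xlp 2>/dev/null | socket_listener "$SSH_AUTH_SOCK")
    verdict=$(classify_listener "$listener")
    echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK listener=$listener verdict=$verdict"
    ssh-add -l   # "The agent has no identities." together with verdict=local-agent is the symptom from the question
    [ "$verdict" = forwarded ]
}

# Demonstration on the constructed sample; prints "ssh-agent -> local-agent".
demo=$(printf '%s\n' "$SAMPLE_SS_OUTPUT" | socket_listener /tmp/ssh-RtEuLOmFDBet/agent.3722)
echo "$demo -> $(classify_listener "$demo")"

# Live use inside the ssh -A session:  sh agent-check.sh run
if [ "${1-}" = run ]; then check_agent_forwarding; fi
```

A verdict of local-agent on B means something in B's login sequence started an agent after sshd had already exported the forwarded socket, which is what ssh-add -l reporting "The agent has no identities." on B indicates.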

Answer 1

I have been trying to solve this problem for 7 years, and it is finally solved: I was starting keychain from my ~/.profile at login, and it started its own ssh-agent, even on machines B and C. That was the source of the problem, because the ssh-agent started by keychain masked the one provided by sshd.

Removing it (keychain) from my ~/.profile solved the problem.

Update: another possibility is that ssh-agent and the like are often started as part of the GUI startup on the local system. For example, in another case the call was hidden in /etc/X11/xdm/sys.xsession

I confirmed that my SSH agent forwarding works by running the following from MachineA:

ssh -t MachineB ssh MachineC

whereas at the time, ssh MachineB followed by ssh MachineC from inside it failed.

From now on I will start it (ssh-agent, keychain, etc.) manually and only on machine A.
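The rule this answer arrives at (start an agent only where none is already reachable) can be enforced in ~/.profile rather than remembered. The fragment below is an added example, not the answerer's code: it starts keychain only when nothing answers on SSH_AUTH_SOCK, using the exit status of ssh-add -l to tell a live agent (forwarded or local) from a stale socket path. keychain itself, the key name id_rsa and its --eval/--quiet options are assumptions about the reader's setup; the decision is kept in a separate function so it can be exercised without a live agent.

```shell
#!/bin/sh
# Added example (not from the original answer): a ~/.profile guard that starts
# keychain only when no agent already answers on SSH_AUTH_SOCK, so a socket
# forwarded from machine A is never replaced by a local agent on B or C.
# Assumptions: keychain is installed and the key to load is ~/.ssh/id_rsa.
#
# "ssh-add -l" exit status: 0 = agent reachable and holds keys,
#                           1 = agent reachable but empty,
#                           2 = no agent answers on SSH_AUTH_SOCK.

# need_local_agent SOCK_VALUE SSH_ADD_STATUS -> yes | no
# Pure decision function, so it can be exercised without a live agent.
need_local_agent() {
    sock="$1"
    status="$2"
    if [ -z "$sock" ]; then
        echo yes                  # nothing forwarded, nothing inherited
        return
    fi
    case "$status" in
        0|1) echo no ;;           # a forwarded (or earlier local) agent is alive: keep it
        *)   echo yes ;;          # stale path, e.g. left over from a previous login
    esac
}

# Probe the current environment and apply the decision. Call this from ~/.profile.
start_agent_if_needed() {
    ssh-add -l >/dev/null 2>&1
    st=$?
    if [ "$(need_local_agent "${SSH_AUTH_SOCK-}" "$st")" = yes ]; then
        eval "$(keychain --eval --quiet id_rsa)"   # assumption: keychain installed, key is id_rsa
    else
        echo "using existing agent on $SSH_AUTH_SOCK"
    fi
}

# Decision table for the three situations a login shell can meet.
echo "no socket, ssh-add status 2        -> $(need_local_agent '' 2)"                                   # yes
echo "forwarded socket, ssh-add status 0 -> $(need_local_agent /tmp/ssh-RTScJ5PZh9Mh/agent.2083 0)"     # no
echo "stale socket, ssh-add status 2     -> $(need_local_agent /tmp/ssh-stale/agent.1 2)"               # yes
```

Unlike the guard on the environment variable alone, probing with ssh-add -l also catches the case where SSH_AUTH_SOCK was inherited from a dead agent. keychain's --inherit option (see keychain(1)) governs whether keychain adopts an existing socket; the guard above makes the decision before keychain is involved at all.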

Answer 2

One more reason: if the target host's fingerprint does not match the one in your ~/.ssh/known_hosts, SSH automatically disables agent forwarding.

The solution is:

$ ssh -A -o UserKnownHostsFile=/dev/null  my-target-host

After SSHing into the remote/intermediate host, verify that agent forwarding is in effect with:

remote-host$  echo $SSH_AUTH_SOCK
/tmp/ssh-AyHL6WclXl/agent.107234     <== Means Agent Forwarding is in effect.
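The behaviour this answer describes is ssh's host-key mismatch handling: when the key the host presents differs from the known_hosts record and StrictHostKeyChecking is off, ssh still opens the session but drops agent forwarding (and X11 and port forwarding) and says so on stderr. Pointing UserKnownHostsFile at /dev/null makes every host look new, which removes the very check that produced the warning. The added example below, not part of the original answer, recognises that warning in ssh -v output, locates the stale known_hosts entry so it can be removed with ssh-keygen -R, and reconnects with checking still enabled. The transcript and known_hosts file it runs on are constructed samples with dummy key material; the host names are modelled on the question's boxc.

```shell
#!/bin/sh
# Added example (not from the original answer). With StrictHostKeyChecking off,
# a host whose key no longer matches ~/.ssh/known_hosts still gets a session,
# but ssh prints a line saying agent forwarding was disabled; the first function
# detects it in "ssh -v" output. The second finds the stale entry so it can be
# removed with ssh-keygen -R, which keeps host-key checking intact instead of
# discarding it via UserKnownHostsFile=/dev/null.
# Assumptions: POSIX sh and awk; ssh/ssh-keygen are only needed by refresh_host_key.

# Constructed "ssh -v" excerpt (not a real capture) in the shape ssh prints
# when the recorded host key differs from the one presented.
SAMPLE_SSH_LOG='@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
Agent forwarding is disabled to avoid man-in-the-middle attacks.
X11 forwarding is disabled to avoid man-in-the-middle attacks.
debug1: Authentication succeeded (publickey).'

# Constructed known_hosts with dummy key material (these are not valid keys).
SAMPLE_KNOWN_HOSTS='boxb,192.168.2.121 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQDdummykey1
boxc ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQDdummykey2
|1|c2FsdHNhbHRzYWx0c2FsdHNhbHQ=|aGFzaGhhc2hoYXNoaGFzaGhhc2g= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQDdummykey3
@revoked boxd ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQDdummykey4'

# forwarding_refused_for_mitm  (reads an ssh -v transcript on stdin) -> yes | no
forwarding_refused_for_mitm() {
    if grep -q 'Agent forwarding is disabled to avoid man-in-the-middle attacks'; then
        echo yes
    else
        echo no
    fi
}

# known_hosts_lines HOST  (reads a known_hosts file on stdin)
# Prints the line number of every plain-text entry naming HOST. Hashed lines
# ("|1|salt|hash") cannot be matched by name; use "ssh-keygen -F HOST" for those.
# Non-default ports are recorded as "[host]:port" and must be passed in that form.
known_hosts_lines() {
    awk -v host="$1" '
        NF == 0 || /^[ \t]*#/ { next }
        {
            f = ($1 ~ /^@/) ? $2 : $1        # @cert-authority / @revoked markers shift the host field
            if (f ~ /^\|1\|/) next
            n = split(f, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == host) { print NR; break }
        }'
}

# Live remediation, only after the new fingerprint was confirmed out of band:
# drop the stale record, then reconnect with checking still enforced so ssh
# asks you to confirm the replacement key instead of silently trusting it.
refresh_host_key() {
    ssh-keygen -R "$1" && ssh -A -o StrictHostKeyChecking=ask "$1"
}

# Demonstration on the constructed data: prints "yes" and then "2".
printf '%s\n' "$SAMPLE_SSH_LOG" | forwarding_refused_for_mitm
printf '%s\n' "$SAMPLE_KNOWN_HOSTS" | known_hosts_lines boxc
```

If the warning appears and you did not expect the host's key to change, the right move is to stop and verify the host, not to make ssh forget what it knew: the disabled forwarding is protecting the agent on A from whatever is answering at that address.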

Answer 3

I had a different problem, involving several misconfigurations.

I am posting what I did in case it helps other users.

A -> B

I had ssh-agent running on both A and B.

Running it on B hid A's.
