Bug 4436 - Support for SSH agent forwarding
Summary: Support for SSH agent forwarding
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Client platforms
Version: 3.4.0
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: LowPrio
Assignee: Peter Åstrand
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-10-17 13:53 CEST by Peter Åstrand
Modified: 2023-09-07 11:05 CEST
CC: 4 users

See Also:
Acceptance Criteria:


Attachments

Comment 1 Peter Åstrand cendio 2012-10-17 14:06:31 CEST
In principle, one should be able to activate agent forwarding by creating a ~/.thinlinc/config with:

Host *
    ForwardAgent yes

This does not work, though, because tlclient clears out SSH_AUTH_SOCK when not using smart cards.
Comment 2 Pierre Ossman cendio 2013-02-22 12:14:58 CET
The normal SSH client has an option "-A" that enables forwarding of the
authentication agent connection. I.e., if you have an ssh-agent and a suitable
environment variable SSH_AUTH_SOCK, the remote sshd will create a tunnel to it,
and set up a suitable SSH_AUTH_SOCK in the remote session.

One customer uses this approach for their customers: They have an ssh-agent on the client, and then use agent forwarding to all hosts. They asked if this could be used with ThinLinc. I've done a quick check and I believe it is possible to set up a solution like this. We would need to add -A to the ssh command line (or use a config file). Then, the main problem is that the SSH_AUTH_SOCK environment variable is not available in the TL session; only in the SSH one. Typically, you can work around this by executing:

export SSH_AUTH_SOCK=`echo /tmp/ssh-*/agent.*`

This works if this particular user has only one agent socket on this server. 

A better solution would be to use a "fixed" name tied to the session number.
thinlinc-login (which can see SSH_AUTH_SOCK) can then adjust the symbolic link
accordingly.
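The glob workaround in comment 2 silently picks an arbitrary socket when more than one agent socket exists, and it would also accept a stray non-socket file or another user's socket. The script below is an added example (not ThinLinc's own code, and not from the comment author): it locates the forwarded agent socket only if exactly one socket owned by the current user matches, refusing the ambiguous case, and then publishes it under a fixed per-session name as the comment proposes for thinlinc-login. The link directory `$HOME/.thinlinc` and the numeric session argument are assumptions made for the example; the base directory argument exists so the functions can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not ThinLinc code. Safer replacement for
#   export SSH_AUTH_SOCK=`echo /tmp/ssh-*/agent.*`
# plus a fixed-name link tied to a session number.
#
# Assumptions (not from the bug report): the caller supplies the session
# number, and the fixed link lives under $HOME/.thinlinc (name chosen here).

# find_agent_sock [BASEDIR]
#   Prints the single agent socket owned by the current user matching
#   BASEDIR/ssh-*/agent.* (BASEDIR defaults to /tmp).
#   Return codes: 0 exactly one found, 1 none found, 2 ambiguous (several).
find_agent_sock() {
  base="${1:-/tmp}"
  found=""
  count=0
  for s in "$base"/ssh-*/agent.*; do
    [ -S "$s" ] || continue     # must be a unix socket, not a stray file
    [ -O "$s" ] || continue     # must be owned by us, not another user's agent
    count=$((count + 1))
    found="$s"
  done
  [ "$count" -eq 0 ] && return 1
  [ "$count" -gt 1 ] && return 2   # refuse to guess between several agents
  printf '%s\n' "$found"
}

# link_agent_sock SESSION SOCK [LINKDIR]
#   Creates LINKDIR/agent.SESSION -> SOCK (LINKDIR defaults to
#   $HOME/.thinlinc), the way a login hook that still sees SSH_AUTH_SOCK
#   could do. Only links to a socket we own. Prints the link path.
link_agent_sock() {
  session="$1"; sock="$2"; linkdir="${3:-$HOME/.thinlinc}"
  case "$session" in
    ''|*[!0-9]*) return 1 ;;       # session number must be numeric
  esac
  [ -S "$sock" ] && [ -O "$sock" ] || return 1
  mkdir -p "$linkdir" && chmod 700 "$linkdir" || return 1
  link="$linkdir/agent.$session"
  ln -sfn "$sock" "$link" || return 1
  printf '%s\n' "$link"
}

# Example flow for session 1 (assumed number): resolve, publish, then point
# the session's SSH_AUTH_SOCK at the stable name instead of the /tmp glob.
#   sock=$(find_agent_sock) && link=$(link_agent_sock 1 "$sock") \
#     && export SSH_AUTH_SOCK="$link"
```

Because the link is a symlink to the socket rather than a copy, the forwarded agent keeps working while the link name stays stable across reconnects; a second agent started inside the session (the case raised in comment 4) shows up as return code 2 instead of being picked at random.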
Comment 4 Pierre Ossman cendio 2018-12-07 13:41:18 CET
Other issues to think about:

 * Should we forward the key used by the ThinLinc client? Or the smart card?

 * What if the user wants to run an agent inside the session as well?
Comment 5 Pierre Ossman cendio 2018-12-07 13:49:00 CET
GNOME likes to start its own SSH agent. See info here:

https://wiki.archlinux.org/index.php/GNOME/Keyring
Comment 8 Pierre Ossman cendio 2022-07-05 10:15:49 CEST
Note that OpenSSH has added some security improvements to the forwarding:

https://www.openssh.com/agent-restrict.html
Comment 9 Aaron Sowry cendio 2023-09-07 10:45:23 CEST
Another benefit of this would be the ability to use GPG sub-keys to authenticate with ThinLinc via gpg-agent. gpg-agent supports ssh-agent emulation, so in theory we should get this feature "on the house".

Extracting a GPG sub-key in SSH format is non-trivial these days, so those who use gpg-agent for SSH authentication will have a hard time using the same key with ThinLinc.
Comment 10 Aaron Sowry cendio 2023-09-07 11:05:29 CEST
(In reply to Aaron Sowry from comment #9)
> Another benefit of this would be the ability to use GPG sub-keys to
> authenticate with ThinLinc via gpg-agent. gpg-agent supports ssh-agent
> emulation, so in theory we should get this feature "on the house".
> 
> Extracting a GPG sub-key in SSH format is non-trivial these days, so those
> who use gpg-agent for SSH authentication will have a hard time using the
> same key with ThinLinc.

This is more relevant to bug #4534
