
SSH-Agent for SecureGateway

Hello together,


Many colleagues asked me if it's possible to use an ssh-agent for secure-gateway authentication (e.g. Pageant). Now it looks like that didn't work.


Is it planned to implement a feature like this in further versions?


Greetings

Frank


3 people like this idea

Yes, I just tested it, this seems to be working! Thx!


When can we expect this to be officially released?



Great to hear that. Maybe this or next week a new release will be published.

great news, thanks again

Thanks Stefan and your colleagues.

Secure gateway works now with Pageant.


I only have a little side effect:

If I connect via a secure gateway, it makes the tunnel to the destination.

This creates a random source port on the gateway, if I understand correctly.

After that it connects to the destination machine to the ssh port.


So, every time I connect via secure gateway, I receive the message that the host key is not cached.

I [Accept] the key from 127.0.0.1 (port <RANDOM>), which puts the key in the cache, but after another logon it asks again.


How can this be prevented?




I think you should be able to prevent this dialog by storing the fingerprint and enabling the Use Hostkey option in the PuTTY connection configuration:

https://docs.royalapps.com/r2023/royalts/reference/connections/terminal-putty.html#use-hostkey


Let me know if this helps.


Regards,
Stefan

Hi Stefan,


this helped a bit, but "Use host key > Fingerprint" only supports MD5 fingerprint entries.


But the response from the destination host sshd via secure gateway tunnel is ssh-rsa SHA256.


So, getting the MD5 fingerprint from a machine only reachable behind a tunnel is not easy imho.


I was hopping manually and used the way from https://superuser.com/questions/929566/sha256-ssh-fingerprint-given-by-the-client-but-only-md5-fingerprint-known-for-se to find out the MD5 fingerprint, but this is a pain, if I should do this for all machines before I can use them via gateway.


Isn't there a way to automatically put such a fingerprint to the machine's "Advanced > SSH Settings > General: Use host key > Fingerprint" entry (with support for modern hashed fingerprints and not only MD5)?


If I connect to a new secure gateway for example it also puts the MD5 fingerprint automatically to the "Advanced > Security > General : Fingerprint" entry.
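The MD5 and SHA256 fingerprints discussed in the post above are hashes of the same public key blob, so both can be computed offline from a host's public key line. The following is an added example, not part of the original thread or of Royal TS; the sample key is constructed and the function names are illustrative.

```python
import base64
import hashlib
import struct


def build_sample_line():
    """Constructed sample line (dummy key bytes, not a real host key)."""
    algo = b"ssh-ed25519"
    key = bytes(range(32))
    blob = struct.pack(">I", len(algo)) + algo + struct.pack(">I", len(key)) + key
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


def fingerprints(line):
    """Return (key_type, md5_fp, sha256_fp) for a .pub or known_hosts style line.

    Accepts '<type> <base64> [comment]' and '<host> <type> <base64>'.
    """
    fields = line.split()
    for i in range(1, len(fields)):
        try:
            blob = base64.b64decode(fields[i], validate=True)
        except ValueError:  # binascii.Error is a ValueError: not a key blob
            continue
        if len(blob) < 4:
            continue
        # The blob begins with a length-prefixed algorithm name, which must
        # equal the key type written in front of it.
        (n,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + n] != fields[i - 1].encode():
            continue
        md5_hex = hashlib.md5(blob).hexdigest()
        md5_fp = ":".join(md5_hex[j:j + 2] for j in range(0, 32, 2))
        digest = hashlib.sha256(blob).digest()
        sha256_fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
        return fields[i - 1], md5_fp, sha256_fp
    raise ValueError("no public key blob matching its declared key type found")


if __name__ == "__main__":
    for part in fingerprints(build_sample_line()):
        print(part)
```

The input line can be taken from the destination host's `/etc/ssh/ssh_host_*_key.pub` file, so the MD5 and SHA256 values for one key can be compared side by side.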

Since you are using the PuTTY plugin, there's not much we can do. When you use the Rebex plugin we can do more in this regard. Sorry to be the bearer of bad news.

Hi Stefan,

I tried Rebex terminal plugin for the destination host connection using the same (rebex based) Secure Gateway with enabled Pageant Auth. Agent.

It shows me a responded ssh-dss fingerprint from the destination host, which can be written in the connection object. So far, so good.




But after that, it asks for a SSH Auth. Request and asks for credentials.




I already also configured the Pageant Auth. Agent in the host connection object, but this does not seem to work.





If I connect to the gateway host using the Rebex plugin with Pageant and then connect to the destination host via ssh, this works without any additional authentication.



What is the issue now ?O.o?

Not sure what's going on but I suggest you enable verbose logging to see the communication/flow of the ssh connection.

Hmm, another issue seems to be that Rebex has no option to forward X11, which definitely is needed for our business.


So, I think, I still have to go with PuTTY plugin and need to determine all MD5 fingerprints of the hosts.


But thanks anyway.

That's true, X11 forwarding is only available using PuTTY.
