I'm trying to build a piece of software inside a mock shell, and then deploy the build over the network using rsync / ssh. It would be more efficient and convenient to be able to deploy the build from inside the mock shell. The `--enable-network` option gets me half-way there already, but in addition, I would need ssh agent forwarding so that ssh has access to the appropriate keys (see 'ssh -A' and the ssh-agent and ssh-add commands).
It would be great to have a `--forward-ssh-agent` option that forwards the host's ssh agent to the build environment if `--enable-network` is used.
If `--enable-network` is not used, `--forward-ssh-agent` should probably be rejected or ignored to keep things safe.
At the implementation level, ssh agent forwarding consists of a UNIX domain socket file used to talk to the ssh agent, and the `SSH_AUTH_SOCK` environment variable that contains the name of that socket file. Mock would have to bind mount the socket file into the build environment and set SSH_AUTH_SOCK accordingly.
Commonly used ssh agents are ssh-agent and gnome-keyring-daemon. The ssh utility implements agent forwarding across hosts. With ssh and ssh-agent, SSH_AUTH_SOCK is something like `/tmp/ssh-XXXXXXXXXX/agent.YYYYYYY`. With gnome-keyring-daemon, the pattern is `/run/user/1000/keyring/ssh`. To keep things safe, the individual socket file should probably be bind mounted into the build environment, and not its entire containing directory.
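As an added illustration of the approach sketched in this issue (example code, not mock's own implementation), the checks a `--forward-ssh-agent` option could run before bind mounting the agent socket: refuse without `--enable-network`, accept only a real UNIX socket owned by the invoking user, and mount the single socket file rather than its directory. The in-chroot path `/run/host-ssh-agent.sock`, the build root path and the function names are assumptions.

```python
import os
import socket
import stat
import tempfile

CHROOT_AGENT_SOCK = "/run/host-ssh-agent.sock"  # hypothetical path inside the build root


def plan_agent_forward(root, sock_path, enable_network):
    """Validate the host agent socket; return the bind mount and env var to apply.

    Per the issue: refused without --enable-network, and only the socket file is
    mounted, never its parent directory (gnome-keyring keeps other sockets there).
    """
    if not enable_network:
        raise ValueError("--forward-ssh-agent requires --enable-network")
    if not sock_path:
        raise ValueError("SSH_AUTH_SOCK is unset; no agent to forward")
    st = os.lstat(sock_path)  # lstat: do not silently follow a symlink
    if stat.S_ISLNK(st.st_mode):
        raise ValueError("SSH_AUTH_SOCK is a symlink; refusing to forward it")
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError("SSH_AUTH_SOCK is not a UNIX domain socket")
    if st.st_uid != os.getuid():
        raise ValueError("agent socket belongs to another user")
    target = os.path.join(root, CHROOT_AGENT_SOCK.lstrip("/"))
    # A file bind mount needs an existing file as mount point: the caller would
    # create `target` empty and then run `mount --bind sock_path target`.
    return {"bind_mount": (sock_path, target), "env": {"SSH_AUTH_SOCK": CHROOT_AGENT_SOCK}}


def demo():
    """Exercise the planner on a constructed, throwaway agent-like socket."""
    root = "/var/lib/mock/example-chroot/root"  # assumed build root path
    with tempfile.TemporaryDirectory() as tmp:
        sock_path = os.path.join(tmp, "agent.12345")
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        listener.bind(sock_path)  # creates the socket file, as ssh-agent would
        try:
            accepted = plan_agent_forward(root, sock_path, enable_network=True)
            try:
                plan_agent_forward(root, sock_path, enable_network=False)
                refused = None
            except ValueError as err:
                refused = str(err)
        finally:
            listener.close()
    return accepted, refused
```

`demo()` returns the accepted plan for the networked case and the refusal message for the non-networked one; the actual mount and environment setup are left to the caller.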