
I frequently need to log into a VM that has no direct access to the internet or our source code repo. In the past I have circumvented this with a reverse port forward over ssh, but now my problem is that we use Yubikey local hardware tokens and I need to forward the request through my local machine, where I can press the key.

In the past, without the Yubikey, this is what I had:

Host bastion
  HostName 129.153.206.108

### The Remote Host
Host sredev1
  HostName 10.0.1.40
  ProxyJump bastion
  RemoteForward 7999 foo.mycorp.com:7999

Then, updating my local git as:

git remote set-url main localhost:7999

which allowed

git pull

However, the situation is more complicated and I need similar functionality; I am not particular on the method but I don't want to have syncing processes in place.

My ssh config at the moment is:

Host oci*.private.devops.scmservice.*.oci.oracleiaas.com
   User cbongior@bmc_operator_access
   IdentityAgent ~/.ssh/scm-agent.sock
   PKCS11Provider /usr/local/lib/libykcs11.dylib


Host fsretoolsint-jh-1
    Hostname 100.92.7.226
    User     jumpuser
    IdentityFile ~/.ssh/jumpuser.pkey

Host sredev2
  Port 22
  IdentityFile ~/.ssh/sredev2.key
  Hostname 10.196.169.56
  ProxyJump  fsretoolsint-jh-1
  RemoteForward 7999 oci.private.devops.scmservice.us-phoenix-1.oci.oracleiaas.com:22

And, for example, in a given repo I have:

git remote -v
origin  ssh://localhost:7999/namespaces/axuxirvibvvo/projects/VERM/repositories/fleetman (fetch)
origin  ssh://localhost:7999/namespaces/axuxirvibvvo/projects/VERM/repositories/fleetman (push)

And locally that same repo is:

origin  ssh://oci.private.devops.scmservice.us-phoenix-1.oci.oracleiaas.com/namespaces/axuxirvibvvo/projects/VERM/repositories/fleetman (fetch)
origin  ssh://oci.private.devops.scmservice.us-phoenix-1.oci.oracleiaas.com/namespaces/axuxirvibvvo/projects/VERM/repositories/fleetman (push)

On my vm this is what I get when I try git pull:

-> % git remote set-url origin ssh://localhost:7999/namespaces/axuxirvibvvo/projects/VERM/repositories/fleetman
cbongior@sredev2 [10:51:44 PM] [~/dev/oracle/fleetman] [main *]
-> % git fetch origin
cbongior@localhost: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Now, I know the local keypair isn't registered - and there is no point. We are set up to use YubiKeys to authenticate, and this is where I am stumped.

So, for architectural clarity, the arrangement is:

my laptop with YK -> jump host -> vm

and the tunnel arrangement is:

git server << my laptop << jump host << vm port 7999

I have created a reverse tunnel on the VM directing traffic on port 7999 to the git server on port 22. Question: How can I configure this to forward the ssh request to my local agent?
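One detail of the question that is easy to miss is the remote URL shape: `localhost:7999` without `ssh://` is git's scp-like syntax, where `7999` is read as a path on host `localhost`, not as a port. Only the `ssh://` form carries a port, which is why the later `git remote -v` output uses `ssh://localhost:7999/...`. The following is an added example (not code from the question) that rewrites either URL form so it goes through a local forward, and names the `known_hosts` entry the VM will see for the tunnel endpoint; the hostnames in the tests are the ones quoted in the question, everything else is constructed.

```python
"""Rewrite a git remote so it travels through a local port forward.

Added example, not code from the question. git reads 'host:path' (scp-like)
syntax as host 'localhost' and *path* '7999'; a port can only be carried by
the ssh:// form, so the rewrite must always emit ssh://<host>:<port>/<path>.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# scp-like remote: [user@]host:path, recognised only when no '/' precedes the ':'
SCP_LIKE = re.compile(r"^(?:(?P<user>[^@/]+)@)?(?P<host>[^:/]+):(?P<path>.+)$")


def via_forward(remote, port, listen_host="localhost"):
    """Return `remote` rewritten to reach listen_host:port over ssh://.

    Both the ssh:// form and the scp-like form are accepted. A scp-like path
    is relative to the login home, which the ssh:// form spells as '/~/'.
    """
    if "://" in remote:
        parts = urlsplit(remote)
        if parts.scheme != "ssh":
            raise ValueError(f"only ssh remotes can use an ssh tunnel: {remote}")
        userinfo = f"{parts.username}@" if parts.username else ""
        return urlunsplit(("ssh", f"{userinfo}{listen_host}:{port}", parts.path, "", ""))

    m = SCP_LIKE.match(remote)
    if not m:
        raise ValueError(f"not an ssh remote: {remote}")
    userinfo = f"{m['user']}@" if m["user"] else ""
    path = m["path"]
    if not path.startswith("/"):
        path = "/~/" + path          # home-relative in scp-like syntax
    return f"ssh://{userinfo}{listen_host}:{port}{path}"


def known_hosts_name(port, listen_host="localhost"):
    """Name ssh uses in known_hosts for a non-default port. The tunnel endpoint
    presents the git server's host key, not the laptop's or the VM's, so pin
    the server's key under this name on the VM instead of accepting whatever
    answers on first use."""
    return f"[{listen_host}]:{port}"


if __name__ == "__main__":
    # Constructed sample: the question's origin URL, rewritten for the forward.
    origin = ("ssh://oci.private.devops.scmservice.us-phoenix-1.oci.oracleiaas.com"
              "/namespaces/axuxirvibvvo/projects/VERM/repositories/fleetman")
    print(via_forward(origin, 7999))
    print(known_hosts_name(7999))
```

Run `git remote set-url origin "$(python3 rewrite.py)"` style, or just call `via_forward` on each remote; the point is that the scp-like shorthand from the earlier attempt never yields a port.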

  • Do you just need to use ForwardAgent? Alternatively: can you use sshfs on your local system? Then mount the directory from the remote system locally and then do git pull locally? Alternative 2: clone the repo locally, tar it, and untar it remotely. Commented Apr 9 at 17:57
  • You seem to be jumping across two different hosts to get to a git server on a third machine. Is that correct? Commented Apr 14 at 6:40
  • I wonder what was the point of asking a question and starting a bounty if you don’t reply to comments and answers of people who are trying to help you… Commented Apr 24 at 7:46
  • I didn't realize anyone had replied. And, no one took the bounty. Commented Apr 30 at 21:42

1 Answer


As suggested by muru in his comment, it looks like you could use SSH agent forwarding for this. Your .ssh/config would have to look like

Host sredev2
  …
  ForwardAgent ~/.ssh/scm-agent.sock
  PKCS11Provider /usr/local/lib/libykcs11.dylib

Note that you should only do this if you trust that VM.

Another way (which looks much more complicated without being safer) would be to configure the VM to connect to the git server by chaining SSH connections (not with ProxyJump but with something like ssh foo ssh bar which is generally bad practice).

You could do this in git by setting GIT_SSH_COMMAND="ssh local_machine ssh". If, as I guess, your VM cannot connect back to your local machine, you can do it through RemoteForward with

Host sredev2
  …
  RemoteForward 2222 localhost:22

And on your VM

Host local_machine
  Hostname localhost
  Port 2222

Then you need to have sshd running on your local machine, and some way for your user in the VM to authenticate on your local machine.
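Two ssh_config rules decide whether the answer's `ForwardAgent` line actually takes effect for sredev2: `Host` entries are shell-style globs (the question's `oci*.private.devops.scmservice.*.oci.oracleiaas.com` pattern matches the regional endpoint that way), and for every option the first matching value wins, so a `Host *` default placed above a per-host block silently overrides it. `ForwardAgent` itself accepts `yes`, `no`, a socket path or an environment variable name, and ssh checks a given path at connect time, which is the "No such file or directory" failure reported in the comment below. The following is an added example (not code from the question, the answer, or OpenSSH) that resolves a host's effective options with those semantics and lists the hosts a config forwards the agent to, which is the list worth reviewing before trusting a VM. The config it embeds is the question's, plus the answer's two lines for sredev2 and a trailing `Host *` block that is my assumption, not something the page configures.

```python
"""Resolve the options ssh would actually apply to a host from an ssh_config.

Added example; it is not code from the question or the answer. It models two
ssh_config rules: 'Host' entries are globs, and for each option the FIRST
matching value wins (a few options accumulate instead), so per-host blocks
must come before any 'Host *' defaults.
"""
import fnmatch

# Constructed config: the blocks quoted in the question, the ForwardAgent and
# PKCS11Provider lines the answer proposes for sredev2, and a trailing 'Host *'
# block (an assumption, not from the page) that denies agent forwarding by
# default so only explicitly listed hosts ever receive the agent.
SSH_CONFIG = """
Host oci*.private.devops.scmservice.*.oci.oracleiaas.com
   User cbongior@bmc_operator_access
   IdentityAgent ~/.ssh/scm-agent.sock
   PKCS11Provider /usr/local/lib/libykcs11.dylib

Host fsretoolsint-jh-1
    Hostname 100.92.7.226
    User     jumpuser
    IdentityFile ~/.ssh/jumpuser.pkey

Host sredev2
  Port 22
  IdentityFile ~/.ssh/sredev2.key
  Hostname 10.196.169.56
  ProxyJump  fsretoolsint-jh-1
  RemoteForward 7999 oci.private.devops.scmservice.us-phoenix-1.oci.oracleiaas.com:22
  ForwardAgent ~/.ssh/scm-agent.sock
  PKCS11Provider /usr/local/lib/libykcs11.dylib

Host *
  ForwardAgent no
  User cbongior
"""

# Options ssh accumulates across matching blocks instead of taking the first.
MULTI_VALUED = {"remoteforward", "localforward", "identityfile"}


def parse_blocks(text):
    """Split ssh_config text into (patterns, [(key, value), ...]) blocks.
    Options that appear before any 'Host' line apply to every host."""
    blocks = [(["*"], [])]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((key, value))
    return blocks


def host_matches(patterns, hostname):
    """ssh_config semantics: a '!pattern' entry excludes the block outright;
    otherwise any positive glob match selects it."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched


def resolve(text, hostname):
    """Return the options ssh applies to `hostname` (keys lower-cased).
    First matching value wins, except for the accumulating options."""
    opts = {}
    for patterns, entries in parse_blocks(text):
        if not host_matches(patterns, hostname):
            continue
        for key, value in entries:
            if key in MULTI_VALUED:
                opts.setdefault(key, []).append(value)
            elif key not in opts:
                opts[key] = value
    return opts


def forward_agent_hosts(text):
    """Host patterns whose block turns agent forwarding on. These are the
    entries to review: anyone with root on such a host can request signatures
    with your key for as long as the session lasts, and if the YubiKey slot
    requires a touch, that prompt is the only thing separating your requests
    from theirs."""
    return [
        " ".join(patterns)
        for patterns, entries in parse_blocks(text)
        for key, value in entries
        if key == "forwardagent" and value.lower() != "no"
    ]


if __name__ == "__main__":
    for host in ("sredev2", "fsretoolsint-jh-1",
                 "oci.private.devops.scmservice.us-phoenix-1.oci.oracleiaas.com"):
        print(host, resolve(SSH_CONFIG, host))
    print("agent forwarded to:", forward_agent_hosts(SSH_CONFIG))
```

With the `Host *` block last, sredev2 keeps its socket path while the jump host resolves to `ForwardAgent no`; move that block to the top and sredev2 loses forwarding too, which `ssh -G sredev2` would also show on a real system.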

  • I have no capacity to configure the VM. Client side solutions only Commented May 2 at 0:43
  • When I try this, I get: ``` Cannot forward agent socket path "/Users/cbongior/.ssh/scm-agent.sock": No such file or directory Received disconnect from UNKNOWN port 65535:2: Too many authentication failures Disconnected from UNKNOWN port 65535 ``` Commented May 2 at 0:46
