In principle, one should be able to activate agent forwarding by creating a ~/.thinlinc/config with:
This does not work, though, because tlclient clears out SSH_AUTH_SOCK when not using smart cards.
The normal SSH client has an option "-A" that enables forwarding of the
authentication agent connection. Ie, if you have an ssh-agent and a suitable
environment variable SSH_AUTH_SOCK, the remote sshd will create a tunnel to it,
and setup a suitable SSH_AUTH_SOCK in the remote session.
One customer uses this approach for their customers: They have an ssh-agent on the client, and then uses agent forwarding to all hosts. They asked if this could be used with ThinLinc. I've done a quick check and I believe it is possible to setup a soltuion like this. We would need to add -A to the ssh command line (or use a config file). Then, the main problem is that the SSH_AUTH_SOCK environment variable is not available in the TL session; only in the SSH one. Typically, you can work around this by executing:
export SSH_AUTH_SOCK=`echo /tmp/ssh-*/agent.*`
This works if this particular user has only one agent socket on this server.
A better solution would be to use a "fixed" name tied to the session number.
thinlinc-login (which can see SSH_AUTH_SOCK) can then adjust the symbolic link
Other issues to think about:
* Should we forward the key used by the ThinLinc client? Or the smart card?
* What if the user wants to run an agent inside the session as well?
GNOME likes to start its own SSH agent. See info here:
Note that OpenSSH has added some security improvements to the forwarding:
Another benefit of this would be the ability to use GPG sub-keys to authenticate with ThinLinc via gpg-agent. gpg-agent supports ssh-agent emulation, so in theory we should get this feature "on the house".
Extracting a GPG sub-key in SSH format is non-trivial these days, so those who use gpg-agent for SSH authentication will have a hard time using the same key with ThinLinc.
(In reply to Aaron Sowry from comment #9)
> Another benefit of this would be the ability to use GPG sub-keys to
> authenticate with ThinLinc via gpg-agent. gpg-agent supports ssh-agent
> emulation, so in theory we should get this feature "on the house".
> Extracting a GPG sub-key in SSH format is non-trivial these days, so those
> who use gpg-agent for SSH authentication will have a hard time using the
> same key with ThinLinc.
This is more relevant to bug #4534