in reply to Re^3: Establishing SSH tunnel and opening another SSH connection through it
in thread Establishing SSH tunnel and opening another SSH connection through it

After editing OpenSSH.pm to not disable publickey, and not getting anywhere while being able to run the same ssh command manually, I got stuck. The problem is public key authentication (the key is coming from ssh-agent, NOT the local file) to the gateway host. Here is what happens with the one called from Perl:
# call args: ['ssh','-o','CheckHostIP no','-o','HashKnownHosts no','-o','StrictHostKeyChecking no','-o','VerifyHostKeyDNS no','-o','UserKnownHostsFile /dev/null','-o','HostbasedAuthentication no','-o','ChallengeResponseAuthentication no','-o','RhostsRSAAuthentication no','-o','GSSAPIAuthentication no','-o','ProxyCommand=ssh -o "PasswordAuthentication no" -o "GSSAPIAuthentication no" -vvv -k root@192.168.1.1 nc %h 22','-o','PasswordAuthentication yes','-o','PubkeyAuthentication yes','-o','ServerAliveInterval=30','-x2MN','-o','NumberOfPasswordPrompts=1','-o','PreferredAuthentications=publickey,keyboard-interactive,password','-S','/root/.libnet-openssh-perl/root-10.20.30.40-16309-99228','-l','root','10.20.30.40','--']
Output from perl:
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-with-mic,password
debug3: preferred publickey,keyboard-interactive
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug3: no such identity: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-with-mic,password).
And this one is manual:
ssh -o "CheckHostIP no" -o "HashKnownHosts no" -o "StrictHostKeyChecking no" -o "VerifyHostKeyDNS no" -o "UserKnownHostsFile /dev/null" -o "PasswordAuthentication yes" -o "PubkeyAuthentication yes" -o "ProxyCommand=ssh -vvv root@192.168.1.1 nc %h 22" -o "ServerAliveInterval=30" -x2MN -o "NumberOfPasswordPrompts=1" -o "PreferredAuthentications=publickey,keyboard-interactive,password" -S /tmp/zzz -l root 10.20.30.40
Output:
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering DSA public key: /HOME/MY_KEY.DSA
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 432

Re^5: Establishing SSH tunnel and opening another SSH connection through it
by salva (Canon) on Feb 09, 2012 at 08:37 UTC
    That happens because requesting password authentication disables the authentication agent.

    The solution is just to not ask for password authentication in the gateway:

    my $ssh_gw = Net::OpenSSH->new($gw); # no password given, authenticate
                                         # using public key on the gateway
    my $proxy_command = $ssh_gw->make_remote_command('nc %h %p');
    my $ssh = Net::OpenSSH->new($host,
                                password => $password, # request password authentication
                                master_opts => [-o => "ProxyCommand=$proxy_command"]);
      That was it! I was pretty sure that ProxyCommand goes by itself, is non-interactive and uses only public key. And whatever is requested in OpenSSH->new() applies to the destination host. Thank you for the help.
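
Added example, not part of the thread and not Net::OpenSSH code: a small Perl check that tells the two `ssh -vvv` traces in the original post apart by whether the client ever offered a key or only probed the default identity files. The function name and verdict strings are assumptions of this example; the sample lines are excerpted from the two logs quoted in the post.

```perl
use strict;
use warnings;

# Summarise what the ssh client did during the publickey phase of a debug log.
sub classify_pubkey_phase {
    my @lines = @_;
    my %r = (offered => [], missing => [], accepted => 0, gave_up => 0);
    for (@lines) {
        if    (/^debug1: Offering (?:\S+ )?public key: (\S+)/)      { push @{ $r{offered} }, $1 }
        elsif (/^debug3: no such identity: (\S+)/)                  { push @{ $r{missing} }, $1 }
        elsif (/^debug1: Server accepts key/)                       { $r{accepted} = 1 }
        elsif (/^debug2: we did not send a packet, disable method/) { $r{gave_up} = 1 }
    }
    $r{verdict} =
        $r{accepted}     ? 'key offered and accepted'
      : @{ $r{offered} } ? 'keys offered but none accepted'
      : $r{gave_up}      ? 'no key offered: nothing came from an agent and no identity file exists'
      :                    'publickey phase not seen in log';
    return \%r;
}

# Sample input: excerpts of the two traces from the post (called from Perl, then manual).
my $from_perl = <<'LOG';
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug3: no such identity: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
LOG

my $manual = <<'LOG';
debug1: Next authentication method: publickey
debug1: Offering DSA public key: /HOME/MY_KEY.DSA
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 432
LOG

for my $case ([perl => $from_perl], [manual => $manual]) {
    my ($name, $log) = @$case;
    my $r = classify_pubkey_phase(split /\n/, $log);
    printf "%-6s %s\n", $name, $r->{verdict};
    printf "       missing identity files: %s\n", join ', ', @{ $r->{missing} } if @{ $r->{missing} };
}
```

A trace that goes straight from "Trying private key" to "we did not send a packet" with no "Offering" line is the signature of the gateway hop running without agent keys, which is the situation salva's reply resolves.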