Ssh-agent

ssh-agent acts as a key repository for ssh, enabling ssh to use these keys for authentication without asking for a password.

'''Note that using ssh-agent is only safe on systems where root is trusted. This applies to authentication-forwarding as well.'''

To use it, you will first have to use ssh-keygen to generate at least one keypair. Remember to use a passphrase, as keys without passphrases are very vulnerable. A very short example of how to do this:

$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/esben/.ssh/id_dsa):(press return)
Enter passphrase (empty for no passphrase):(enter passphrase)
Enter same passphrase again:(repeat passphrase)
Your identification has been saved in /home/esben/.ssh/id_dsa.
Your public key has been saved in /home/esben/.ssh/id_dsa.pub.
The key fingerprint is:
50:14:dc:aa:da:de:aa:d3:d7:84:ab:cc:e6:43:b0:42 esxxn@skxxxxxn.dk

Remember to use a passphrase. Next you must append the newly generated public key to the remote user's ~/.ssh/authorized_keys2 on the remote host. E.g.

$ cd
$ scp .ssh/id_dsa.pub remote_user@remote_host:
$ ssh remote_user@remote_host
$ cat id_dsa.pub >> .ssh/authorized_keys2
$ rm id_dsa.pub
$ exit

You should now be able to log in to remote_user@remote_host using the passphrase you just entered above instead of your password. Try it:

$ ssh remote_user@remote_host
(enter passphrase)

Now you can use ssh-agent. Just running ssh-agent will cause it to spew out some shell commands meant to be executed. To actually make it do anything, you need to use something like

$ eval `ssh-agent`

Note the backticks. You can now load your key into ssh-agent's repository:

$ ssh-add
(enter passphrase)

You should now be able to ssh to the remote server without entering a password.

It is entirely possible to set up a login script that uses ssh-agent directly. However, it is simpler to use keychain. With keychain installed, all you need to do is add something like this to your ~/.profile or ~/.bashrc:

$ keychain -q --nolock
$ source ~/.keychain/`uname -n`-sh >/dev/null

With this setup you will only need to use ssh-add once per reboot. You can then ssh password-less to any host where you have installed your id, in a safe and secure manner.
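
For comparison, a login script that uses ssh-agent directly, as mentioned above, could look like the following. This is an added example, not part of the original page and not keychain's code; the cache file ~/.ssh/agent.env and the function names are assumptions.

```shell
#!/bin/sh
# Added example: reuse one ssh-agent across logins instead of starting a
# new agent in every shell. Names and the cache path are hypothetical.
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# Pull one variable (SSH_AUTH_SOCK or SSH_AGENT_PID) out of saved
# `ssh-agent -s` output. The file is parsed rather than eval'ed, so
# anything else written into it is never executed.
agent_var() {   # $1 = variable name, $2 = file
    sed -n "s/^$1=\([^;]*\);.*/\1/p" "$2" | head -n 1
}

# Succeeds only if the pid is numeric, the process still exists and the
# socket path is a real socket. Stale cache entries fail here.
agent_alive() { # $1 = socket path, $2 = pid
    [ -n "$1" ] && [ -n "$2" ] || return 1
    case $2 in *[!0-9]*) return 1 ;; esac
    [ -S "$1" ] && kill -0 "$2" 2>/dev/null
}

reuse_or_start_agent() {
    if [ -f "$AGENT_ENV" ]; then
        sock=$(agent_var SSH_AUTH_SOCK "$AGENT_ENV")
        pid=$(agent_var SSH_AGENT_PID "$AGENT_ENV")
        if agent_alive "$sock" "$pid"; then
            SSH_AUTH_SOCK=$sock
            SSH_AGENT_PID=$pid
            export SSH_AUTH_SOCK SSH_AGENT_PID
            return 0
        fi
    fi
    # No usable agent: start one and cache its output, readable only by us.
    ( umask 077; ssh-agent -s > "$AGENT_ENV" ) || return 1
    SSH_AUTH_SOCK=$(agent_var SSH_AUTH_SOCK "$AGENT_ENV")
    SSH_AGENT_PID=$(agent_var SSH_AGENT_PID "$AGENT_ENV")
    export SSH_AUTH_SOCK SSH_AGENT_PID
    echo "New agent started; run ssh-add to load your key."
}
```

Call reuse_or_start_agent from ~/.profile or ~/.bashrc after defining these functions; ssh-add is then needed only when a new agent had to be started.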