Ssh-agent

From LQWiki

ssh-agent acts as a key repository for ssh: it holds your decrypted private keys in memory so that ssh can use these keys for authentication without asking for the passphrase every time.

Note that using ssh-agent is only safe on systems where root is trusted: root can connect to the agent's socket and use every key loaded into it. This applies to authentication (agent) forwarding as well; root on any host you forward the agent to can do the same.

To use it, you first have to use ssh-keygen to generate at least one keypair. Remember to use a passphrase: a key without one is only as well protected as the file it is stored in, and anyone who copies that file can log in as you. A very short example of how to do this (the session below uses -t dsa; current OpenSSH releases no longer accept DSA keys by default, so use -t ed25519 or -t rsa today, which gives id_ed25519 or id_rsa instead of id_dsa in the file names):

$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/esben/.ssh/id_dsa):(press return)
Enter passphrase (empty for no passphrase):(enter passphrase)
Enter same passphrase again:(repeat passphrase)
Your identification has been saved in /home/esben/.ssh/id_dsa.
Your public key has been saved in /home/esben/.ssh/id_dsa.pub.
The key fingerprint is:
50:14:dc:aa:da:de:aa:d3:d7:84:ab:cc:e6:43:b0:42 esxxn@skxxxxxn.dk

Next you must append the newly generated public key to ~/.ssh/authorized_keys2 of the user you log in as on the remote host (authorized_keys2 is a legacy name; sshd still reads it by default alongside the usual ~/.ssh/authorized_keys). sshd ignores the file unless ~/.ssh and the file itself are owned by you and not group- or world-writable (the StrictModes check). E.g.

$ cd
$ scp .ssh/id_dsa.pub remote_user@remote_host:
$ ssh remote_user@remote_host
$ cat id_dsa.pub >> .ssh/authorized_keys2
$ rm id_dsa.pub
$ exit
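The remote-side steps above (append the key, and have the directory and file in a state sshd accepts) as a small POSIX sh example. This is added here and is not from the LQWiki page; it assumes a Linux system with a POSIX sh, and the paths are passed as arguments so the functions can be tried against a temporary directory before touching a real ~/.ssh. The check function only covers what StrictModes tests on ~/.ssh and the file itself, not the home directory or ownership.

```shell
#!/bin/sh
# Added example, not from the LQWiki page. Installs an OpenSSH public key
# into an authorized_keys file exactly once and with the permissions sshd's
# StrictModes requires (directory 0700, file 0600).

# writable_by_others PATH: status 0 if group or world can write PATH.
# That is the condition that makes sshd (StrictModes yes) ignore the file.
# Positions 6 and 9 of `ls -ld` output are the group and other write bits.
writable_by_others() {
    [ "$(ls -ld "$1" | cut -c6,9)" != "--" ]
}

# check_authorized_keys AUTHORIZED_KEYS: prints "ok", or the first problem
# found, and returns non-zero on a problem.
check_authorized_keys() {
    ak=$1; dir=$(dirname "$ak")
    for p in "$dir" "$ak"; do
        [ -e "$p" ] || { echo "missing: $p"; return 1; }
        if writable_by_others "$p"; then
            echo "group/world writable: $p"; return 1
        fi
    done
    echo ok
}

# install_pubkey PUBKEY_FILE AUTHORIZED_KEYS
# Appends the key unless it is already present; returns 1 if PUBKEY_FILE is
# not a single OpenSSH public-key line ("<type> <base64> [comment]").
install_pubkey() {
    pub=$1; ak=$2; dir=$(dirname "$ak")
    key=$(head -n 1 "$pub")
    [ -z "$(sed -n '2,$p' "$pub")" ] || return 1      # more than one line
    case $key in
        ssh-*" "*|ecdsa-sha2-*" "*|sk-*" "*) ;;        # known key types
        *) return 1 ;;
    esac
    # Create directory and file owner-only; umask only changes in the subshell.
    (umask 077; mkdir -p "$dir" && touch "$ak") || return 1
    chmod 700 "$dir" && chmod 600 "$ak" || return 1
    # Exact whole-line match so the same key is never appended twice.
    grep -qxF -- "$key" "$ak" || printf '%s\n' "$key" >> "$ak"
}

# Usage on the remote host, after scp'ing the key as the page shows:
#   install_pubkey ~/id_ed25519.pub ~/.ssh/authorized_keys
#   check_authorized_keys ~/.ssh/authorized_keys
```

OpenSSH also ships ssh-copy-id, which performs these remote-side steps for you; the functions above are useful when you want to see, or audit, exactly what ends up on the remote host.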

You should now be able to log in to remote_user@remote_host using the passphrase you just entered above instead of your password. Try it:

$ ssh remote_user@remote_host
(enter passphrase)

Now you can use ssh-agent. Just running ssh-agent will cause it to spew out some shell commands (setting SSH_AUTH_SOCK and SSH_AGENT_PID) meant to be executed by your shell; until they are, your shell cannot find the agent it started. To actually make it do anything, you need to use something like

$ eval `ssh-agent`

Note the backticks ($(ssh-agent -s) is the equivalent in POSIX notation). You can now load your key into ssh-agent's repository:

$ ssh-add
(enter passphrase)

You should now be able to ssh to the remote server without entering a password.

It is entirely possible to set up a login script that uses ssh-agent directly. However, it is simpler to use keychain [1]. With keychain installed, all you need to do is add something like this to your ~/.profile or ~/.bashrc:

keychain -q --nolock
source ~/.keychain/`uname -n`-sh >/dev/null
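What keychain automates, and what the eval `ssh-agent` line above does by hand, is shown here as a login-script fragment in POSIX sh. It is an added example, not from the LQWiki page or from the keychain project. It assumes OpenSSH's ssh-agent and ssh-add are installed and uses ~/.ssh/agent.env (a name chosen for this example) to remember one agent per host across logins, so each new terminal reuses the running agent instead of starting another one. The state file is never handed to eval as-is: only the two expected assignments are extracted from it, so a tampered or corrupted file cannot run anything else.

```shell
#!/bin/sh
# Added example, not from the LQWiki page or from keychain.
# Source from ~/.profile: . ~/bin/agent.sh && ensure_agent

AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"   # assumed file name

# agent_state: classify the agent behind SSH_AUTH_SOCK from ssh-add's exit
# status: 0 = keys loaded, 1 = agent reachable but empty, anything else =
# no usable agent (2 = cannot connect, 127 = ssh-add not installed).
agent_state() {
    if ssh-add -l >/dev/null 2>&1; then rc=0; else rc=$?; fi
    case $rc in
        0) echo keys ;;
        1) echo empty ;;
        *) echo none ;;
    esac
}

# agent_env_filter: read `ssh-agent -s` output (or the saved state file) on
# stdin and print only "SSH_AUTH_SOCK=/abs/path; export SSH_AUTH_SOCK" and
# "SSH_AGENT_PID=<digits>; export SSH_AGENT_PID". Every other line, and
# anything after the first ';' on a matching line, is dropped.
agent_env_filter() {
    sed -n \
        -e 's|^\(SSH_AUTH_SOCK\)=\(/[^;[:space:]]*\);.*|\1=\2; export \1|p' \
        -e 's|^\(SSH_AGENT_PID\)=\([0-9][0-9]*\);.*|\1=\2; export \1|p'
}

# ensure_agent: reuse an inherited agent, then a saved one, else start one.
# Returns 0 when SSH_AUTH_SOCK points at a reachable agent afterwards.
ensure_agent() {
    # 1. An agent already in the environment (inherited or forwarded)?
    [ "$(agent_state)" != none ] && return 0
    # 2. The agent recorded by an earlier login on this host?
    if [ -r "$AGENT_ENV" ]; then
        eval "$(agent_env_filter < "$AGENT_ENV")"
        [ "$(agent_state)" != none ] && return 0
    fi
    # 3. Start a fresh agent; record only the filtered lines, owner-readable.
    (umask 077; ssh-agent -s | agent_env_filter > "$AGENT_ENV") || return 1
    eval "$(cat "$AGENT_ENV")"
    [ "$(agent_state)" != none ]
}

# Typical use at the end of ~/.profile: start or reuse the agent, and prompt
# for the passphrase only when the agent is empty.
#   ensure_agent && [ "$(agent_state)" = empty ] && ssh-add
```

After this, the page's "once per reboot" holds for your own scripts too: the first login after boot starts an agent and asks for the passphrase via ssh-add, later logins find the saved socket and just reuse it. The same root caveat applies: the socket and the state file are readable by root, so this is no safer than the machine it runs on.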

With this setup you will only need to use ssh-add once per reboot. You can then ssh password-less to any host where you have installed your id, in a safe and secure manner, within the limit noted above: anyone with root on the machine running the agent can use its keys.

External Links