Set up ssh-agent: Difference between revisions
m (Clarified reason for having an ssh-agent.) |
m (Bug fix, thanks to mamin@.) |
Line 4: | Line 4: | ||
== Creating a cryptographic key pair == | == Creating a cryptographic key pair == | ||
The first step is to generate a pair of cryptographic keys. This step can be skipped if a key pair already exists. | The first step is to generate a pair of cryptographic keys. This step can be skipped if a key pair already exists. <!-- XXX The default key path ~/.ssh/id_rsa is fine XXX Password should be complex, because it's not typed very often --> | ||
$ ssh-keygen | $ ssh-keygen | ||
Generating public/private rsa key pair. | Generating public/private rsa key pair. | ||
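Review bot: the guidance added at the end of this hunk (the default key path ~/.ssh/id_rsa is fine; choose a complex passphrase because with an agent it is rarely typed) sits inside an HTML comment marked XXX, so it never renders for readers; either promote it to visible text next to the ssh-keygen prompts, where the passphrase is actually chosen, or drop it rather than ship a hidden TODO.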
Line 15: | Line 15: | ||
<i>ba:f2:7a:78:aa:b0:33:1d:53:de:63:01:62:15:d6:c9 user@host</i> | <i>ba:f2:7a:78:aa:b0:33:1d:53:de:63:01:62:15:d6:c9 user@host</i> | ||
Then, start the ssh-agent, and add the newly generated identity. | Then, start the ssh-agent, and add the newly generated identity. | ||
$ ssh-agent | $ eval `ssh-agent` | ||
$ ssh-add | $ ssh-add | ||
Enter passphrase for .ssh/id_rsa: <b><i>yourverysecretpasswordhere</i></b> | Enter passphrase for .ssh/id_rsa: <b><i>yourverysecretpasswordhere</i></b> | ||
Identity added: .ssh/id_rsa (.ssh/id_rsa) | Identity added: .ssh/id_rsa (.ssh/id_rsa) | ||
== Distribute the public key to the remote system == | == Distribute the public key to the remote system == |
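Review bot: replacing `$ ssh-agent` with `$ eval \`ssh-agent\`` is the correct fix: a bare ssh-agent only prints the SSH_AUTH_SOCK and SSH_AGENT_PID assignments, so the ssh-add that follows cannot find the agent, and eval applies them to the current shell. Worth a sentence that ssh-agent picks Bourne or csh syntax from $SHELL, so someone typing this into a shell that differs from their login shell should force it with `ssh-agent -s` or `ssh-agent -c`.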
Revision as of 23:59, 3 February 2014
Checking out or updating the PHENIX sources will establish many ssh(1) connections to cci.lbl.gov. While not necessary for a successful installation, having an ssh-agent(1) running on the machine used to access cci.lbl.gov will save much error-prone password-typing.
Creating a cryptographic key pair
The first step is to generate a pair of cryptographic keys. This step can be skipped if a key pair already exists.
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase): yourverysecretpasswordhere
Enter same passphrase again: yourverysecretpasswordhere
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
ba:f2:7a:78:aa:b0:33:1d:53:de:63:01:62:15:d6:c9 user@host
Then, start the ssh-agent, and add the newly generated identity.
$ eval `ssh-agent`
$ ssh-add
Enter passphrase for .ssh/id_rsa: yourverysecretpasswordhere
Identity added: .ssh/id_rsa (.ssh/id_rsa)
Distribute the public key to the remote system
The remote system has to be aware of the key pair to grant access. This means that the public component of the key pair has to be present in ~/.ssh/authorized_keys on the remote system.
$ cat ~/.ssh/id_rsa.pub | ssh remote.system "cat - >> ~/.ssh/authorized_keys"
This will append the public key of the recently created key pair to ~/.ssh/authorized_keys on the remote system. Note that it is the public key (the .pub file) that is copied, never the private key, and that the command assumes ~/.ssh already exists on the remote system. sshd also ignores the file unless ~/.ssh and authorized_keys are writable only by their owner (mode 700 and 600 respectively), so check the permissions if the next login still asks for a password.
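An added example, not part of the original page, of the remote side of this step written as a shell function that can be exercised locally or shipped to the remote host: it checks that the line really is an OpenSSH public key (a common slip is to cat the private key instead of the .pub file), creates ~/.ssh with the permissions sshd's StrictModes requires, and appends the key only if that exact line is not already present, so re-running it does not duplicate entries. The function name and its optional second argument are this example's own conventions.

```shell
#!/bin/sh
# install_pubkey KEYLINE [AUTHORIZED_KEYS]
#   Append one OpenSSH public-key line to an authorized_keys file
#   (default: ~/.ssh/authorized_keys), idempotently and with the
#   owner-only permissions that sshd's StrictModes expects.
#   Returns 0 on success (including "already present"), 1 on bad input.
install_pubkey() {
    key=$1
    akf=${2:-$HOME/.ssh/authorized_keys}
    dir=$(dirname "$akf")

    # Accept only "<keytype> <base64> [comment]"; this rejects an
    # accidentally pasted private key ("-----BEGIN ...") and empty input.
    if ! printf '%s\n' "$key" | grep -Eq \
        '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/]+=*( [^[:cntrl:]]*)?$'
    then
        echo "install_pubkey: not an OpenSSH public key line" >&2
        return 1
    fi

    # Directory 700, file 600: with StrictModes (the default) sshd
    # refuses to read the file if group or others can write to either.
    mkdir -p "$dir" || return 1
    chmod 700 "$dir"
    [ -e "$akf" ] || : > "$akf"
    chmod 600 "$akf"

    # Whole-line, fixed-string match. The same key with a different
    # comment counts as a new line; strip the comment first if you want
    # to deduplicate on key material alone.
    if grep -qxF -- "$key" "$akf"; then
        return 0
    fi
    printf '%s\n' "$key" >> "$akf"
}
```

To apply it from the local machine, send the function over the ssh connection instead of the bare cat, for instance `ssh remote.system "$(cat install_pubkey.sh); install_pubkey '$(cat ~/.ssh/id_rsa.pub)'"` (assuming the block above is saved locally as install_pubkey.sh). OpenSSH's own ssh-copy-id(1) does the same job and is the usual tool for this step.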
Using keychain
An ssh-agent started from the command line only affects ssh connections started from the same shell (and the processes it starts), because ssh clients locate the agent through the SSH_AUTH_SOCK environment variable that the eval above sets; separate ssh-agents would be required for each new login shell. Since ssh-agents are not terminated when the login shell is exited, this has the potential to clutter the system with "orphaned" ssh-agents. keychain is a shell script that was written to avoid this situation: it probes the system for any running ssh-agents, and attempts to use a present agent instead of starting a new process. At CCI and SLAC keychain is installed at ~hattne/gentoo/usr/bin/keychain (at NERSC it is at /global/project/projectdirs/lcls/gentoo/usr/bin/keychain).
It is recommended to run keychain from the shell configuration files for interactive, login shells. To do so, bash(1) users can add the following lines to ~/.bash_profile:
test -x /path/to/keychain && \
    eval `/path/to/keychain --agents ssh --eval id_rsa --inherit any-once --stop others`
csh(1) users would modify ~/.login instead.
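The core of what keychain does, as an added example in POSIX sh (this is not the page's or keychain's own code): an agent counts as usable when ssh-add -l can reach it (ssh-add exits 2 only when it cannot contact an agent; 0 and 1 mean reachable, with and without loaded identities). The function first checks the agent already in the environment (inherited from a parent process or forwarded with ssh -A), then one recorded in a cache file by an earlier login shell, and only then starts a new agent and records it, so repeated logins share one agent instead of leaving orphans behind. The cache-file location AGENT_ENV and the SSH_AGENT and SSH_ADD command overrides are this example's own conventions (keychain keeps its cache under ~/.keychain).

```shell
#!/bin/sh
# ensure_agent: make a usable ssh-agent available in the current shell,
# reusing an existing one where possible (keychain-style).
#   AGENT_ENV  file caching the agent's environment (default ~/.ssh/agent.env)
#   SSH_AGENT  ssh-agent command (overridable, e.g. for testing)
#   SSH_ADD    ssh-add command   (overridable, e.g. for testing)
# Prints which agent ended up in use: inherited, cached or started.

# agent_reachable CMD: true if ssh-add can talk to the agent that
# SSH_AUTH_SOCK currently points at. ssh-add -l exits 0 with identities
# loaded, 1 with none loaded, 2 if no agent is reachable; only 2 is "unusable".
agent_reachable() {
    "$1" -l >/dev/null 2>&1
    [ $? -ne 2 ]
}

ensure_agent() {
    env_file=${AGENT_ENV:-$HOME/.ssh/agent.env}
    agent_cmd=${SSH_AGENT:-ssh-agent}
    add_cmd=${SSH_ADD:-ssh-add}

    # 1. An agent already in the environment (from the login shell's parent,
    #    or one forwarded with ssh -A) wins.
    if agent_reachable "$add_cmd"; then
        echo inherited
        return 0
    fi

    # 2. An agent started by an earlier shell and recorded in the cache file;
    #    the reachability check discards stale entries from dead agents.
    if [ -r "$env_file" ]; then
        . "$env_file" >/dev/null
        if agent_reachable "$add_cmd"; then
            echo cached
            return 0
        fi
    fi

    # 3. Start a fresh agent and record its environment for later shells.
    #    -s forces Bourne syntax so the file can be sourced with "." regardless
    #    of what $SHELL says; umask 077 keeps the socket path private.
    mkdir -p "$(dirname "$env_file")" || return 1
    ( umask 077; "$agent_cmd" -s > "$env_file" ) || return 1
    . "$env_file" >/dev/null
    if agent_reachable "$add_cmd"; then
        echo started
        return 0
    fi
    echo "ensure_agent: could not start ssh-agent" >&2
    return 1
}

# In a login-shell startup file this would be sourced and followed by
# "ssh-add", so the passphrase is asked once per new agent, not once per login.
```

Because the function exports SSH_AUTH_SOCK into the calling shell, it has to be sourced from the startup file rather than run as a separate script, which is also why keychain is invoked through eval in the snippet above.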
Using agent forwarding
It is not necessary to start an ssh-agent on every system logged in to. If an ssh-agent is running on the host used to access the remote system, its connection can be forwarded with ssh(1)'s -A option (or ForwardAgent yes in ssh_config) when logging in; ssh clients run on the remote system then authenticate through the local agent. Note that forwarding the agent connection has security implications: for as long as the session is open, anyone who can bypass file permissions on the remote host (root in particular) can reach the forwarded socket and authenticate with your loaded keys to any host that accepts them, although the private keys themselves cannot be extracted from the agent. Forward the agent only to hosts trusted to that degree, load keys with ssh-add -c if you want each use confirmed, and where the remote system only serves as a stepping stone to another host, prefer ssh -J, which needs no forwarding at all.