Simplifying SSH access using an agent

From BNL Physics Computing

It can be tiresome to type a passphrase to unlock your private key every time you connect. One common way to avoid this is to run an instance of the ssh-agent program, which holds the decrypted key in memory. After you provide the passphrase once, every SSH client you invoke asks the agent to perform the authentication for it; the private key itself never leaves the agent.

Setting up your account to use an ssh-agent


There are two main ways to do this, but both come down to:

  • Start ssh-agent
  • Give your keys to the agent (with ssh-add)

The difference lies in where and when the agent is created.

A per-shell agent
In this method one agent is created for each shell (or xterm). This can be
useful for people working on a system console, but it can leave many abandoned ssh-agent processes behind and requires you to enter the passphrase once for each agent.

A per-xsession agent
In this method a single agent is started when your X session starts.
Since all subsequent programs are spawned from this session, they inherit the agent. The agent can then be killed when the X session ends. This is the preferred method.

Per-shell agent

To get an ssh-agent running in your interactive sessions, put the following in the setup file for your login shell:

For tcsh this goes in $HOME/.login:

  if ( ! $?SSH_AUTH_SOCK ) then
     eval `ssh-agent -c`
     ssh-add
  endif

For bash this goes in $HOME/.bash_profile (or similar):

  if [ -z "$SSH_AUTH_SOCK" ] ; then
     eval `ssh-agent -s`
     ssh-add
  fi

Note:

  • Backticks (`), not forward quotes ('), enclose the invocation of ssh-agent; the eval then runs the export commands that ssh-agent prints, which is what puts SSH_AUTH_SOCK and SSH_AGENT_PID into your environment.
  • -c is needed for tcsh (csh-style output) and -s for bash (sh-style output).
  • The test on SSH_AUTH_SOCK means a shell that already inherited an agent (for example from an X session) does not start a second one.

That starts the ssh-agent. To avoid leaving many abandoned agents behind when you log out, add the following to ~/.logout for tcsh or to ~/.bash_logout for bash. It kills the agent whose process id is in $SSH_AGENT_PID, so it only affects the agent that this shell started:

 ssh-agent -k
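The two setup files above start a fresh agent in every login shell that did not inherit one, which is exactly how agents get abandoned. The following is an added example, not code from the BNL page: a small sh library that records the agent's environment in a file so later shells find and reuse the running agent, and that kills it cleanly at logout. The file path ~/.ssh/agent.env and the function names are assumptions of this example; ssh-agent, ssh-add and ssh-keygen are the standard OpenSSH tools.

```shell
#!/bin/sh
# Added example (not from the BNL page): keep ONE ssh-agent per user alive
# across login shells by saving its environment in a file that later shells
# source, instead of starting (and later abandoning) an agent per login.
# $AGENT_ENV and the function names are assumptions of this example.
# From ~/.bash_profile:   . ~/.ssh/agent.sh; agent_ensure
# From ~/.bash_logout:    . ~/.ssh/agent.sh; agent_stop

AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# Succeed if the agent named by $SSH_AUTH_SOCK answers.  ssh-add -l exits
# 0 (keys loaded), 1 (agent reachable, no keys) or 2 (cannot reach the agent).
agent_alive() {
    [ -n "$SSH_AUTH_SOCK" ] || return 1
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -ne 2 ]
}

# Start a new agent and save its export lines (mode 0600) for other shells.
# The trailing 'echo Agent pid ...' line is dropped so sourcing stays silent.
agent_start() {
    mkdir -p "$(dirname "$AGENT_ENV")"
    ( umask 077; ssh-agent -s | grep -v '^echo' > "$AGENT_ENV" )
    . "$AGENT_ENV"
}

# Reuse the recorded agent if it is still running, otherwise start a new one.
agent_ensure() {
    if [ -r "$AGENT_ENV" ]; then
        . "$AGENT_ENV"
    fi
    if ! agent_alive; then
        agent_start
    fi
}

# Number of identities loaded: fingerprint lines begin with the key size,
# the "The agent has no identities." message does not.
agent_key_count() {
    ssh-add -l 2>/dev/null | grep -c '^[0-9][0-9]* ' || true
}

# Kill the recorded agent (ssh-agent -k uses $SSH_AGENT_PID) and forget it.
agent_stop() {
    if [ -n "$SSH_AGENT_PID" ]; then
        eval "$(ssh-agent -k)" >/dev/null
    fi
    rm -f "$AGENT_ENV"
    unset SSH_AUTH_SOCK SSH_AGENT_PID
}

# Walk-through with a throwaway key (constructed for this demo, not a real
# credential).  Run as:   sh agent.sh demo
demo() {
    work=$(mktemp -d)
    AGENT_ENV="$work/agent.env"
    ssh-keygen -q -t ed25519 -N '' -f "$work/id_demo" -C "demo key"
    agent_ensure                        # first shell: starts an agent
    first_pid=$SSH_AGENT_PID
    ssh-add "$work/id_demo" 2>/dev/null # a passphrase would be asked here
    unset SSH_AUTH_SOCK SSH_AGENT_PID   # second shell: inherits nothing...
    agent_ensure                        # ...yet finds the same agent again
    if [ "$SSH_AGENT_PID" = "$first_pid" ]; then
        echo "agent $first_pid reused, keys loaded: $(agent_key_count)"
    fi
    agent_stop                          # what ~/.bash_logout would do
    rm -rf "$work"
}

case "${1:-}" in demo) demo ;; esac
```

The agent's environment file is created with mode 0600 under ~/.ssh for the same reason the socket itself is protected: anyone who can read the socket path and has your uid can use the agent. Sourcing the saved file rather than re-evaluating fresh ssh-agent output is what makes the second and later shells reuse the agent instead of creating one each.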

Per-xsession agent

To start and stop the ssh-agent with your X session, add the following to your ~/.xsession (note: some of the more modern GNU/Linux distributions, such as Debian, take care of the following for you):

 #!/bin/sh
 
 # Start the SSH agent which can hold your keys in memory
 eval `ssh-agent -s`
 
 
 # Call ssh-add to add some keys.  Redirecting stdin from /dev/null means
 # ssh-add has no terminal to prompt on, which makes it use the graphical
 # passphrase prompt (ssh-askpass) when DISPLAY is set.  See the man page
 # for ssh-add for more details.  Instead of putting this here, you can
 # add it to your Desktop (eg, GNOME/KDE) session startup area or just
 # invoke it once by hand after the session starts.
 
 ssh-add < /dev/null
 
 
 # Here add any other X initialization, like starting some X clients
 # or window manager or desktop.  The below is an example for GNOME.
 
 gnome-session
 
 
 # when reaching here, the desktop/windowmanager has shutdown, so kill
 # off the agent.  Doing the "eval" clears out the environment
 # variables created when the agent was first started.
 
 eval `ssh-agent -k`


Forwarding your agent

This is enough to let the first login, to the gateway, proceed without typing your passphrase. SSH also has a mechanism to forward your agent over that connection, so that SSH clients you run on the gateway use the agent on your workstation. With this activated you never need to type a passphrase again to connect to any internal SSH server. One caveat: while a forwarded connection is up, anyone with root (or your user id) on the remote host can use the forwarded agent to authenticate with your keys, so enable forwarding only towards hosts you trust, not globally.

There are several ways to forward your agent:

Command line forwarding
You can forward your agent by merely adding -A to the invocation of the SSH client. This enables forwarding for that one connection only.
Local config
You can turn this on on a per-host or per-domain basis by adding entries to ~/.ssh/config on every system where you want to invoke the SSH client. The entries are like:
 Host *.phy.bnl.gov
 ForwardAgent yes
System config
The system administrator can place similar lines in /etc/ssh/ssh_config (the client configuration file; sshd_config configures the server and has no say in forwarding from this side).
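Because a global ForwardAgent setting is the easy mistake here, the following is an added example, not code from the BNL page, of a client config that forwards the agent only to the *.phy.bnl.gov domain named above and leaves it off for every other host, together with a check that uses ssh -G (which prints the options ssh would use for a given host name without connecting). The host names passed to the check are made-up examples; the config path is a temporary file so the check does not touch your real ~/.ssh/config.

```shell
#!/bin/sh
# Added example (not from the BNL page): per-domain agent forwarding and a
# check of the effective setting with 'ssh -G'.  Host names used in the demo
# are assumed examples; $CONFIG is a scratch file, not ~/.ssh/config.

CONFIG="${CONFIG:-$(mktemp)}"

# Write the config: forwarding on for the gateway domain, off everywhere else.
# ssh uses the first matching Host block for each option, so the specific
# pattern must come before the catch-all.
write_config() {
    cat > "$CONFIG" <<'EOF'
Host *.phy.bnl.gov
    ForwardAgent yes

Host *
    ForwardAgent no
EOF
}

# Print the ForwardAgent value ("yes" or "no") ssh would apply to host $1.
# -F limits ssh to our file, so the result does not depend on /etc/ssh/ssh_config.
forward_agent_for() {
    ssh -G -F "$CONFIG" "$1" | awk '$1 == "forwardagent" { print $2 }'
}

# Demo: run as   sh forward.sh demo
if [ "${1:-}" = demo ]; then
    write_config
    for h in gateway.phy.bnl.gov www.example.org; do
        echo "$h: ForwardAgent $(forward_agent_for "$h")"
    done
    rm -f "$CONFIG"
fi
```

Running the check against your own config (ssh -G somehost | grep forwardagent) is a quick way to confirm that a catch-all Host * block, or a site-wide /etc/ssh/ssh_config, has not switched forwarding on for hosts you never intended.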