Step 4.5 How to use OpenSSH Passphrase Agents
Problem: Using public key authentication makes logging in to a server with SSH more secure, but less convenient due to having to type in a longer and more complex passphrase.
Action 4 5 1 Use ssh agent and ssh add to store your private keys in memory
To make public key authentication more convenient to use, the OpenSSH developers created the ssh-agent and ssh-add programs. These programs are designed to keep your private keys decrypted in memory for your current session. With ssh-agent, you will not need to type a passphrase when connecting to a remote system, since the private key resides in memory.
While this makes using public key authentication more convenient, it should be noted that it does pose a small security risk as your private key is sitting in memory decrypted. If a rogue program were able to read that portion of memory, it would be able to use the private key and log in to the remote server using your credentials.
ssh-agent can be run in one of two ways. The first way is to enter eval ˜ssh-agent at the command line, which runs ssh-agent in the background and sets two environment variables for its use, SSH_AUTH_SOCK and SSH_AGENT_PID.
[sshuser@server.example.com]$ eval 'ssh-agent' Agent pid 19401 [sshuser@server.example.com]$ echo $SSH_AGENT_PID 19401 [sshuser@server.example.com]$ echo $SSH_AUTH_SOCK /tmp/ssh-XXZCgt5e/agent.19401 [sshuser@server.example.com]$
The second way to run ssh-agent is to supply a program name - typically a shell “ as a command line option. When you run ssh-agent this way, that program will be run with SSH_AUTH_SOCK and SSH_AGENT_PID already set.
[sshuser@server.example.com]$ ssh-agent /bin/bash [sshuser@server.example.com]$ echo $SSH_AGENT_PID 1272 [sshuser@server.example.com]$ echo $SSH_AUTH_SOCK /tmp/ssh-XXZCgt5e/agent.1271 [sshuser@server.example.com]$
- Once ssh-agent has started up successfully, you need to add the private keys into memory. This is done using the ssh-add program as follows :
[sshuser@server.example.com]$ ssh-add Enter passphrase for /home/sshuser/.ssh/id_rsa: Identity added: /home/sshuser/.ssh/id_rsa (/home/sshuser/.ssh/id_rsa) [sshuser@server.example.com]$
When given no arguments, the ssh-add program looks for the files .ssh/id_rsa , .ssh/id_dsa and .ssh/identity in the home directory of the user and adds the private keys in these files into memory.
Alternatively, ssh-add accepts a filename as an argument. The filename specified is expected to contain the private-keys which ssh-add will load into memory.
If a private key requires a passphrase to decrypt it, ssh-add will prompt the user for the passphrase. If the passphrase is entered correctly, the private key will be stored in memory.
Action 4 5 2 Verify the private keys are in memory
Once the private keys have been loaded into memory, it may be helpful to verify that they are really there. This can be done using the “l option. This option will display all private keys that are currently in memory:
[sshuser@server.example.com]$ ssh-add -l 1024 5b:62:e3:14:80:72:e0:58:03:36:29:52:29:90:a9:04 /home/sshuser/.ssh/id_rsa (RSA) [sshuser@server.example.com]$
Action 4 5 3 Using ssh agent to automatically log in to a remote machine
Now that the private keys are loaded into memory, subsequent SSH authentications will be handled automatically by ssh-agent, assuming the correct keys have been loaded. ssh-agent will perform the authentication proxy for any OpenSSH program, including scp and sftp.
In the following example, sshuser is attempting to create an SSH session to remote host server.example.com from client.example.com . Public key authentication is used and normally sshuser would have to enter the passphrase associated with the private key to authenticate, but since ssh-agent has the private key decrypted and loaded into memory, sshuser is not prompted for authentication:
[sshuser@client.example.com]$ ssh server.example.com [sshuser@server.example.com]$
Action 4 5 4 Removing private keys from memory
The ssh-add program can accept the “d or “D options to remove private keys from memory. The “D option will cause ALL private keys currently in memory to be removed. The “d option has the same effect if no arguments are supplied to it. However, if a filename associated with a private key in memory is provided with the -d option, only that private key will be removed from memory.
Action 4 5 5 Shutting down ssh agent
SSH-agent can be shut down via a number of ways, depending on how it was started up.
If ssh-agent was started using eval ˜ssh-agent , it should be shut down using eval with the “k option as shown below:
[sshuser@server.example.com]$ eval
Категории