
Using ssh-agent with ssh
by Mark A. Hershberger (weblog)

Source: http://mah.everybody.org/docs/ssh (printed 30/03/15 20:22)

Over ten years ago (that would be back in 2002 as of this writing), I went searching for a good, general page that would explain how to do passwordless logins using ssh-agent and didn't find much at the time (now there is much more out there). So I wrote this page.

Goals

Get a secure, encrypted connection from your machine (local) to a remote machine (remote) without typing in a password.

Executive Summary

1. Create a key pair on the local machine.
2. Put the public key on any remote machines.
3. Run ssh-agent to cache login credentials for the session. ssh-agent requires the user to "unlock" the private key first.

Related Pages on this site

1. Alternate agent startup scripts -- Working with KDE, Cygwin, or a csh-derived shell? Some scripts to help.
2. Troubleshooting -- Can't connect? Here are some ideas to help you troubleshoot the problem.
3. Automatic ssh -- Daemons, long-lived processes and ssh.

Methods

Use OpenSSH to handle the authentication.

For Windows users, the methods I describe here will work with the OpenSSH that is part of the CygWin toolset.

Anyway, here is how to set up a pair of keys for passwordless authentication via ssh-agent.

1. Generate the keys. Do this on the host that you want to connect from — your local computer. Do not do this over the internet: generate the key where it will live, so the private half never has to travel across the network.

Note: Older versions of OpenSSH (1.2.xx) and, perhaps, commercial SSH may require that you use RSA keys. In this case substitute "RSA" for "DSA" after "-t" and "identity" for "id_dsa". Continue to substitute "RSA" where you see "DSA" throughout. Everything else should be the same.

Also Note: The opposite problem arises on current systems. OpenSSH 7.0 (2015) disabled DSA (ssh-dss) keys by default and later releases removed DSA support altogether, so on a modern client or server generate an Ed25519 key instead (-t ed25519) and substitute "id_ed25519" for "id_dsa" throughout.

Also Note: On Windows machines, the command prompt doesn't understand the ~ which on Unix machines means "the home directory". Instead use %HOME% wherever you see the tilde.

you@local$ ssh-keygen -t dsa -f ~/.ssh/id_dsa -C "[email protected]"
Generating DSA keys: Key generation complete.
Enter passphrase (empty for no passphrase): USE-A-PASSPHRASE
Enter same passphrase again: USE-A-PASSPHRASE
Your identification has been saved in ~/.ssh/id_dsa


Your public key is:
1024 35 [really long string] [email protected]
Your public key has been saved in ~/.ssh/id_dsa.pub
you@local$

2. To use the key on other hosts you will be connecting from, copy the ~/.ssh/id_dsa key to the other hosts:

you@local$ scp ~/.ssh/id_dsa you@another-box:.ssh/

However, it is probably better just to generate new keys for those hosts: every machine holding a copy of the private key is a machine it can be stolen from, and a per-host key can be revoked on its own by deleting one line from authorized_keys.

3. Make sure the public key is in the ~/.ssh/authorized_keys file on the hosts you wish to connect to. You can use a password authenticated connection to do this:

you@local$ cat ~/.ssh/id_dsa.pub | ssh you@remote 'cat - >> ~/.ssh/authorized_keys'
you@remote's password:
you@local$

Note: If an older version of ssh is running on the remote host, you may have to use the ~/.ssh/authorized_keys2 file.

Note: If your local machine is Windows, try

C:\> type %HOME%/.ssh/id_dsa.pub | ssh you@other-host "cat - >> ~/.ssh/authorized_keys"
you@other-host's password:
C:\>

Also note: If the remote server is Windows, you will probably want to use type instead of cat for the second half of your command.

4. Verify that DSA authentication works:

you@local$ ssh you@remote
Enter passphrase for DSA key '[email protected]': ^D
$

If you don't get the prompt for your DSA key, then something has gone wrong. (One thing to check: verify that sshd_config on the server has been configured to do DSA authentication. Look for DSAAuthentication yes, or get your system administrator to add it if necessary. In current OpenSSH the option is PubkeyAuthentication yes, which covers every key type and is on by default; if the prompt still does not appear, run ssh -v to see which keys the client offers and what the server answers.)
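The append in step 3 works but it is blunt: run it twice and you have the key twice, and it does nothing about the permissions sshd checks before it will accept the file. The following is an added example, not code from the original page (current OpenSSH ships ssh-copy-id, which does the same job); it shows what installing the public key on the remote host has to get right. The key line in PUBKEY is constructed for illustration, and the optional home-directory argument is there only so the function can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original page): install a public key on the
# remote host so that re-running it is harmless and the result passes
# sshd's StrictModes checks.  PUBKEY is a constructed placeholder; replace
# it with the one line from your own ~/.ssh/id_ed25519.pub (or id_dsa.pub).
PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotARealKey you@local'

# install_pubkey KEYLINE [HOMEDIR]
#   Appends KEYLINE to HOMEDIR/.ssh/authorized_keys unless that exact line
#   is already there (the page's `cat - >>` adds a duplicate every time it
#   is run), and leaves the directory 0700 and the file 0600.  HOMEDIR
#   defaults to $HOME; the argument exists so the function can be tested
#   against a scratch directory.
install_pubkey() {
    key=$1
    dir="${2:-$HOME}/.ssh"
    file="$dir/authorized_keys"
    # create with a private umask in a subshell so the caller's umask is untouched
    (umask 077; mkdir -p "$dir"; touch "$file")
    chmod 700 "$dir"
    chmod 600 "$file"
    # -x: whole-line match, -F: no regex interpretation of the key material
    if ! grep -qxF -- "$key" "$file"; then
        printf '%s\n' "$key" >> "$file"
    fi
}

# count_key KEYLINE [HOMEDIR]: how many times KEYLINE appears (prints 0 or more)
count_key() {
    grep -cxF -- "$1" "${2:-$HOME}/.ssh/authorized_keys" || true
}

# Run on the remote host from the local machine with:
#   ssh you@remote INSTALL_KEY=yes sh -s < install_key.sh
# Without INSTALL_KEY=yes the script only defines the functions.
if [ "${INSTALL_KEY:-no}" = yes ]; then
    install_pubkey "$PUBKEY"
fi
```

To generate the key it installs on a current OpenSSH, use ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -C "comment" in place of the -t dsa command above; the rest of the page applies unchanged with id_ed25519 substituted for id_dsa.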

Now that that works, you will want the passwordless part, right?

1. Start up ssh-agent. You can have it create a subprocess which inherits the SSH_AUTH_SOCK environment variable, or you can run it as a daemon.

Since I run gdm on Debian, ssh-agent is started automatically when I log in. If you don't have this benefit, you can get it by putting the following line at the end of your .xsession file (You can substitute your window manager for gnome-session if that is what you use):

ssh-agent gnome-session

Which basically means that ssh-agent starts up, creates a socket, sets up a couple of environment variables and then starts up gnome-session. That way all of the programs run in Gnome have access to the agent.

The above solution is the best one if you are logging in via GDM or another graphical login manager under *nix. However, if you login at the console, or want to use ssh-agent under Cygwin, you'll have to use one of the following solutions.


If you want to, say, put it in your .profile, then you might try the following setup. Kyle Amon has provided the following bit for a .bash_profile:

#
# setup ssh-agent
#

# set environment variables if user's agent already exists
# (ls -l column 9 is the socket path; the number after "agent." is the pid
# ssh-agent had before it forked into the background, not the daemon's own
# pid, so SSH_AGENT_PID derived from it is only an approximation)
SSH_AUTH_SOCK=$(ls -l /tmp/ssh-*/agent.* 2> /dev/null | grep "$(whoami)" | awk '{print $9}' | head -n 1)
SSH_AGENT_PID=$(echo "$SSH_AUTH_SOCK" | cut -d. -f2)
[ -n "$SSH_AUTH_SOCK" ] && export SSH_AUTH_SOCK
[ -n "$SSH_AGENT_PID" ] && export SSH_AGENT_PID

# start agent if necessary
if [ -z "$SSH_AGENT_PID" ] && [ -z "$SSH_TTY" ]; then   # if no agent & not in ssh
    eval `ssh-agent -s` > /dev/null
fi

# setup addition of keys when needed
if [ -z "$SSH_TTY" ] ; then                 # if not using ssh
    ssh-add -l > /dev/null                  # check for keys
    if [ $? -ne 0 ] ; then
        # the first ssh of the session loads the key, then drops the alias
        alias ssh='ssh-add -l > /dev/null || ssh-add && unalias ssh ; ssh'
        if [ -f "/usr/lib/ssh/x11-ssh-askpass" ] ; then
            SSH_ASKPASS="/usr/lib/ssh/x11-ssh-askpass" ; export SSH_ASKPASS
        fi
    fi
fi

(If you use csh or tcsh, see this note for the equivalent piece of code for your .login shell.)

This brings SSH_AUTH_SOCK and SSH_AGENT_PID as environment variables into the current shell.

The trap should kill off any remaining ssh-agent process. If it doesn't, you won't want the ssh-agent daemons sitting around, so you might want the following in your .logout:

kill $SSH_AGENT_PID

An alternative, provided by John Buttery, is

# ${SSH_AGENT_PID+1} expands to 1 only when the variable is set
if [ "${SSH_AGENT_PID+1}" = 1 ]; then
    ssh-add -D                      # forget all loaded identities first
    ssh-agent -k > /dev/null 2>&1   # then tell the agent named by SSH_AGENT_PID to exit
    unset SSH_AGENT_PID
    unset SSH_AUTH_SOCK
fi

Finally, this solution from Joseph M. Reagle by way of Daniel Starin:

SSH_ENV="$HOME/.ssh/environment"

function start_agent {
    echo "Initialising new SSH agent..."
    # comment out the trailing "echo Agent pid N;" so sourcing the file is silent
    /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}"
    echo succeeded
    chmod 600 "${SSH_ENV}"
    . "${SSH_ENV}" > /dev/null
    /usr/bin/ssh-add;
}

# Source SSH settings, if applicable

if [ -f "${SSH_ENV}" ]; then
    . "${SSH_ENV}" > /dev/null
    # ps ${SSH_AGENT_PID} doesn't work under cygwin
    ps -ef | grep ${SSH_AGENT_PID} | grep ssh-agent$ > /dev/null || {
        start_agent;
    }
else
    start_agent;
fi

This last version is especially nice since it will see if you've already started ssh-agent and, if it can't find it, will start it up and store the settings so that they'll be usable the next time you start up a shell.

(Update 25 Sep 2007: Adam Piper pointed out that quoting anything that uses $HOME is necessaryon Cygwin.)

2. Finally, time to type a password. The last one of this session, maybe.

you@local$ ssh-add ~/.ssh/id_dsa
Need passphrase for /home/mah/.ssh/id_dsa ([email protected]).
Enter passphrase:
you@local$

3. Now, you should test it:

you@local$ ssh you@remote
Last login: Tue Apr 25 13:40:21 1492 from europe.com
Sun Microsystems Inc.   SunOS 5.7   Generic October 1998
No mail.
[you@remote]$

Jubilation! It worked! Go forth and conquer! (If it doesn't work, try chmod -R go-rw ~/.ssh on the server and try again: with StrictModes on, which is the default, sshd ignores authorized_keys when the file, ~/.ssh or your home directory is writable by group or others, logging "bad ownership or modes" on the server side while the client only sees a password prompt.)
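All three startup snippets above decide whether a saved agent is still alive by looking around it: Kyle Amon's derives a pid from the socket name, John Buttery's tests whether SSH_AGENT_PID is set, and the last greps the ps table for a pid that may by now belong to some other process. The following is an added example, not from the page or its contributors, that persists the agent environment the way the last script does but asks the agent itself before trusting it, and that leaves an agent already in the environment (one started by gdm as described above, or one forwarded by ssh -A) alone. It assumes the file name ~/.ssh/agent.env, which is my choice, and relies on ssh-add -l exiting with status 2 only when no agent can be reached.

```shell
#!/bin/sh
# Added example (not from the original page): keep one ssh-agent alive
# across login shells.  Its environment is saved to $SSH_ENV (an assumed
# file name) and re-validated before it is trusted.
SSH_ENV="${SSH_ENV:-$HOME/.ssh/agent.env}"

# Filter the output of `ssh-agent -s` into a file that can be sourced
# silently: the output ends with a line "echo Agent pid N;", which the
# last script above neutralises with sed; dropping it is equivalent.
strip_agent_echo() {
    grep -v '^echo '
}

# Exit 0 if $SSH_AUTH_SOCK / $SSH_AGENT_PID describe a reachable agent.
# Cheap checks first (socket present, pid alive), then ask the agent:
# `ssh-add -l` exits 2 only when it cannot contact an agent (0 = keys
# listed, 1 = agent reachable but holding no keys).
agent_is_usable() {
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ] || return 1
    # A forwarded agent has no local pid; a saved one must still be alive.
    if [ -n "$SSH_AGENT_PID" ]; then
        kill -0 "$SSH_AGENT_PID" 2>/dev/null || return 1
    fi
    ssh-add -l >/dev/null 2>&1
    [ $? -ne 2 ]
}

# Start a fresh agent and record it.  The umask (in a subshell, so the
# caller's umask is untouched) makes the file 0600 from the moment it
# exists: it names a socket anyone who can read it could try to use.
start_agent() {
    (umask 077; ssh-agent -s | strip_agent_echo > "$SSH_ENV")
    . "$SSH_ENV"
}

# Call from .bash_profile / .profile.  An agent already in the environment
# (from the display manager, or forwarded by ssh -A) takes precedence over
# the file; otherwise the saved one is reused if usable, else a new one is
# started.  A key is loaded only if none is present, so this is the one
# place a passphrase prompt can appear.
ensure_agent() {
    if ! agent_is_usable; then
        if [ -f "$SSH_ENV" ]; then
            . "$SSH_ENV" >/dev/null
        fi
        agent_is_usable || start_agent
    fi
    ssh-add -l >/dev/null 2>&1 || ssh-add
}
```

Call ensure_agent at the end of .bash_profile or .profile; pair it with ssh-agent -k in .logout, as John Buttery's snippet does, if the agent should not outlive the session.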

Ok, so, did it work or no? Let me know.

If you want to use this setup for editing remote files in emacs under Windows, check out my Tramp-on-NT page.

If you want to understand a little bit more about how all this works, read An Illustrated Guide to SSH AgentForwarding.

[email protected] Modified: 2015-Feb-28 11:49