HOWTO ssh-agent the easy way
From Gentoo Linux Wiki
Introduction
Who needs keychains? :P
After setting up your public and private keys as instructed on the "SSH without a password" page, you can follow this guide to make ssh-agent handle your keys and give you passwordless logins in a secure way.
This may not be KDE specific. If anyone knows about a startup folder for GNOME or other window managers, this will probably work with them as well. This works in KDE 3.5.
Install askpass
You can install whichever askpass you like: either "gtk2-ssh-askpass" or "x11-ssh-askpass". As you can guess, the gtk2 version depends on various GTK libraries.
Code: Installing one of *-ssh-askpass
    emerge -av net-misc/gtk2-ssh-askpass
    # OR
    emerge -av net-misc/x11-ssh-askpass
There is also a KDE4 askpass implementation underway and in fact, you could use the current KDE3 version as well. Check it out on http://www.kde-apps.org/content/show.php?content=50971 . An ebuild is provided on the stormfront overlay http://code.google.com/p/stormfront/ .
Askpass programs show a dialog box asking for the ssh keys' passphrases on behalf of ssh-add.
Xinitrc way for starting the agent
If you want ssh-agent to load when KDE starts and shut down automatically when KDE stops, just use ssh-agent to spawn KDE.
Create a .xinitrc file with the following:
File: .xinitrc
    exec /usr/bin/ssh-agent startkde
Non-KDE way to add keys to agent
Run ssh-add from a terminal once you've logged in. It will ask for the key's passphrase and add the key to the agent. That's it.
KDE Scripts
To start/stop agent using global configuration
Use the following file to start ssh-agent automatically:
/usr/kde/KDE_VERSION/env/agent-startup.sh
There is also an automatic shutdown file:
/usr/kde/KDE_VERSION/shutdown/agent-shutdown.sh
If your version of KDE supports the two mechanisms above and you use them, just uncomment the appropriate lines in those files; the only step you then need from the sections below is the ssh-add.sh script.
To start agent using local configuration ~/.kde/env/ssh-agent.sh
    mkdir -p ~/.kde/env
    vim ~/.kde/env/ssh-agent.sh
    chmod u+x ~/.kde/env/ssh-agent.sh
The ~/.kde/env/ssh-agent.sh file should contain the following.
NOTE: $HOME will/should evaluate to your home directory. No need to change it.
File: ~/.kde/env/ssh-agent.sh
    #!/bin/sh
    # Start the agent and save its environment (SSH_AUTH_SOCK, SSH_AGENT_PID) for later reuse.
    /usr/bin/ssh-agent -s > "$HOME/.ssh/agent-env.sh"
    # Import those variables into the KDE session; discard the "Agent pid" message.
    . "$HOME/.ssh/agent-env.sh" > /dev/null
To stop agent using local configuration ~/.kde/shutdown/shutdown-ssh.sh
Create a KDE shutdown script to stop ssh-agent properly at logout, disabling any further access to keys.
    mkdir -p ~/.kde/shutdown
    vim ~/.kde/shutdown/shutdown-ssh.sh
    chmod u+x ~/.kde/shutdown/shutdown-ssh.sh
The ~/.kde/shutdown/shutdown-ssh.sh file should contain the following.
File: ~/.kde/shutdown/shutdown-ssh.sh
    #!/bin/sh
    # Kill the agent named by SSH_AGENT_PID so the loaded keys can no longer be used.
    /usr/bin/ssh-agent -k
To add keys at startup ~/.kde/Autostart/ssh-add.sh
This step ensures that your keys are added to the agent as soon as you open your session.
    mkdir -p ~/.kde/Autostart
    ln -s /usr/bin/ssh-add ~/.kde/Autostart/
Cronjobs and shell scripts
To use the keys held by ssh-agent in shell scripts or cron jobs, which makes it easy to log into remote machines and run tasks there, just source $HOME/.ssh/agent-env.sh with this command:
    . $HOME/.ssh/agent-env.sh > /dev/null
This imports the environment variables ssh needs to connect to the agent. They are produced by the "-s" parameter given to ssh-agent in the ~/.kde/env/ssh-agent.sh script defined above. If you start ssh-agent any other way, give it the -s parameter and save the output to $HOME/.ssh/agent-env.sh. If you are using a csh-like shell, use -c instead of -s.
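For cron jobs, which may run long after the file was written, the helper below is an added example (not from the original wiki page or from OpenSSH). It reads only the two agent variables out of agent-env.sh instead of executing the file, rejects a file that is not yours or that group or others can write, and reports a stale file left behind by an earlier session. The function name load_agent_env and its return codes are assumptions made for this example.

```shell
#!/bin/sh
# load_agent_env FILE   (hypothetical helper, not part of OpenSSH or the wiki page)
# Reads SSH_AUTH_SOCK and SSH_AGENT_PID from saved "ssh-agent -s" output
# without executing FILE as shell code.
# Returns 0 = agent socket present, 1 = file missing or unsafe,
#         2 = values missing/malformed, 3 = stale file (socket is gone).
load_agent_env() {
    f=$1
    [ -f "$f" ] || return 1
    # Require a file we own that is not writable by group or others.
    [ -n "$(find "$f" -prune -user "$(id -u)" ! -perm -020 ! -perm -002)" ] || return 1

    # ssh-agent -s writes lines of the form:
    #   SSH_AUTH_SOCK=/tmp/ssh-XXXX/agent.123; export SSH_AUTH_SOCK;
    #   SSH_AGENT_PID=124; export SSH_AGENT_PID;
    sock=$(sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p' "$f" | head -n 1)
    pid=$(sed -n 's/^SSH_AGENT_PID=\([0-9][0-9]*\);.*/\1/p' "$f" | head -n 1)

    # Accept only an absolute socket path and a numeric pid.
    case $sock in
        /*) ;;
        *) return 2 ;;
    esac
    [ -n "$pid" ] || return 2

    SSH_AUTH_SOCK=$sock
    SSH_AGENT_PID=$pid
    export SSH_AUTH_SOCK SSH_AGENT_PID

    # After logout the file still exists but its socket does not.
    [ -S "$SSH_AUTH_SOCK" ] || return 3
    return 0
}
```

In a cron script, call `load_agent_env "$HOME/.ssh/agent-env.sh" || exit 1` before the first ssh command so the job stops cleanly when no agent is running.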
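Agent forwarding
Giving the "-A" parameter to ssh enables authentication agent forwarding (note the capital "A"). This lets you add keys stored on remote machines to your currently running ssh-agent: just ssh into the remote machine using ssh -A <rest of the command> and run "ssh-add" there.
To forward the agent on every ssh connection, make the following change to your ~/.ssh/config file. While a forwarded connection is open, anyone on the remote machine who can access the forwarded agent socket (root, for example) can authenticate with the keys in your agent, so forward only to machines you trust.
File: ~/.ssh/config
    ForwardAgent yes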
Example scenario for agent forwarding
- You have two machines A and B.
- You are currently working at A, and the keys in your ssh-agent enable passwordless login to machines c and d.
- Keys in B allow login into e and f.
- If you connect from A to B using ssh -A username@B and then run ssh-add at B, you can then connect from A to c, d, e and f without passwords.
