Some years ago, I first encountered ssh and its passphrases. All very good and secure, but it rapidly becomes difficult, not to say frustrating, when you are frequently logging in to multiple boxes with the same key. You want passphrase protection of your key, but you don’t want to wear out your keyboard or your patience.

The solution is simple: the under-used (in my experience) ssh-agent. Essentially, you start ssh-agent from your shell, add the passphrases for your keys, and away you go. The first trick is that ssh-agent does not set up its own environment; it prints the shell commands that do, so you have to start it inside an eval, i.e. with backticks, to capture its output. Run on its own it just prints:

[richard@somehost richard]$ ssh-agent        
SSH_AUTH_SOCK=/tmp/ssh-lwy32315/agent.32315; export SSH_AUTH_SOCK;
SSH_AGENT_PID=32318; export SSH_AGENT_PID;
echo Agent pid 32318;  

So, run ssh-agent as follows:

[richard@somehost richard]$ eval `ssh-agent`
Agent pid 32509    

Those unfortunate enough to be using csh-derived shells will need the ‘-c’ option to make it spit out setenv commands instead. The truly paranoid may want to add ‘-t <life>’ (the lifetime is in seconds by default) so that keys added to the agent expire after that time.

So, once you have ssh-agent running, add your keys:

[richard@somehost richard]$ ssh-add 
Enter passphrase for /home/richard/.ssh/id_dsa:   *****
Identity added: /home/richard/.ssh/id_dsa (/home/richard/.ssh/id_dsa)    

Then ssh away to your boxes where that key is trusted! When you’re done, if you’re a well-behaved user (hoho), run the following to kill it off nicely:

[richard@somehost richard]$ eval `ssh-agent -k`
Agent pid 32509  killed

Note that the socket lives in a directory owned by the user, so it’s impossible - unless somebody has been messing about with the permissions - for another user on that box to attach to your agent’s socket.
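As an added example that is not part of the original post, the following POSIX shell script wraps the whole sequence above (eval `ssh-agent -t`, ssh-add, do your work, ssh-agent -k) in one function, and turns the note about the socket directory into an explicit check before any key is loaded. It assumes the standard OpenSSH ssh-agent and ssh-add are installed; the function names socket_dir_is_private and with_agent are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the ssh-agent workflow
# described above in a single function and checks that the agent socket's
# directory is private to the current user before keys are unlocked.
# Assumes POSIX sh plus the standard OpenSSH ssh-agent and ssh-add.

# socket_dir_is_private PATH
# True when the directory holding the agent socket at PATH is owned by the
# current user and has mode 0700 exactly (no group or other access bits).
socket_dir_is_private() {
    dir=$(dirname "$1")
    [ -d "$dir" ] || return 1
    # POSIX find: -prune stops descent into the directory, -user matches the
    # owner by name, and -perm 700 is an exact mode match, not a subset.
    [ -n "$(find "$dir" -prune -type d -user "$(id -un)" -perm 700 -print)" ]
}

# with_agent LIFETIME_SECONDS COMMAND [ARGS...]
# Starts a fresh agent whose keys expire after LIFETIME_SECONDS, loads the
# default keys (this is where the passphrase prompt appears), runs COMMAND,
# then kills the agent so no unlocked key outlives the session.
# Returns COMMAND's exit status.
with_agent() {
    life=$1; shift
    command -v ssh-agent >/dev/null 2>&1 || { echo "ssh-agent not found" >&2; return 127; }
    # Capture the agent's output first so a failed start is detected; eval
    # then performs the SSH_AUTH_SOCK / SSH_AGENT_PID exports for us.
    agent_env=$(ssh-agent -t "$life") || return 1
    eval "$agent_env" >/dev/null
    if ! socket_dir_is_private "$SSH_AUTH_SOCK"; then
        echo "refusing to use $SSH_AUTH_SOCK: directory is not private" >&2
        eval "$(ssh-agent -k)" >/dev/null
        return 1
    fi
    ssh-add || { eval "$(ssh-agent -k)" >/dev/null; return 1; }
    "$@"; status=$?
    eval "$(ssh-agent -k)" >/dev/null
    return $status
}

# Usage (interactive; prompts for the passphrase once):
#   with_agent 3600 ssh user@somehost uptime
```

The agent is killed on every exit path of with_agent, including the failure ones, so a mistyped passphrase or an unexpected socket location never leaves a stray agent holding keys behind.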

One Response to “Managing SSH passphrase keys”

njkayaker Says:

Google “keychain”. Makes ssh-agent easier to use.
