Welcome to Deadman.org.
Security is best when it is handy. ssh-agent is pretty darn handy. Ssh-agent can authenticate you to a remote machine via keypairs, rather than the traditional hand-typed username/password combination, with no loss of security.
In this tutorial, I hope to teach you how to use ssh-agent to automate logging in to your machines securely via the X Window System. One thing to note about this tutorial: my intention isn't to give you the nuts and bolts of ssh or ssh-agent, but rather to give you a quick-and-dirty method to get more secure. I do, however, encourage you to look for other online documentation to learn about the ways that ssh works and the things that are going on behind the scenes in this tutorial. This tutorial also assumes you have some knowledge of X11 and how to start your window manager or desktop environment of choice. The machine that I use is running RedHat 6.2 and ssh 1.2.27, but this tutorial should work across platforms.
The first step in using ssh-agent is to generate your private
and public keys. The private key will have a pass-phrase that
allows ssh-agent to decrypt it and keep the decrypted key in
memory. Pass-phrases should and can be much longer than conventional
passwords. At the command prompt, simply run:
Initializing random number generator...
Generating p: .........++ (distance 110)
Generating q: ..............++ (distance 268)
Computing the keys...
Testing the keys...
Key generation complete.
Enter file in which to save the key (/home/user/.ssh/identity):
Enter the same passphrase again:
Your identification has been saved in /home/user/.ssh/identity.
Your public key is:
1024 35 1449869909427600207234232665204900947[*snip*]
Your public key has been saved in /home/user/.ssh/identity.pub
If you haven't already, the next step is to use ssh to connect to
the remote machine and from there connect back to your
local machine. This will create the $HOME/.ssh directory on the remote
machine, as well as creating some files in that directory. Once that
directory has been created, you can log out of the remote machine. Now
you'll want to copy your public key to that remote machine, however
it will need to exist as a different file name on the remote machine:
#>scp .ssh/identity.pub user@remotehost:.ssh/authorized_keys
#>ssh user@remotehost 'cat >> ~/.ssh/authorized_keys' < ~/.ssh/identity.pub
It's important to note that this file (~/.ssh/authorized_keys) can contain many keys, and that you don't want to overwrite it every time you set up ssh-agent on a new machine. The first method (scp) replaces the file outright; the second method, appending with 'cat >>', will not overwrite it. One of the gotchas of this process is the permissions on both the ~/.ssh directory and the ~/.ssh/authorized_keys file. Both of these should be writable only by the owner and not by group or other, otherwise ssh will not accept the key.
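The following helper, added here as an example and not part of the original tutorial, does the two things the paragraph above warns about: it appends the public key to authorized_keys without truncating the file (and skips the key if it is already listed), then sets owner-only permissions on ~/.ssh and the file. The function names, the directory argument and the sample key in the usage are assumptions made for the example.

```shell
#!/bin/sh
# add_authorized_key <pubkey-file> <ssh-dir>  (hypothetical helper, not from the tutorial)
# Appends the single key line in <pubkey-file> to <ssh-dir>/authorized_keys,
# never overwriting existing keys, and fixes the permissions ssh insists on.
add_authorized_key() {
    pubkey="$1"
    sshdir="$2"
    authkeys="$sshdir/authorized_keys"

    # identity.pub holds exactly one key line; refuse anything unreadable or empty.
    [ -r "$pubkey" ] || { echo "cannot read $pubkey" >&2; return 1; }
    key=$(head -n 1 "$pubkey")
    [ -n "$key" ] || { echo "$pubkey is empty" >&2; return 1; }

    # Create the directory and file if the first ssh round-trip did not already.
    mkdir -p "$sshdir" || return 1
    touch "$authkeys" || return 1

    # Append only if this exact line is absent; '>>' never truncates the file.
    if grep -qxF -e "$key" "$authkeys"; then
        echo "key already present in $authkeys"
    else
        printf '%s\n' "$key" >> "$authkeys"
        echo "key appended to $authkeys"
    fi

    # The gotcha: neither the directory nor the file may be group/other writable.
    chmod 700 "$sshdir" && chmod 600 "$authkeys"
}

# count_keys <authorized_keys>: number of non-empty lines, handy for checking the result.
count_keys() {
    grep -c . "$1"
}

# Example run with a constructed key (SSH1 format, as on this page) in a scratch directory.
demo_dir=$(mktemp -d)
printf '1024 35 1449869909 user@localhost\n' > "$demo_dir/identity.pub"
add_authorized_key "$demo_dir/identity.pub" "$demo_dir/ssh"
add_authorized_key "$demo_dir/identity.pub" "$demo_dir/ssh"   # second call is a no-op
echo "keys now listed: $(count_keys "$demo_dir/ssh/authorized_keys")"
ls -ld "$demo_dir/ssh" "$demo_dir/ssh/authorized_keys"
```

On the real remote machine you would run it against "$HOME/.ssh" after copying identity.pub over, or pipe the key through ssh as the tutorial's second command does.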
Now comes the fun part. I run RedHat in runlevel 3 and start X11
from the command line, so in these examples, I'll be working with
the file ~/.xinitrc. If you are in runlevel 5 (where you boot into
X11 directly) you'll need to work with ~/.xsession or ~/.Xclients
instead. Here is my ~/.xinitrc:
# Window Maker default X session startup script
PATH="$PATH:/usr/local/bin"
xscreensaver -no-splash &
gkrellm &
#exec ssh-agent sh -c 'ssh-add > /dev/null & exec wmaker'
exec ssh-agent sh -c 'ssh-add > /dev/null & sleep 5 ; exec gnome-session'
The last line starts gnome-session under ssh-agent, so the agent will be able to talk with all of the shells you open in X. Obviously you can change gnome-session to startkde or whatever you like.
Once you start X11, you'll be prompted, by ssh-agent, for your
pass-phrase. Ssh-agent will keep the decrypted private key in memory and use
it to authenticate to hosts that have your public key. This means
that you can open xterms/eterms/wterms/aterms/rxvts and connect to
remote machines seamlessly. I have GNOME-launchers for most of my
shells that look similar to this:
wterm -tr -sh -fg white -sb -st -wm -font 9x15 -e slogin user@remotehost
I'm able to open these without entering a password, as if they were shells on my local machine.
Send comments to Sam Rowe, deadman at deadman dot org.
Paul Keck is a helluva guy. He also wrote a helluva SSH2 Agent/Keys tutorial you should check out.