Welcome to Deadman.org.

Creative Commons License

SSH-Agent 1.2.27 Tutorial at Deadman.org

Security is best when it is handy. ssh-agent is pretty darn handy. Ssh-agent can authenticate you to a remote machine via keypairs, rather than the traditional hand-typed username/password combination, with no loss of security.

In this tutorial, I hope to teach you how to use ssh-agent to automate logging in to your machines securely via the X Windowing System. One thing to note about this tutorial, my intention isn't to give you the nuts and bolts of ssh or ssh-agent, but rather to give you a quick-and-dirty method to get more secure. I do, however, encourage you to look for other online documentation to learn about the ways that ssh works and the things that are going on behind the scenes in this tutorial. This tutorial also assumes you have some knowledge of X11 and how to start your window-manager/desktop-environment of choice. The machine that I use is running RedHat 6.2 and ssh 1.2.27, but this tutorial should work across platforms.

The first step in using ssh-agent is to generate your private and public keys. The private key will have a pass-phrase that allows ssh-agent to decrypt it and keep the decrypted key in memory. Pass-phrases should and can be much longer than conventional passwords. At the command prompt, simply run:

Initializing random number generator...
Generating p: .........++ (distance 110)
Generating q: ..............++ (distance 268)
Computing the keys...
Testing the keys...
Key generation complete.
Enter file in which to save the key (/home/user/.ssh/identity):
Enter passphrase:
Enter the same passphrase again:
Your identification has been saved in /home/user/.ssh/identity.
Your public key is:
1024 35 1449869909427600207234232665204900947[*snip*]
Your public key has been saved in /home/user/.ssh/identity.pub

If you haven't already, the next step is to use ssh to connect to the remote machine and from there connect back to your local machine. This will create the $HOME/.ssh directory on the remote machine, as well as creating some files in that directory. Once that directory has been created, you can log out of the remote machine. Now you'll want to copy your public key to that remote machine, however it will need to exist as a different file name on the remote machine:
#>scp .ssh/identity.pub remoteuser@remotemachine:.ssh/authorized_keys


#>ssh remoteuser@remotehost 'cat >> ~/.ssh/authorized_keys' < ~/.ssh/identity.pub

It's important to note that this file [~/.ssh/authrorized_keys] can contain many keys and that you don't want to overwrite it every time you setup 'agent on a new machine. The second method for transferring your public key, mentioned above, will not overwrite the file. One of the gotcha's of this process is the permissions on both the ~.ssh directory and the ~/.ssh/authorized_keys file. Both of these should only be writeable by the owner and not the group or other.

Now comes the fun part. I run RedHat in runlevel 3 and start X11 from the command line, so in these examples, I'll be working with the file ~/.xinitrc. If you are in runlevel 5 (where you boot into X11 directly) you'll need to work with ~/.xsession or ~/.Xclients instead. Here is my ~/.xinitrc:

# Window Maker default X session startup script

xscreensaver -no-splash &
gkrellm &
#exec ssh-agent sh -c 'ssh-add > /dev/null & exec wmaker'
exec ssh-agent sh -c 'ssh-add > /dev/null & sleep 5 ; exec gnome-session'

The last line starts gnome-session under ssh-agent, so now 'agent will be able to talk with all of the shells you open in X. Obviously you can change gnome-session to startkde or whatever you like.

Once you start X11, you'll be prompted, by ssh-agent, for your pass-phrase. Ssh-agent will keep this pass-phrase in memory and use it to authenticate to hosts that have your public-key. This means that you can open xterms/eterms/wterms/aterms/rxvts and connect to remote machines seamlessly. I have GNOME-launchers for most of my shells that look similar to this:

wterm -tr -sh -fg white -sb -st -wm -font 9x15 -e slogin user@remote.box.com

I'm able to open these w/o entering a password, as if they are shells on my local machine.

Send comments to Sam Rowe, deadman at deadman dot org.

Paul Keck is a helluva guy. He also wrote a helluva SSH2 Agent/Keys tutorial you should check out.

© 2009 Sam Rowe. Some rights reserved.