[ale] automating ssh script
Keith Hopkins
hne at hopnet.net
Mon Jul 29 17:56:39 EDT 2002
Michael Hirsch wrote:
> On Mon, 2002-07-29 at 07:56, Keith Hopkins wrote:
>
>>Hey Drew, (take 2!)
>>
>> This seems like a no-brainer to me. Just to confirm that, I tried it myself,
>>and it worked (no passphrase prompt, no password prompt.)
>>
>> First question...when you are generating the keys (type 1 or 2), what are you
>>entering for the "Enter passphrase" prompts? You should hit Enter
>>twice without typing anything. Anything you type here will be
>>prompted for at login.
>
>
> This is a bad idea. What he is trying to do is to enable typing in the
> passphrase once when running ssh-agent, then not needing to run it again.
Why is it a bad idea? Your private key is like a real key, it will open the door that it fits. It is safe (without a passphrase) as long as you don't give it away. Also like a real key, it can be lost or stolen, and this is where a passphrase can give you some added protection. What I don't know, and maybe someone can enlighten me....if someone hacks my system and steals my private key, and steals all the ssh-agent information, will that not also give them the same capability as if they had the passphrase?
I'm not understanding what you mean by "not needing to run it again"....it seems you always have to have ssh-agent running.
>
> I think Ed's solution is the correct one.
>
Ok, here's an example of using ssh-agent to keep your passphrase.... (NOTE: ssh-add didn't work right in OpenSSH 2.9.x. My example is OpenSSH 3.3)
(This time, enter some value for the passphrase prompts)
jimbo at athena:~> ssh -version
OpenSSH_3.3, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
Bad escape character 'rsion'.
jimbo at athena:~> rm -rf .ssh/
jimbo at athena:~> ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/jimbo/.ssh/id_dsa):
Created directory '/home/jimbo/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/jimbo/.ssh/id_dsa.
Your public key has been saved in /home/jimbo/.ssh/id_dsa.pub.
The key fingerprint is:
dd:66:...................................... jimbo at athena
jimbo at athena:~> ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-XX1RcNaX/agent.31740; export SSH_AUTH_SOCK;
SSH_AGENT_PID=31741; export SSH_AGENT_PID;
echo Agent pid 31741;
jimbo at athena:~> SSH_AUTH_SOCK=/tmp/ssh-XX1RcNaX/agent.31740; export SSH_AUTH_SOCK;
jimbo at athena:~> SSH_AGENT_PID=31741; export SSH_AGENT_PID;
jimbo at athena:~> echo Agent pid 31741;
Agent pid 31741
jimbo at athena:~> ssh-add
Enter passphrase for /home/jimbo/.ssh/id_dsa:
Identity added: /home/jimbo/.ssh/id_dsa (/home/jimbo/.ssh/id_dsa)
jimbo at athena:~> ssh slacker at apollo
The authenticity of host 'apollo (10.1.1.20)' can't be established.
RSA key fingerprint is bb:f7:..............................
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'apollo,10.1.1.20' (RSA) to the list of known hosts.
slacker at apollo's password:
Last login: Tue Jul 30 06:16:12 2002 from hera
Have a lot of fun...
slacker at apollo:~> exit
logout
Connection to apollo closed.
jimbo at athena:~> ssh slacker at apollo
slacker at apollo's password:
Last login: Tue Jul 30 06:22:11 2002 from athena
Have a lot of fun...
slacker at apollo:~> exit
logout
Connection to apollo closed.
jimbo at athena:~> scp .ssh/
id_dsa id_dsa.pub known_hosts
jimbo at athena:~> scp .ssh/id_dsa.pub slacker at apollo:.ssh/jimbos_id.pub
slacker at apollo's password:
id_dsa.pub 100% |*************************************************| 602 00:00
jimbo at athena:~> ssh slacker at apollo
slacker at apollo's password:
Last login: Tue Jul 30 06:25:03 2002 from athena
Have a lot of fun...
slacker at apollo:~> cd .ssh
slacker at apollo:~/.ssh> cat jimbos_id.pub > authorized_keys
slacker at apollo:~/.ssh> exit
logout
Connection to apollo closed.
jimbo at athena:~> ssh slacker at apollo
Last login: Tue Jul 30 06:35:27 2002 from athena.hopnet.lan
Have a lot of fun...
slacker at apollo:~>
My guess at what went wrong for Drew is that he either a) didn't have ssh-agent running, or b) didn't export the needed environment from ssh-agent.
(like this)
jimbo at athena:~> ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-XX1RcNaX/agent.31740; export SSH_AUTH_SOCK;
SSH_AGENT_PID=31741; export SSH_AGENT_PID;
echo Agent pid 31741;
jimbo at athena:~> SSH_AUTH_SOCK=/tmp/ssh-XX1RcNaX/agent.31740; export SSH_AUTH_SOCK;
jimbo at athena:~> SSH_AGENT_PID=31741; export SSH_AGENT_PID;
jimbo at athena:~> echo Agent pid 31741;
Agent pid 31741
So, you have to run ssh-agent as part of your startup AND you have to stream its output into your shell.
A handy way to do this is to just redirect the output of ssh-agent to a file, and then "source" the file. I think you can just drop this in your startup script.
jimbo at athena:~> ssh-agent > ssh-env
jimbo at athena:~> . ssh-env
Agent pid 512
jimbo at athena:~> cat ssh-env
SSH_AUTH_SOCK=/tmp/ssh-XX7iJppb/agent.511; export SSH_AUTH_SOCK;
SSH_AGENT_PID=512; export SSH_AGENT_PID;
echo Agent pid 512;
jimbo at athena:~>
Is everybody happy?
--
Lost in Tokyo,
Keith
---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.
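The agent bootstrap and key install that the message above walks through by hand, as an added example that is not part of the original post or of OpenSSH itself. It assumes a cache file name ($HOME/.ssh/agent-env) and takes the authorized_keys path as an argument; the key line and paths used in the test are constructed. Three things it does differently from the transcript: it reuses an agent that is already running instead of starting a new one per shell, it creates the cached environment file mode 0600 (anyone who can read the socket path and reach the socket can sign with every loaded key, which is the answer to the "steals all the ssh-agent information" question), and it appends to authorized_keys instead of overwriting it, since `cat jimbos_id.pub > authorized_keys` would wipe any keys already installed.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenSSH.
# Assumed names: $HOME/.ssh/agent-env as the agent environment cache;
# the authorized_keys path is passed in by the caller.

# Source a cached agent environment file and report whether the agent it
# names is still usable: socket present and the agent PID still running.
agent_alive() {
    envfile=$1
    [ -r "$envfile" ] || return 1
    # The file is "eval"ed, so it must be user-owned and unwritable by others.
    . "$envfile" >/dev/null
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ] || return 1
    [ -n "$SSH_AGENT_PID" ] && kill -0 "$SSH_AGENT_PID" 2>/dev/null
}

# Reuse the cached agent if it is alive, otherwise start one and cache its
# Bourne-style output (ssh-agent -s) with mode 0600 via a subshell umask.
start_or_reuse_agent() {
    envfile=${1:-$HOME/.ssh/agent-env}
    if agent_alive "$envfile"; then
        return 0
    fi
    mkdir -p "$(dirname "$envfile")" && chmod 700 "$(dirname "$envfile")"
    (umask 077; ssh-agent -s > "$envfile") || return 1
    . "$envfile" >/dev/null
}

# Append one public key line to authorized_keys only if it is not already
# there, and set the modes sshd's StrictModes expects (dir 700, file 600).
# Run this on the remote host (or through ssh) after copying the .pub file.
install_pubkey() {
    pubkey_file=$1
    authkeys=$2
    keyline=$(head -n 1 "$pubkey_file") || return 1
    case $keyline in
        ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-*|sk-*) ;;
        *) echo "not an OpenSSH public key line: $pubkey_file" >&2; return 2 ;;
    esac
    mkdir -p "$(dirname "$authkeys")"
    chmod 700 "$(dirname "$authkeys")"
    touch "$authkeys"
    chmod 600 "$authkeys"
    # -x: whole-line match, -F: literal (the base64 blob contains '+' and '/').
    if ! grep -qxF "$keyline" "$authkeys"; then
        printf '%s\n' "$keyline" >> "$authkeys"
    fi
}

# Number of key lines currently installed (used as a sanity check).
count_keys() {
    grep -c '' "$1"
}
```

Put `start_or_reuse_agent` in your shell startup in place of the raw `ssh-agent > ssh-env; . ssh-env` pair; on a second login it finds the live agent through the cache and does not prompt again, and `ssh-add -l` will list the identity loaded the first time. If the cache is stale (reboot, killed agent) the socket or PID check fails and a fresh agent is started.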