[ale] automating ssh script

ChangingLINKS.com x3 at ChangingLINKS.com
Mon Jul 29 19:09:46 EDT 2002


I fail to see the problem too. I am comfortable with this key working from
one of my local machines. I am thinking that the chances of someone hacking
my local machine and discovering that it connects to my server, are less than
the chances of someone simply hacking my server.
--
Wishing you Happiness, Joy and Laughter,
Drew Brown
http://www.ChangingLINKS.com

On Monday 29 July 2002 17:56, you wrote:
> Michael Hirsch wrote:
> > On Mon, 2002-07-29 at 07:56, Keith Hopkins wrote:
> >>Hey Drew, (take 2!)
> >>
> >>    This seems like a no-brainer to me.  Just to confirm that, I tried it
> >> myself, and it worked (no passphrase prompt, no password prompt.)
> >>
> >>    First question...when you are generating the keys (type 1 or 2), what
> >> are you entering for the "Enter passphrase" prompts?  You should hit
> >> Enter twice without typing anything.  Anything you type here will be
> >>prompted for at login.
> >
> > This is a bad idea.  What he is trying to do is to enable typing in the
> > passphrase once when running ssh-agent, then not needing to run it again.
>
> Why is it a bad idea?  Your private key is like a real key, it will open
> the door that it fits.  It is safe (without a passphrase) as long as you
> don't give it away.  Also like a real key, it can be lost or stolen, and
> this is where a passphrase can give you some added protection.  What I
> don't know, and maybe someone can enlighten me....if someone hacks my
> system and steals my private key, and steals all the ssh-agent information,
> will that not also give them the same capability as if they had the
> passphrase?
>
> I'm not understanding what you mean by "not needing to run it again"....it
> seems you always have to have ssh-agent running.
>
> > I think Ed's solution is the correct one.
>
> Ok, here's an example of using ssh-agent to keep your passphrase.... (NOTE:
> ssh-add didn't work right in OpenSSH 2.9.x.  My example is OpenSSH 3.3)
>
> (This time, enter some value for the passphrase prompts)
>
> jimbo at athena:~> ssh -version
> OpenSSH_3.3, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
> Bad escape character 'rsion'.
> jimbo at athena:~> rm -rf .ssh/
> jimbo at athena:~> ssh-keygen -t dsa
> Generating public/private dsa key pair.
> Enter file in which to save the key (/home/jimbo/.ssh/id_dsa):
> Created directory '/home/jimbo/.ssh'.
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
> Your identification has been saved in /home/jimbo/.ssh/id_dsa.
> Your public key has been saved in /home/jimbo/.ssh/id_dsa.pub.
> The key fingerprint is:
> dd:66:...................................... jimbo at athena
> jimbo at athena:~> ssh-agent
> SSH_AUTH_SOCK=/tmp/ssh-XX1RcNaX/agent.31740; export SSH_AUTH_SOCK;
> SSH_AGENT_PID=31741; export SSH_AGENT_PID;
> echo Agent pid 31741;
> jimbo at athena:~> SSH_AUTH_SOCK=/tmp/ssh-XX1RcNaX/agent.31740; export
> SSH_AUTH_SOCK; jimbo at athena:~> SSH_AGENT_PID=31741; export SSH_AGENT_PID;
> jimbo at athena:~> echo Agent pid 31741;
> Agent pid 31741
> jimbo at athena:~> ssh-add
> Enter passphrase for /home/jimbo/.ssh/id_dsa:
> Identity added: /home/jimbo/.ssh/id_dsa (/home/jimbo/.ssh/id_dsa)
> jimbo at athena:~> ssh slacker at apollo
> The authenticity of host 'apollo (10.1.1.20)' can't be established.
> RSA key fingerprint is bb:f7:..............................
> Are you sure you want to continue connecting (yes/no)? yes
> Warning: Permanently added 'apollo,10.1.1.20' (RSA) to the list of known
> hosts. slacker at apollo's password:
> Last login: Tue Jul 30 06:16:12 2002 from hera
> Have a lot of fun...
> slacker at apollo:~> exit
> logout
> Connection to apollo closed.
> jimbo at athena:~> ssh slacker at apollo
> slacker at apollo's password:
> Last login: Tue Jul 30 06:22:11 2002 from athena
> Have a lot of fun...
> slacker at apollo:~> exit
> logout
> Connection to apollo closed.
> jimbo at athena:~> scp .ssh/
> id_dsa       id_dsa.pub   known_hosts
> jimbo at athena:~> scp .ssh/id_dsa.pub slacker at apollo:.ssh/jimbos_id.pub
> slacker at apollo's password:
> id_dsa.pub           100%
>
> |*************************************************|   602       00:00
>
> jimbo at athena:~> ssh slacker at apollo
> slacker at apollo's password:
> Last login: Tue Jul 30 06:25:03 2002 from athena
> Have a lot of fun...
> slacker at apollo:~> cd .ssh
> slacker at apollo:~/.ssh> cat jimbos_id.pub > authorized_keys
> slacker at apollo:~/.ssh> exit
> logout
> Connection to apollo closed.
> jimbo at athena:~> ssh slacker at apollo
> Last login: Tue Jul 30 06:35:27 2002 from athena.hopnet.lan
> Have a lot of fun...
> slacker at apollo:~>
>
> My guess what went wrong for Drew is that he either a) didn't have
> ssh-agent running, or b) didn't export the needed environment from
> ssh-agent. (like this)
> jimbo at athena:~> ssh-agent
> SSH_AUTH_SOCK=/tmp/ssh-XX1RcNaX/agent.31740; export SSH_AUTH_SOCK;
> SSH_AGENT_PID=31741; export SSH_AGENT_PID;
> echo Agent pid 31741;
> jimbo at athena:~> SSH_AUTH_SOCK=/tmp/ssh-XX1RcNaX/agent.31740; export
> SSH_AUTH_SOCK; jimbo at athena:~> SSH_AGENT_PID=31741; export SSH_AGENT_PID;
> jimbo at athena:~> echo Agent pid 31741;
> Agent pid 31741
>
> So, you have to run ssh-agent as part of your startup AND you have to
> stream its output into your shell.
>
> A handy way to do this is to just redirect the output of ssh-agent to a
> file, and then "source" the file.  I think you can just drop this in your
> startup script.
>
> jimbo at athena:~> ssh-agent > ssh-env
> jimbo at athena:~> . ssh-env
> Agent pid 512
>
> jimbo at athena:~> cat ssh-env
> SSH_AUTH_SOCK=/tmp/ssh-XX7iJppb/agent.511; export SSH_AUTH_SOCK;
> SSH_AGENT_PID=512; export SSH_AGENT_PID;
> echo Agent pid 512;
> jimbo at athena:~>
>
>    Is everybody happy?
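A login-script version of the save-and-source approach from the quoted post, as an added example (not code from the thread). It assumes the saved environment lives at ~/.ssh/agent-env and adds two checks a practitioner would want: the file is validated before it is sourced (sourcing a file executes whatever is in it), and a previous agent is reused only if it still answers, so each login does not spawn a fresh agent.

```shell
#!/bin/sh
# Added example: start one ssh-agent per login session, saving its output to
# a file and reusing it on later logins while the agent is still alive.
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent-env}"   # assumed location

# Accept only the three line shapes "ssh-agent -s" prints (see the quoted
# cat ssh-env output); any other line means the file is not safe to source.
agent_env_is_sane() {
    [ -f "$1" ] || return 1
    grep -Eqv '^(SSH_AUTH_SOCK=/[^;[:space:]]*; export SSH_AUTH_SOCK;|SSH_AGENT_PID=[0-9]+; export SSH_AGENT_PID;|echo Agent pid [0-9]+;)$' "$1" \
        && return 1
    grep -Eq '^SSH_AUTH_SOCK=' "$1" && grep -Eq '^SSH_AGENT_PID=' "$1"
}

# ssh-add -l exits 0 with keys loaded, 1 when the agent has no keys, and 2
# when it cannot reach the agent at all; only 2 means we need a new agent.
agent_is_alive() {
    ssh-add -l >/dev/null 2>&1
    [ $? -ne 2 ]
}

# Source the saved environment if it is sane and its agent still answers;
# otherwise start a new agent, writing the file with owner-only permissions.
start_or_reuse_agent() {
    if agent_env_is_sane "$AGENT_ENV"; then
        . "$AGENT_ENV" >/dev/null
        agent_is_alive && return 0
    fi
    mkdir -p "$(dirname "$AGENT_ENV")"
    (umask 077; ssh-agent -s > "$AGENT_ENV") || return 1
    . "$AGENT_ENV" >/dev/null
    agent_is_alive
}

# Usage from ~/.profile (assumed path for this file):
#   . "$HOME/bin/agent-env.sh" && start_or_reuse_agent && ssh-add
[ -n "${SSH_AGENT_AUTOSTART:-}" ] && start_or_reuse_agent
```

Run ssh-add once after the agent is up, as in the quoted session; later shells that source the same file reach the same agent and the same loaded key.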


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.