Thursday, September 20, 2007

ssh agent

My users asked about how to use ssh-agent so I sent them this:

1. Start the SSH agent

workstation:~$ eval `ssh-agent`
Agent pid 26147
workstation:~$
Note that the above uses back-ticks, not single quotes; the back-tick key is at the upper-left of a standard PC keyboard. If you try this and instead get:
Could not open a connection to your authentication agent.
then your shell is not running under the ssh-agent. You can get around this by starting a new shell under the agent (exec replaces your current shell with it):
exec ssh-agent bash
2. Make the agent aware of your key (and type passphrase):
workstation:~$ ssh-add
Enter passphrase for /home/me/.ssh/id_rsa:
Identity added: /home/me/.ssh/id_rsa (/home/me/.ssh/id_rsa)
workstation:~$
3. Confirm it has your key:
workstation:~$ ssh-add -l
2048 9b:fe:23:ed:9a:ff:be:ed:1d:b7:26:28:c9:68:b5:62
/home/me/.ssh/id_rsa (RSA)
workstation:~$
4. SSH to server1 and forward your agent connection (-A; the private key itself stays on your workstation):
workstation:~$ ssh -AX server1
Last login: Thu May 31 11:58:34 2007 from workstation.domain.tld
[server1 ~]$
(note: it didn't prompt for a passphrase, since the agent already holds the unlocked key)

5. SSH from server1 to server3:

[server1 ~]$ ssh -AX server3
The authenticity of host 'server3 (123.456.789.45)' can't be established.
RSA key fingerprint is 6b:9d:98:60:36:8e:ef:d3:ea:90:0e:a8:cb:25:b2:90.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server3,123.456.789.45' (RSA) to the list of
known hosts.
Last login: Wed May 30 17:42:33 2007 from workstation.domain.tld
[server3 ~]$
6. Create a file on server3:
[server3 ~]$ echo "foo" > foo.txt
[server3 ~]$
7. Logout back to server1:
[server3 ~]$ exit
Connection to server3 closed.
[server1 ~]$
8. scp the file you left on server3 back to server1 (again no passphrase prompt: the forwarded agent on your workstation answers server3's challenge):
[server1 ~]$ scp server3:/home/me/foo.txt .
foo.txt                                     100%    4     0.0KB/s   00:00
[server1 ~]$
9. Log out of server1 and see that the agent is still running on your PC:
workstation:~$ ssh-add -l
2048 9b:fe:32:ed:9a:ee:fb:ea:1f:3b:22:83:9c:86:b5:62
/home/me/.ssh/id_rsa (RSA)
workstation:~$
10. Remove the key when you're done working:
workstation:~$ ssh-add -d ~/.ssh/id_rsa
Identity removed: /home/me/.ssh/id_rsa (/home/me/.ssh/id_rsa.pub)
workstation:~$
11. Verify it's no longer cached:
workstation:~$ ssh-add -l
The agent has no identities.
workstation:~$
12. Figure out the agent's PID and stop it. You were told the PID in step 1; if you don't remember it, you can find it with ps:
workstation:~$ ps ax | grep 26147
26147 ?        Ss     0:00 ssh-agent
workstation:~$
and then kill that PID:
workstation:~$ kill 26147
workstation:~$
You can then make sure that the agent has died:
workstation:~$ ps ax | grep 26147
workstation:~$
These last few steps are important, especially if you're done working and going to be away from your desk: while the agent holds your key, anyone with access to your session can use it to log in as you without knowing the passphrase.
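As an added example (not part of the original post), here are a few POSIX shell functions that wrap steps 1, 2 and 10 to 12: start an agent only if the shell cannot already reach one, load the key with a lifetime so it expires on its own, and tear everything down with one call you can hang on a trap. The function names, the default key path and the 4h lifetime are my own choices.

```shell
#!/bin/sh
# Helpers for the ssh-agent workflow in this post (added example, not from
# the original). Assumptions: POSIX sh, ssh-agent/ssh-add in PATH, key at
# ~/.ssh/id_rsa by default, and a 4h lifetime chosen here as a safety net.
KEYFILE="${KEYFILE:-$HOME/.ssh/id_rsa}"
KEY_LIFETIME="${KEY_LIFETIME:-4h}"

# True when this shell can reach a live agent: SSH_AUTH_SOCK must name a
# socket and, if SSH_AGENT_PID is set, that process must still exist.
# This is the condition behind "Could not open a connection to your
# authentication agent" in step 1.
agent_reachable() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ] || return 1
    if [ -n "${SSH_AGENT_PID:-}" ]; then
        kill -0 "$SSH_AGENT_PID" 2>/dev/null || return 1
    fi
    return 0
}

# Step 1: start an agent only if none is reachable; eval exports
# SSH_AUTH_SOCK and SSH_AGENT_PID into this shell, as eval `ssh-agent` does.
agent_start() {
    if agent_reachable; then
        echo "agent already running (pid ${SSH_AGENT_PID:-unknown})"
        return 0
    fi
    eval "$(ssh-agent -s)" >/dev/null
    agent_reachable || { echo "could not start ssh-agent" >&2; return 1; }
    echo "Agent pid $SSH_AGENT_PID"
}

# Step 2: add the key with a lifetime (ssh-add -t), so the agent forgets it
# on its own if step 10 is skipped.
agent_load_key() {
    ssh-add -t "$KEY_LIFETIME" "$KEYFILE"
}

# Steps 10-12 in one go: drop every identity, then have the agent exit.
# ssh-agent -k reads SSH_AGENT_PID itself, so no ps | grep is needed.
agent_stop() {
    agent_reachable || return 0
    ssh-add -D >/dev/null 2>&1
    eval "$(ssh-agent -k)" >/dev/null
}

# Typical use: source this file, then
#   agent_start && agent_load_key && trap agent_stop EXIT
# so the key is removed and the agent killed when you close the shell.
```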
