Ssh tips and tricks, part 5
It has been a while, but it is time for the next guide. In this guide I will dig a bit deeper into the ssh-agent. In the previous guide I mentioned the passwordless logins that ssh keys make possible. I suppose you still have the DSA key that you generated via that guide (or another one) around. (Current OpenSSH releases no longer accept DSA keys by default; everything below works the same with an RSA or ed25519 key, just substitute the file name.)
Remember that the key needs to be passphrase protected. If you haven't done that yet, do so via:
bq. ssh-keygen -p -f ~/.ssh/id_dsa
Also copy the public key to the server you want to log in to. The quotes around >> keep your local shell from interpreting the redirect, so it is the remote shell that appends the key to the file on the server:
bq. ssh b10m.example.net cat ">>" ~/.ssh/authorized_keys < ~/.ssh/id_dsa.pub
In theory everything should now be set up for key authentication, but there are some caveats.
One thing that might be wrong is the permissions of the key files. ~/.ssh should be mode 700 and the id_dsa* files no more than 600; ssh refuses to use a private key that other users can read. The same goes for ~/.ssh/authorized_keys on the other side: with StrictModes (the default) sshd ignores it if the file, ~/.ssh or the home directory is writable by group or others. Another thing that might be faulty is the location of the files. Check the server's log or run ssh with the -v option to find out what goes wrong.
I assume that logging in to the other server now works by typing your passphrase. E.g.:
bq. joffie@example:~$ ssh b10m.example.net
Enter passphrase for key '/home/joffie/.ssh/id_dsa':
After typing the passphrase you are logged into the other server, so the key login works. From a security standpoint key authentication is safer than passwords, but so far it has not helped usability: you still type a passphrase at every login. This is where the ssh-agent kicks in. In my ~/.xprofile file I have put the following code:
bq. if [ -z "$SSH_AGENT_PID" ]
then
    # start the agent and export SSH_AUTH_SOCK/SSH_AGENT_PID into this session
    eval "$(ssh-agent)"
    export SSH_ASKPASS=/usr/bin/ssh-askpass-fullscreen
    # stdin from /dev/null makes ssh-add prompt via SSH_ASKPASS (needs DISPLAY)
    ssh-add ~/.ssh/id_dsa </dev/null
    # kill the agent again when the X session ends
    trap "kill $SSH_AGENT_PID" 0
fi
This starts the ssh-agent together with my X session and asks me for the passphrase. All of the xterms I open within that X session inherit SSH_AGENT_PID and SSH_AUTH_SOCK and so know about the agent; echo $SSH_AGENT_PID in one of them to see the pid of the agent. Further communication with the agent goes through the ssh-add command:
bq. joffie@example:~$ ssh-add -l
1024 2e:31:ef:8d:b8:dc:fb:7c:4f:47:36:fc:87:70:bf:c4 /home/joffie/.ssh/id_dsa (DSA)
You can also lock (ssh-add -x) and unlock (ssh-add -X) your agent with a password; this is useful to temporarily disable the agent without removing the keys. You can also give a key a lifetime with the -t life option, where life is a number of seconds or one of the time formats described in sshd_config(5). For example, to add a key for 1 day, 5 hours, 31 minutes and 2 seconds use ssh-add -t 1d5h31m2s ~/.ssh/id_dsa; after that the agent forgets the key by itself. Deleting a key from the agent is done with the -d option of ssh-add (-D removes all of them).
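To see the lifetime and delete behaviour without touching your real keys, here is an added example that is not from the original guide. It drives a throwaway agent non-interactively: it assumes the OpenSSH ssh-agent, ssh-add and ssh-keygen are on PATH, generates an unencrypted ed25519 test key (the name id_test and the temp directory are this example's choice) so that no passphrase prompt is needed, and leaves locking out because -x prompts for a password interactively. The function names are this example's own.

```shell
#!/bin/sh
# Added example: exercise ssh-add -t (key lifetime) and ssh-add -d (delete)
# against a private ssh-agent. The test key is unencrypted only so that the
# demo needs no prompt; real keys should stay passphrase protected.

# Start a fresh agent and export its SSH_AUTH_SOCK/SSH_AGENT_PID here.
start_agent() {
    eval "$(ssh-agent -s)" >/dev/null
    [ -n "$SSH_AGENT_PID" ]
}

# Create an unencrypted ed25519 test key pair in directory $1, print its path.
make_test_key() {
    ssh-keygen -q -t ed25519 -N '' -C 'agent demo' -f "$1/id_test"
    echo "$1/id_test"
}

# Load private key $1 for $2 seconds; the agent drops it when time is up.
add_key_for() {
    ssh-add -t "$2" "$1" >/dev/null 2>&1
}

# Number of identities the agent holds. ssh-add -l exits 1 when the agent is
# empty and 2 when no agent is reachable; both count as 0 here.
loaded_count() {
    if ssh-add -l >/dev/null 2>&1; then
        ssh-add -l | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# Remove key $1 again (ssh-add -d looks for the matching .pub file).
remove_key() {
    ssh-add -d "$1" >/dev/null 2>&1
}

# Stop the agent started by start_agent.
stop_agent() {
    ssh-agent -k >/dev/null 2>&1
}

# Stand-alone demo: key loaded for 2 seconds, gone by itself afterwards,
# then loaded for a minute and removed explicitly.
demo() {
    d=$(mktemp -d)
    start_agent || return 1
    k=$(make_test_key "$d")
    add_key_for "$k" 2
    echo "after add -t 2:   $(loaded_count) identity"
    sleep 3
    echo "3 seconds later:  $(loaded_count) identities"
    add_key_for "$k" 60
    remove_key "$k"
    echo "after add and -d: $(loaded_count) identities"
    stop_agent
    rm -rf "$d"
}
```

Call demo from a shell that has sourced the file. The agent started here is separate from the one in your X session, so ssh-add -l in another xterm is unaffected; note that -t also takes the day/hour/minute suffixes mentioned above, e.g. add_key_for "$k" 1h.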
Do note that ssh offers every key the agent holds, one after the other, until the server accepts one. With several keys loaded this can leave you with the message: Too many authentication failures for joffie (the server's MaxAuthTries limit, 6 by default). You can avoid that by specifying in the ~/.ssh/config file which key you want to use for which server. IdentityFile alone is not enough once an agent is running, because ssh still offers the agent's keys as well; IdentitiesOnly yes restricts it to the configured key:
bq. Host b10m
Hostname b10m.example.net
IdentityFile ~/.ssh/id_b10m_dsa
IdentitiesOnly yes
As you can see, you can use different keys for different servers. Instead of adding a single key as in the .xprofile snippet above, you can add them all in one go:
bq. ssh-add ~/.ssh/id_*_dsa </dev/null
**Update:** I changed authorized_keys2 to authorized_keys. The former has been deprecated.