Diffstat (limited to 'wired/old/published/Webmonkey/ssh_agent.txt')
-rw-r--r-- | wired/old/published/Webmonkey/ssh_agent.txt | 131 |
1 files changed, 131 insertions, 0 deletions
diff --git a/wired/old/published/Webmonkey/ssh_agent.txt b/wired/old/published/Webmonkey/ssh_agent.txt new file mode 100644 index 0000000..d2bcac3 --- /dev/null +++ b/wired/old/published/Webmonkey/ssh_agent.txt 
@@ -0,0 +1,131 @@ +When it comes to remote logins SSH is a wonderful tool, not only is it secure, it supports public/private key logins meaning that even if someone gets your password, without you private key it won't do them any good (and vice versa). + +However, if you've ever wanted to automate a remote login, for instance, to copy some files for [linktobackuptutorial backup purposes], you know that it's not easy to do an SSH login without a password. + +The easy option -- creating a key pair with no password -- is one of the worst ideas you could implement. It effectively destroys one of the primary benefits of using SSH since taking control of the local machine would give an attacker instant and easy access to your remote machine as well -- two for the price of one. + +The far better option is to use ssh-agent, which is far more secure an doesn't require you to abandon the added protection of using a password with your SSH keys. + +Unfortunately ssh-agent can be intimidating for newcomers and using it varies somewhat according to what operating system you use. + +But fear not my fellow monkeys, roll up your sleeves, grab a strong cup of coffee and we'll wade through ssh-agent. Bear in mind that we'll be using OpenSSH 2.0. If you're stuck with a host that uses v1, you'll need to make some adjustments. + +== What is SSH-Agent == + +OpenSSH, which ships with Mac OS X, most Linux distros and can even be had on Windows via the [http://www.cygwin.org/ CygWin toolset], has a number of lesser known helper components like ssh-agent. + +Ssh-agent acts as a broker which can store and manage private keys on your PC and, most importantly, responding to requests from remote systems to verify your keys. Whenever you login to your machine, you enter your password, which gives ssh-agent permission to store your keys. + +For that point on ssh-agent can handle the authentication requests from remote public keys without requiring you to unlock them each time with a password. 
It's important to understand that, behind the scenes, private keys never leave the agent. In other words they can't be snatched out by attackers. + +So to start the ssh-agent, just run it from the command line like so: + +<pre> +$ ssh-agent +SSH_AUTH_SOCK=/tmp/ssh-GCYVyDA3sj/agent.9551; export SSH_AUTH_SOCK; +SSH_AGENT_PID=9552; export SSH_AGENT_PID; +echo Agent pid 9552; +</pre> + +Okay so we know how to access it, but how do we use it for secure, password-less remote logins? + +== Create Your SSH Key Pair == + +The first step to using ssh-agent is to create an SSH key pair. To do that just run this command: + +<pre> +ssh-keygen -t rsa +</pre> + +When prompted for a password enter something decently long and secure. + +When SSH is done you should see a message like: +<pre> +Your identification has been saved in /home/yourusername/.ssh/id_rsa. +Your public key has been saved in /home/yourusername/.ssh/id_rsa.pub. +</pre> + +Now we need to add the public key (id_rsa.pub) to our web server. You can either do that using FTP and cut and paste the info into ~/.ssh/authorized_keys, or since your still in the shell, try this line, substituting your login info: + +cat ~/.ssh/id_rsa.pub | ssh username@server.com 'cat >> .ssh/authorized_keys' + +That will add the SSH key we just generated to your webserver's list of authorized keys, which means you can now login to your remote server from your home machine using the key pair rather than just a password. + +'''Note:''' If your remote server is running an older version of ssh, you may have to use the ~/.ssh/authorized_keys2 file. + +Try connecting to your remote server and you should see a message like this: + +<pre> +Enter passphrase for RSA key 'you@example.com': +</pre> + +If not, check with your hosting company and see if there's something peculiar about their setup and adjust your setup accordingly. 
+ +== Starting SSH-Agent == + +So I know what you're thinking, I just told you we'd bypass the password login, but we just added a password to our key pair -- what's up with that? + +This is where ssh-agent comes to our aid. + +The first thing you'll want to do is make sure that ssh-agent starts up whenever you login to your PC. As it turns out, this is one of the trickiest parts. + +=== Linux === + +Most Debian Linux variants (like Ubuntu) start ssh-agent automatically at login, but if not don't worry, you just need to add a line to your .xsession file (if you're not a gnome user, just substitute the windows manager of your choice): +<pre> +ssh-agent gnome-session +</pre> + +If Debian isn't your bag, check out the [http://gentoo-wiki.com/HOWTO_ssh-agent_the_easy_way ssh-agent tutorial on the Gentoo wiki]. + +=== Mac OS X === + +On Mac OS X there are two graphical programs which can handle the task for you (as well as some additional key management tasks). Check out [http://www.phil.uu.nl/~xges/ssh/ SSH Agent] or [http://www.sshkeychain.org/ SSHKeychain]. + +=== Windows === + +For Windows users the situation is more complex. The most popular method seems to use [http://www.chiark.greenend.org.uk/~sgtatham/putty/ PuTTY]. If you have some experience be sure to add it here. + +=== Custom Scripts === + +Each of these methods should get ssh-agent up and running in graphical environments. In case you need to access ssh-agent without logging into to window system, you can manually set two environment variables: SSH_AUTH_SOCK and SSH_AGENT_PID. + +To do that we'll use a shell script that we'll add to our shell login script. there are several ways you can do this, but script I use comes from Mark A. Hershberger, who has three variations available in his [http://mah.everybody.org/docs/ssh tutorial on ssh-agent]. + +Here's the outline of the script, you may need to adjust the paths depending on your setup. 
+ +<pre> +#!/bin/sh +SSHAGENT=/usr/bin/ssh-agent +SSHAGENTARGS="-s" +if [ -z "$SSH_AUTH_SOCK" -a -x "$SSHAGENT" ]; then + eval `$SSHAGENT $SSHAGENTARGS` + trap "kill $SSH_AGENT_PID" 0 +fi +</pre> + +Just add that script to your ~./profile startup script and you'll have ssh-agent access even without a graphical login. + +== Adding the Keys to SSH-Agent == + +Now we just need to add the keys we created earlier to ssh-agent. Thankfully that's a one liner: + +<pre> +ssh-add ~/.ssh/id_rsa +</pre> + +Type your password for the last time and now you should be able to perform remote logins without a password. + +Test it out: + +<pre> +ssh username@example.com +</pre> + +Assuming that works you're good to go. The only thing to remember is that if you restart your machine you'll need to enter your password once to get the ssh-agent session started. + +'''Tip:''' if you're running some cron scripts that do remote logins (one of the main points of ssh-agent) consider creating a separate key pair for those logins. It adds another layer of security and you can use the additional <code>command</code> argument in your authorized_keys file to limit what those logins can do (see [tutorial on remote backups] for more info on limiting script access. + +== Conclusion == + +So now we've securely overcome the old password problem for remote logins. If you're having trouble or want to learn more about ssh-agent, check out [http://mah.everybody.org/docs/ssh Mark Hershberger's tutorial] and be sure to read Steve Friedl's [http://www.unixwiz.net/techtips/ssh-agent-forwarding.html Illustrated Guide to SSH Agent Forwarding] for more on how SSH and ssh-agent work. |
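Review bot: the claim in the "What is SSH-Agent" section that "private keys never leave the agent. In other words they can't be snatched out by attackers" overstates the protection and contradicts the earlier paragraph about a compromised local machine; the agent keeps the decrypted keys in memory, and any process that can reach the socket named in SSH_AUTH_SOCK (root, or anything running as the same user) can sign with them without the passphrase for as long as they are loaded, so the sentence should say the agent stops the key file itself from being copied and used elsewhere, not that local compromise is harmless, and the closing tip about cron should mention that a cron job does not inherit SSH_AUTH_SOCK from the login shell and that the "Custom Scripts" snippet's `trap "kill $SSH_AGENT_PID" 0` terminates the agent when that shell exits, so the suggested unattended use needs either a long-lived agent or the separate, command-restricted key the tip already recommends. Smaller fixes in the same hunk: "Just add that script to your ~./profile" should read `~/.profile`; "For that point on" should be "From that point on"; "far more secure an doesn't" should be "and doesn't"; "since your still in the shell" should be "you're"; "OpenSSH 2.0" in the introduction presumably means SSH protocol version 2, which is how the following sentence about "a host that uses v1" reads; and the parenthesis opened at "(see [tutorial on remote backups]" in the tip is never closed.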