
Recipe 17.6. Passwordless Logins with ssh-agent

17.6.1 Problem

Typing passwords is a pain, and typing passphrases is even worse. You want to set up OpenSSH to open connections without having to enter a passphrase, and you want it to still be secure.

17.6.2 Solution

First, set up your private/public keys as in Recipe 17.3. Then use ssh-agent. ssh-agent handles authentication requests while you are gallivanting about the world, SSH-ing into various systems. You'll enter your passphrase once, at the beginning of your SSH session; when you log out of the session, you'll have to start over.

ssh-agent won't enable you to schedule SSH transfers from cron—see Recipe 17.8 to learn how to do this.

First, start up ssh-agent. You must name the shell you want to use:

$ ssh-agent bash

You'll be returned to a normal-looking prompt. Now run ssh-add. This will load all of the keys in your ~/.ssh directory:

$ ssh-add

Enter passphrase for /home/jenn/.ssh/id_rsa:

Identity added: /home/jenn/.ssh/id_rsa (/home/jenn/.ssh/id_rsa)

Enter passphrase for /home/jenn/.ssh/apache_key:

Identity added: /home/jenn/.ssh/id_dsa (/home/jenn/.ssh/apache_key)

Now you can log into any of your SSH hosts without entering a passphrase:

jenn@windbag:$ ssh powerpc

Linux powerpc 2.4.21 #1 Sun Aug 3 20:15:59 PDT 2003 i686 GNU/Linux

Libranet GNU/Linux


Last login: Wed Feb  7 18:28:20 2004 from windbag.test.net

jenn@powerpc:~$

To shut down ssh-agent, just exit out of the ssh-agent shell:

$ exit

17.6.3 Discussion

Because the passphrases and keys are tied to a particular Bash shell process, they'll disappear when you log out of the ssh-agent shell. If you open a second shell to start another ssh-agent, you'll have to enter your passphrase again, even if the first one is still active.
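Because the agent is reached through the SSH_AUTH_SOCK variable, a second shell can reuse the first agent instead of starting its own and prompting for the passphrase again. The helper below is an added example, not part of the recipe: it saves the agent's environment to a file (the path ~/.ssh/agent.env is an assumption) so that other shells can source it, and only starts a fresh agent when no reachable one exists. The file holds only the socket path and PID; the keys themselves never leave the agent.

```shell
#!/bin/sh
# Added example: share one ssh-agent across several shells.
# AGENT_ENV is an assumed location for the saved agent environment.
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# Return 0 when SSH_AUTH_SOCK names an existing agent socket, 1 otherwise.
# (Run from the local agent shell; on a remote host this fails, which is
# the "Could not open a connection to your authentication agent" case.)
agent_reachable() {
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Source a previously saved agent environment and report whether the
# agent it points at is still alive.
load_saved_agent() {
    [ -r "$AGENT_ENV" ] || return 1
    # The file is in ssh-agent's own sh-style format (export lines).
    . "$AGENT_ENV" >/dev/null
    agent_reachable
}

# Start a new agent, save its environment readable by the owner only,
# and load the default identities (prompts for the passphrase once).
start_agent() {
    umask 077
    ssh-agent -s > "$AGENT_ENV" || return 1
    . "$AGENT_ENV" >/dev/null
    ssh-add
}

# Entry point for a login script: reuse the current shell's agent, then a
# saved one, and only then start a new agent.
ensure_agent() {
    agent_reachable && return 0
    load_saved_agent && return 0
    start_agent
}
```

Call `ensure_agent` from your shell startup file, and every new terminal will pick up the already-unlocked keys.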

You can see what keys are being used by ssh-agent:

$ ssh-add -l

1024 65:91:77:71:24:66:46:ea:cb:00:fe:83:ad:b8:4a:34 /home/jenn/.ssh/id_rsa (RSA)

1024 da:f7:27:6a:37:4e:a5:bb:1d:00:c7:a8:e9:fe:23:d8 /home/jenn/.ssh/apache_key (RSA)

You'll need to be back in the local ssh-agent shell for this to work, and not logged into a remote host. When you are logged in to a remote host, the remote host controls your terminal, and you'll get the "Could not open a connection to your authentication agent" error message.

You can specify a particular key to load:

$ ssh-add /home/jenn/adminkeys/id_rsa_http

or you can delete a key from the active ssh-agent session (this does not delete the key from your system):

$ ssh-add -d /home/jenn/.ssh/id_dsa

Identity removed: /home/jenn/.ssh/id_dsa (/home/jenn/.ssh/id_dsa.pub)

To delete all keys, use:

$ ssh-add -D

All identities removed.

17.6.4 See Also

  • ssh(1), ssh-add(1), ssh-agent(1)

  • SSH, The Secure Shell: The Definitive Guide
