[Tipz] ssh-agent for the impatient

Ian Langworth bass at ccs.neu.edu
Thu Oct 30 20:25:07 EST 2003


(I'm pretty sure the details are correct -- feel free to correct me.)

GOAL: 

    When you log into a CCS machine you want a little dialog to
    come up and ask you for a passphrase. With the correct
    passphrase you would then be able to shell into any other
    machine without using a password. The magic ends when you
    log out of the console.

SOLUTION:

    First, if you haven't already, generate your public and
    private ssh keys. Do this by running:

        ssh-keygen -t dsa

    ...and accept the defaults. You should now have an "id_dsa" and
    an "id_dsa.pub" in your ~/.ssh directory. Copy the id_dsa.pub
    to any machines you want to shell to as
    "~/.ssh/authorized_keys2", such as:

        cp ~/.ssh/id_dsa.pub ~/.ssh/authorized_keys2

        scp ~/.ssh/id_dsa.pub somehost:.ssh/authorized_keys2

    (Remember -- id_dsa is your _private_ key -- guard it with
    your life. You can put your public key, id_dsa.pub,
    anywhere.)
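    One thing the cp/scp lines above do not handle: they replace
    whatever authorized_keys2 the target already has. Here is an
    added example (mine, not Ian's) of a small sh function that
    appends the key only if that exact line is not already present
    and sets the modes sshd's StrictModes insists on. It takes the
    two file paths as arguments, and assumes OpenSSH's default of
    reading both ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2,
    so either file name works.

```shell
#!/bin/sh
# Added example, not from the original post: put a public key into an
# authorized_keys(2) file without clobbering keys already in it.
# Assumptions: paths are passed in explicitly; OpenSSH reads both
# ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2 by default, so the
# file name the post uses works as well as the newer one.

# install_pubkey PUBKEY_FILE AUTH_FILE
#   Creates AUTH_FILE's directory (0700) and AUTH_FILE (0600) if needed, then
#   appends the key line unless that exact line is already present.
#   Returns 0 on success, 1 if PUBKEY_FILE is missing or empty.
install_pubkey() {
    pub=$1
    auth=$2
    [ -s "$pub" ] || return 1
    key=$(head -n 1 "$pub")          # ssh-keygen writes exactly one line
    dir=$(dirname "$auth")
    mkdir -p "$dir"
    chmod 700 "$dir"                 # sshd (StrictModes) refuses looser modes
    ( umask 077; : >> "$auth" )      # create empty if absent, never truncate
    chmod 600 "$auth"
    # -F fixed string, -x whole line, -q quiet: an exact-match test
    if ! grep -F -x -q -- "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
    return 0
}

# count_keys AUTH_FILE: number of key entries (lines not blank or '#').
count_keys() {
    grep -c '^[^#[:space:]]' "$1"
}

# Typical local use (on a remote host, copy the script over and run the
# same function there):
#   install_pubkey ~/.ssh/id_dsa.pub ~/.ssh/authorized_keys2
```

    Running it twice with the same key leaves one entry, which is
    the point: you can re-run it on every host without ending up
    with duplicates or a world-readable file.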

    Next, move your .xsession to a separate file, for example
    ~/bin/xsession-real. Then set your .xsession to run the real
    script through ssh-agent, like this:

        #!/bin/sh
        # ssh-agent runs xsession-real as its child and exits (taking
        # the loaded keys with it) when that script, i.e. the X
        # session, ends.
        exec ssh-agent "$HOME/bin/xsession-real"

    (Make sure your new .xsession is executable.)

    In your real xsession script, put the following:

        # start my ssh agent
        os=`uname -s`
        if [ "x$os" = "xSunOS" ]; then
            # thanks, zach!
            SSH_ASKPASS=/home/bass/bin/ssh-askpass.SunOS
        else
            SSH_ASKPASS=ssh-askpass
        fi
        export SSH_ASKPASS
        # (SSH_AGENT is not a variable OpenSSH reads; the wrapper's
        # SSH_AUTH_SOCK/SSH_AGENT_PID are what ssh and ssh-add use.)
        SSH_AGENT=ssh-agent
        export SSH_AGENT
        # ssh-add only pops up SSH_ASKPASS when stdin is not a terminal
        # and DISPLAY is set; the </dev/null takes care of the first part.
        ssh-add "$HOME/.ssh/id_dsa" </dev/null

    (The ssh-askpass.SunOS was compiled by Zach Joress and works
    nicely with Solaris. I suggest you copy it to your own home
    directory and modify that line appropriately.)

    That's it -- log out of the console and log back in again.
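    An added example (mine, not from the post) of the same rule,
    agent starts with the session and dies with it, written as sh
    functions you can source from a login script instead of going
    through the exec wrapper, plus a cap on how long the decrypted
    key stays loaded. It assumes OpenSSH's ssh-agent/ssh-add and the
    SSH_ASKPASS/DISPLAY setup above; the 8-hour default is my choice.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSH ssh-agent and
# ssh-add, and that SSH_ASKPASS/DISPLAY are set up as in the xsession script.

# agent_alive: 0 if SSH_AUTH_SOCK points at a socket an agent answers on.
# ssh-add -l exits 0 with keys loaded, 1 with an empty agent, 2 if the agent
# cannot be reached, so only status 2 counts as "dead".
agent_alive() {
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ] || return 1
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -ne 2 ]
}

# start_agent: reuse a reachable agent, otherwise start one and export
# SSH_AUTH_SOCK / SSH_AGENT_PID into the current shell.
start_agent() {
    agent_alive && return 0
    eval "$(ssh-agent -s)" >/dev/null || return 1
    agent_alive
}

# add_key KEYFILE [SECONDS]: load the key through SSH_ASKPASS. stdin from
# /dev/null is what makes ssh-add use the dialog rather than a terminal.
# The key is dropped from the agent after SECONDS (ssh-add -t) even if the
# session outlives it; 28800 (8 h) is an assumed working-day default.
add_key() {
    [ -n "$DISPLAY" ] || echo "add_key: DISPLAY is unset, no dialog will appear" >&2
    ssh-add -t "${2:-28800}" "$1" </dev/null
}

# stop_agent: wipe the loaded keys and kill the agent we started. Hook it to
# the end of the session, e.g. `trap stop_agent EXIT` in xsession-real.
stop_agent() {
    [ -n "$SSH_AGENT_PID" ] || return 0
    ssh-add -D >/dev/null 2>&1 || :
    eval "$(ssh-agent -k)" >/dev/null
}

# Session skeleton (commented out so this file can be sourced for its functions):
#   start_agent && trap stop_agent EXIT
#   add_key "$HOME/.ssh/id_dsa"
#   your-window-manager      # run it, don't exec it, or the EXIT trap never fires
```

    The -t lifetime is the part worth copying even if you keep the
    exec wrapper: a session left logged in overnight then no longer
    means a key that answers for you overnight.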

BONUS!

    If you want to ssh/scp without a password from one remote
    machine to another (neither of them the one you're sitting
    at), you can use "agent forwarding." This will work if the
    machines you're jumping around to all have the same public
    key in authorized_keys2 (I think). Run this:

        echo "ForwardAgent yes" >>~/.ssh/config

    Try this out, it's really cool.
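    A word on that one-liner, with an added example that is mine,
    not Ian's. "ForwardAgent yes" for every host means anyone who
    can bypass file permissions on a box you ssh into (root, say)
    can use your forwarded agent to log in as you elsewhere for as
    long as you are connected, so it is worth allowing it only for
    the hosts you actually hop through. Also, ssh_config takes the
    first matching value for each option, and the echo appends at
    the end of the file: if your config already has Host blocks the
    new line lands inside the last one instead of applying to all
    hosts. The functions below print a restricted config and replay
    ssh's first-match lookup so you can check what a given host
    gets; the host names in the comments are made up.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSH ssh_config
# semantics: the first value found for an option wins, and a Host line
# starts a section that runs until the next Host (or Match) line.

# forwarding_config HOST_PATTERN...: print a config that forwards the agent
# only to the named hosts/patterns and refuses it for everything else.
# Specific blocks must precede "Host *" or the "*" block would win first.
forwarding_config() {
    for h in "$@"; do
        printf 'Host %s\n    ForwardAgent yes\n\n' "$h"
    done
    printf 'Host *\n    ForwardAgent no\n'
}

# effective_forward_agent HOST FILE: print yes or no, the value ssh would
# apply for HOST, by replaying FILE with first-match semantics. Handles the
# '*' and '?' wildcards of Host patterns; negated (!) patterns, Match blocks
# and the Key=Value spelling are not modelled. Default is no, as in ssh.
effective_forward_agent() {
    awk -v host="$1" '
        function glob_to_re(p,   i, c, r) {
            r = "^"
            for (i = 1; i <= length(p); i++) {
                c = substr(p, i, 1)
                if (c == "*")      r = r ".*"
                else if (c == "?") r = r "."
                else if (c == ".") r = r "[.]"
                else               r = r c
            }
            return r "$"
        }
        BEGIN { matched = 1 }                # lines before any Host apply to all
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # comments and blank lines
        tolower($1) == "host" {
            matched = 0
            for (i = 2; i <= NF; i++)
                if (host ~ glob_to_re($i)) matched = 1
            next
        }
        matched && !found && tolower($1) == "forwardagent" {
            print tolower($2); found = 1
        }
        END { if (!found) print "no" }
    ' "$2"
}

# Typical use (hosts and path are placeholders):
#   forwarding_config gateway.example 'login*.example' > ~/.ssh/config.new
#   effective_forward_agent gateway.example ~/.ssh/config.new
#   effective_forward_agent somewhere-else.example ~/.ssh/config.new
```

    Writing to a scratch file and checking it with the second
    function before moving it into place is the habit to keep; "ssh
    -A host" does the same per-connection if you would rather not
    touch the config at all.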

Enjoy!

-- 
Ian Langworth
Project Guerrilla
Northeastern University
College of Computer and Information Science
