[Tipz] ssh-agent for the impatient
Ian Langworth
bass at ccs.neu.edu
Thu Oct 30 20:25:07 EST 2003
(I'm pretty sure the details are correct -- feel free to correct me.)
GOAL:
When you log into a CCS machine you want a little dialog to
come up and ask you for a passphrase. With the correct
passphrase you would then be able to shell into any other
machine without using a password. The magic ends when you
log out of the console.
SOLUTION:
First, if you haven't already, generate your public and
private ssh keys. Do this by running:

    ssh-keygen -t dsa

...and accept the defaults. You should now have "id_dsa" and
"id_dsa.pub" in your ~/.ssh directory. Copy id_dsa.pub
to any machines you want to shell to as
"~/.ssh/authorized_keys2", such as:

    cp ~/.ssh/id_dsa.pub ~/.ssh/authorized_keys2
    scp ~/.ssh/id_dsa.pub somehost:.ssh/authorized_keys2

(Remember -- id_dsa is your _private_ key -- guard it with
your life. You can put your public key, id_dsa.pub,
anywhere.)
Next, move your .xsession to a separate file, like
~/bin/xsession-real for example. Then set your .xsession
to run the real script through ssh-agent, like this:

    #!/bin/sh
    exec ssh-agent $HOME/bin/xsession-real

(Make sure your new .xsession is executable.)
In your real xsession script, put the following:

    # start my ssh agent
    os=`uname -s`
    if [ "x$os" = "xSunOS" ]; then
        # thanks, zach!
        SSH_ASKPASS=/home/bass/bin/ssh-askpass.SunOS
    else
        SSH_ASKPASS=ssh-askpass
    fi
    export SSH_ASKPASS
    SSH_AGENT=ssh-agent
    export SSH_AGENT
    ssh-add $HOME/.ssh/id_dsa </dev/null

(The ssh-askpass.SunOS was compiled by Zach Joress and works
nicely with Solaris. I suggest you copy it to your own home
directory and modify that line appropriately.)
That's it -- log out of the console and log back in again.
BONUS!
If you want to be able to scp/ssh passwordless from
a machine you're not on to another machine you're not on you
can use "agent forwarding." This will work if the machines
you're jumping around to all have the same public key in
authorized_keys2 (I think). Run this:

    echo "ForwardAgent yes" >>~/.ssh/config

Try this out, it's really cool.
Enjoy!
--
Ian Langworth
Project Guerrilla
Northeastern University
College of Computer and Information Science
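
Added example (not part of the original post): a shell check over the files this tip creates. It flags a private key accessible to group/other, an authorized_keys2 writable by group/other, and a "ForwardAgent yes" line that applies to every host instead of a single Host block. The function names and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. File names follow the post;
# function names and the sample directory are constructed for illustration.

# Group+other permission characters of a path, e.g. "r--r--".
go_bits() { ls -ld "$1" | cut -c5-10; }

# audit_ssh_dir DIR: print one finding per line for the files the tip creates.
audit_ssh_dir() {
    dir=$1
    # The private key must not be accessible to group or other.
    if [ -f "$dir/id_dsa" ] && [ "$(go_bits "$dir/id_dsa")" != "------" ]; then
        echo "id_dsa: accessible to group/other"
    fi
    # A writable authorized_keys2 lets another local user append their own key.
    if [ -f "$dir/authorized_keys2" ]; then
        case $(go_bits "$dir/authorized_keys2") in
            ?w????|????w?) echo "authorized_keys2: writable by group/other" ;;
        esac
    fi
    # ForwardAgent outside any Host block, or under "Host *", forwards the
    # agent to every host you connect to. Only the first pattern on a Host
    # line is examined (a simplification).
    if [ -f "$dir/config" ]; then
        awk '
            { key = tolower($1) }
            key == "host" { scope = $2 }
            key == "forwardagent" && tolower($2) == "yes" &&
                (scope == "" || scope == "*") {
                print "config: ForwardAgent yes applies to every host"
            }' "$dir/config"
    fi
    return 0
}

# Constructed sample: the layout left by following the tip verbatim,
# except that the key file's mode has been loosened to 644.
make_sample() {
    d=$(mktemp -d) || return 1
    echo "constructed-private-key" > "$d/id_dsa"
    chmod 644 "$d/id_dsa"
    echo "constructed-public-key" > "$d/authorized_keys2"
    chmod 600 "$d/authorized_keys2"
    echo "ForwardAgent yes" >> "$d/config"
    echo "$d"
}

sample=$(make_sample) && audit_ssh_dir "$sample"
rm -rf "$sample"
```

To check a real setup, call audit_ssh_dir "$HOME/.ssh"; no output means none of the three conditions was found.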