Passphrase for ssh-keys
<yambe:breadcrumb>OpenSSH server configuration|OpenSSH</yambe:breadcrumb>
Passphrase for ssh-keys
When our public key, private key etc. can be used to access some sensitive information that it makes sense to protect our keys with some passphrase. If you already have keys without passphrase then you can set passphrase for them using
ssh-keygen -p
The same command can be used to change passphrase for existing keys.
Using agent for authentication
Now when one uses key based authentication he/she is asked for passphrase for key based authentication to work. If we are going to use key based authentication a lot then this asking of passphrase so many times can be irritating. To solve that problem replace current shell with ssh-agent using:
exec $(which ssh-agent) $SHELL
then use
ssh-add
command and enter passphrase only once. Now shell would remember the passphrase and you can ssh to various servers with keys protected by passphrase without requiring to enter passphrase for each login. ssh-agent started in this manner automatically closes whenever shell exits, so we do not have to worry about security problems because of added keys once we have exited shell.
To execute ssh-agent automatically on remote machines during SSH use:
eval `ssh-agent -s`
in ~/.bashrc. This was learned from http://stackoverflow.com/questions/17846529/could-not-open-a-connection-to-your-authentication-agent
Using Agent Forwarding for convenient ssh from remote machines
Consider situation where Client C1 has key based access to servers S1 and S2. Now if client tries to connect to S1 using SSH the agent can authorized the client and connection would get established without needing any password. But now if client tries to SSH to S2 from S1 then client would be forced to enter password as the clients key located on C1 is not automatically used by S1. To use C1's key while C1 is connected to S1, one can use 'ForwardAgent' option such as:
ssh -X root@<S1> -o 'ForwardAgent=yes'
This assumes two things:
- authorized_keys file on S1 does not restricts agent-forwarding. See Configuring authorized_keys file for public key based access
- connection to S1 is established using agent after using 'exec $(which ssh-agent) $SHELL' and 'ssh-add' and not directly.
Now if client tries to SSH to S2 then the keys located on clients machine can be used for authentication with the help of a local agent. More information on this can be read from http://www.unixwiz.net/techtips/ssh-agent-forwarding.html
Obtaining fingerprint of existing keys
To obtain fingerprint of existing keys use:
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
<yambe:breadcrumb>OpenSSH server configuration|OpenSSH</yambe:breadcrumb>