Sun 9 Dec 2007
The Problem: There are a bunch of servers I need to log in to almost daily using ssh, all with different login names and passwords. I also want to secure-copy data between them and access one server from another.
The Wish: One password for a group of servers, typed only once when I log in to the local X session.
A Solution: Set up passphrase-protected private/public key pairs. Run your window manager from ssh-agent and type the passphrases into a dialog that ssh-add triggers at window manager startup. Use ssh-agent's forwarding feature to make the local identities available on the remote hosts (and, from a bridge host, on hosts behind it). Of course you also need to install your public key on the remote hosts.
So it goes:
- Install x11-ssh-askpass (Ubuntu package ssh-askpass).
- Create key pairs and protect them with a (hopefully) strong passphrase:
    ~/.ssh$ mkdir mykeys
    ~/.ssh$ cd mykeys
    ~/.ssh/mykeys$ ssh-keygen -t dsa
    Generating public/private dsa key pair.
    Enter file in which to save the key (/home/me/.ssh/id_dsa): /home/me/.ssh/mykeys/gebewau_dsa
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/me/.ssh/mykeys/gebewau_dsa.
    Your public key has been saved in /home/me/.ssh/mykeys/gebewau_dsa.pub.
    The key fingerprint is:
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    ~/.ssh/mykeys$ chmod 600 *
DSA was the usual choice in 2007; OpenSSH has disabled ssh-dss keys by default since version 7.0, so on a current system use ssh-keygen -t ed25519 instead. Everything else in this post applies unchanged.
To use the keys it is necessary to set strict permissions on the files: ssh refuses a private key that is readable by group or others.
- Edit your .xinitrc (on Ubuntu ssh-agent is running by default, see the post SSH on Ubuntu, SSH-Agent Is Running per Default) so that it reads:
    #!/bin/bash
    exec ssh-agent sh -c '{ for f in /home/kostja/.ssh/mykeys/*_dsa ; do ssh-add "$f" </dev/null ; done ; } && exec startkde'
This starts ssh-agent once for the whole session. ssh-agent runs a shell, which in turn executes the command enclosed in the single quotes: for each private key in the mykeys directory, ssh-add asks for the passphrase. Because stdin is redirected from /dev/null, ssh-add has no terminal to read from and instead runs the program named in the SSH_ASKPASS environment variable, here x11-ssh-askpass, which opens the passphrase dialog (this also requires DISPLAY to be set, which it is inside the X session). On Ubuntu the variable does not seem to be necessary; elsewhere set it, for example:
    # Set the location of the x11-ssh-askpass binary
    export SSH_ASKPASS=/usr/local/libexec/x11-ssh-askpass
Note that putting this line in ~/.bashrc alone does not help the .xinitrc above: a script started with #!/bin/bash is non-interactive and does not read ~/.bashrc, so export the variable in .xinitrc itself, before the exec line.
On success, i.e. once every ssh-add has returned zero, startkde is executed. If you cancel one of the dialogs, that ssh-add fails, the && short-circuits and the X session does not start; replacing the && with ; starts the session regardless. For a fuller description of running the session independently of the passphrase dialogs, see Simplifying SSH access using an agent.
- Configure your ssh client to use agent forwarding by creating and editing the configuration file ~/.ssh/config. An example:
    # selfmade OpenSSH ssh client configuration file will
    # override the system config file in /etc/ssh/ssh_config
    #
    # Config options are unioned over all matching host
    # entries, first config option wins
    Host xxx.gebewau.de
        # with this user setting you only have to type
        # ssh xxx.gebewau.de to connect
        User me
    Host *.gebewau.de
        # don't need this if identity is added by ssh-add
        # IdentityFile ~/.ssh/mykeys/gebewau_dsa
        # next two settings have security issues, see man:ssh_config
        ForwardAgent yes
        ForwardX11 yes
    Host *
        CheckHostIP yes
        Compression yes
        StrictHostKeyChecking ask
        SetupTimeOut 300
        ServerAliveInterval 300
Values from ~/.ssh/config take precedence over /etc/ssh/ssh_config simply because the user file is read first and the first value found for an option wins; the system file is still consulted for everything the user file leaves unset. Put specific Host entries before patterns like *.gebewau.de for the same reason.
- Install your public key in the remote machine's authorized_keys. You can scp the .pub file to the remote server and then, on the server, run:
    cat gebewau_dsa.pub >> .ssh/authorized_keys
Or use
    ssh-copy-id -i ~/.ssh/mykeys/gebewau_dsa.pub user@xxx.gebewau.de
which also sets the right permissions on the server's ~/.ssh directory (with StrictModes, sshd's default, authorized_keys is ignored if ~/.ssh, the file itself or your home directory is writable by group or others).
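The steps above pulled together into one script, as an added example (this is not the post's own .xinitrc or code). It assumes keys live in ~/.ssh/mykeys and are named <group>_ed25519 instead of the post's DSA (OpenSSH disables ssh-dss by default since 7.0), that the askpass binary is /usr/bin/ssh-askpass, and that the session command is startkde as in the post. install_pubkey is the server-side half of ssh-copy-id, made idempotent and with a guard against appending the wrong file.

```sh
#!/bin/sh
# Added example, not code from the original post: the key, agent and
# authorized_keys steps as shell functions.  Assumptions: keys live in
# ~/.ssh/mykeys and are named <group>_ed25519; /usr/bin/ssh-askpass is
# the dialog program; startkde is the session command, as in the post.

# make_key KEYDIR NAME [ssh-keygen options]: create KEYDIR/NAME_ed25519
# and its .pub.  ssh-keygen asks for the passphrase interactively unless
# -N is passed; the private key must be mode 600 or ssh refuses it.
make_key() {
    keydir=$1; name=$2; shift 2
    mkdir -p "$keydir" && chmod 700 "$keydir"
    ssh-keygen -t ed25519 -C "$name" -f "$keydir/${name}_ed25519" "$@"
    chmod 600 "$keydir/${name}_ed25519"
}

# load_keys KEYDIR: add every *_ed25519 key in KEYDIR to the running
# agent and print how many were loaded.  Stdin comes from /dev/null so
# ssh-add has no terminal and asks for the passphrase through the
# SSH_ASKPASS program (needs DISPLAY).  -c marks the key "confirm before
# use": every signature request, including one arriving through a
# forwarded agent connection, first pops up a local dialog.  A cancelled
# dialog skips that key instead of aborting the whole session.
load_keys() {
    keydir=$1; n=0
    for f in "$keydir"/*_ed25519; do
        [ -f "$f" ] || continue
        if ssh-add -c "$f" </dev/null; then
            n=$((n + 1))
        else
            echo "skipping $f" >&2
        fi
    done
    echo "$n"
}

# install_pubkey PUBFILE [HOMEDIR]: what ssh-copy-id does on the server,
# idempotently.  Refuses anything that does not look like a public key
# line (appending the private key by mistake is a classic), appends only
# if the key blob is not already present, and sets the modes that sshd's
# StrictModes (the default) requires.
install_pubkey() {
    pub=$1; home=${2:-$HOME}
    sshdir=$home/.ssh; ak=$sshdir/authorized_keys
    case $(awk 'NR == 1 { print $1 }' "$pub") in
        ssh-*|ecdsa-*|sk-*) ;;
        *) echo "$pub: not an OpenSSH public key" >&2; return 1 ;;
    esac
    blob=$(awk 'NR == 1 { print $2 }' "$pub")
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$ak" && chmod 600 "$ak"
    if grep -qF -- "$blob" "$ak"; then
        return 0                     # already installed, nothing to do
    fi
    cat "$pub" >> "$ak"
}

# The .xinitrc logic: one agent for the session, keys loaded through the
# askpass dialog, the session started whether or not every key loaded,
# and the agent killed when the session ends.  Runs only with --start-session.
start_session() {
    export SSH_ASKPASS="${SSH_ASKPASS:-/usr/bin/ssh-askpass}"   # assumed path
    eval "$(ssh-agent -s)" >/dev/null
    load_keys "$HOME/.ssh/mykeys" >/dev/null
    startkde
    ssh-agent -k >/dev/null
}

if [ "${1:-}" = "--start-session" ]; then
    start_session
fi
```

Run it with --start-session from .xinitrc. Loading with ssh-add -c is the practical answer to the forwarding caveat quoted further down: a remote host can still ask the forwarded agent to sign, but nothing happens until you click OK in the local dialog.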
To use agent forwarding you have to pass ssh -A or enable ForwardAgent in .ssh/config on the local client; that is what makes the local agent available on the bridge server. The ssh client on the bridge picks the forwarded agent up automatically from SSH_AUTH_SOCK and only needs ForwardAgent itself if you hop on once more from the next host. The bridge's client will default to the user name you used to log in to the bridge, so set the appropriate user names in the bridge's .ssh/config or give the name explicitly: ssh forwardeduser@over-the-bridge.gebewau.de.
Note about loading several matching identities into ssh-add:
If several loaded identities are valid for the same host, ssh offers them in turn and the server accepts the first valid one, so only that identity ever gets used for that host; the -i command line option does not change this, because it only adds a key to the list of candidates and does not exclude the agent's other keys.
So if you have two SSH identities valid on one server and care which of them is used, either do not load both into the agent, or set IdentitiesOnly yes (together with IdentityFile) for that host in your client config, which makes ssh offer only the listed key even though the agent holds more.
Security remark regarding forwarding, from man ssh_config:
Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent’s Unix-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.
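As an added example, not from the post: a client configuration that keeps the post's layout but answers the remark above by forwarding the agent only to the bridge host, reaching the host behind it with ProxyJump instead of a forwarded agent, and pinning one identity per host group (the IdentitiesOnly point from the note above). Host names are the post's placeholders; the key path is an assumption. The resolve function asks ssh with -G (OpenSSH 6.8 or later) what it would actually use for a host, without connecting, so you can check that forwarding really is off for everything except the bridge.

```sh
#!/bin/sh
# Added example, not code from the original post.  write_config produces
# a ~/.ssh/config in the post's layout that forwards the agent only to
# the bridge host, reaches the host behind it with ProxyJump, and pins
# one identity per host group.  resolve asks ssh (-G, OpenSSH 6.8+) what
# it would actually use for a host, without connecting.  Host names are
# the post's placeholders; the key path is an assumption.

write_config() {
    cfg=$1
    cat > "$cfg" <<'EOF'
# First value found for an option wins, so specific hosts go before patterns.

Host bridge.gebewau.de
    User me
    # The one host that may talk to the local agent.  Keys loaded with
    # ssh-add -c still require a local confirmation for every use.
    ForwardAgent yes

Host over-the-bridge.gebewau.de
    User forwardeduser
    # The local ssh opens a stdio tunnel through the bridge (ssh -W) and
    # authenticates to this host itself, so the agent is never exposed
    # on the bridge.  Needs OpenSSH 7.3 or later locally.
    ProxyJump bridge.gebewau.de

Host *.gebewau.de
    # Offer only this key even if the agent holds others (see the note
    # about several matching identities).
    IdentityFile ~/.ssh/mykeys/gebewau_ed25519
    IdentitiesOnly yes

Host *
    ForwardAgent no
    ForwardX11 no
    CheckHostIP yes
    StrictHostKeyChecking ask
    ServerAliveInterval 300
EOF
    chmod 600 "$cfg"
}

# resolve CFG HOST OPTION: print the value ssh would use for OPTION
# (lowercase, as ssh -G prints it) when connecting to HOST, with CFG as
# the only configuration file (-F makes ssh skip /etc/ssh/ssh_config).
resolve() {
    cfg=$1; host=$2; option=$3
    ssh -F "$cfg" -G "$host" | awk -v k="$option" '$1 == k { print $2; exit }'
}

# check_forwarding CFG HOST: status 0 when agent forwarding is off for
# HOST, 1 when it is on.  Run it over every host you can reach to make
# sure only the bridge gets the agent.
check_forwarding() {
    [ "$(resolve "$1" "$2" forwardagent)" = no ]
}
```

ProxyJump makes the local ssh open a stdio tunnel through the bridge and authenticate to the inner host itself, so the bridge never sees the agent; the bridge only needs ForwardAgent when you must run ssh or scp on it with your keys. With IdentitiesOnly set, ssh still takes the listed key from the agent if it is loaded there, so the passphrase dialog is not asked again.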
Links:
- OpenSSH key management, Part 3 – third part of a good article series, with a clear illustration of agent forwarding.
- Remote Access – well structured SSH overview
- Top Ten Secure Shell FAQs
- SSH Book
- ssh-agent/ssh-add question – useful post about configuring ssh-add/ssh-agent on X startup
November 19th, 2008 at 6:28 pm
Nice blog, I really like your writing style; it is really interesting to read your articles.
November 20th, 2008 at 3:03 am
[...] is an addition to my post Convenient SSH on Linux, because I was surprised to find that KDE is run from ssh-agent per [...]
February 5th, 2009 at 4:38 pm
If you have just one key and the passphrase for the key and your login password are identical, you can simplify a little more by following these steps:
1) Install the package "libpam-ssh".
2) In the files /etc/pam.d/login (for the terminal) and /etc/pam.d/kdm (for the graphical interface) add "@include pam-ssh-auth" before the "@include common-auth" line and add "@include pam-ssh-session" after "@include common-session".
After this you just have to log in, and the same password is used for your ssh passphrase...