ssh


This is an addition to my post Convenient SSH on Linux, because I was surprised to find that KDE is run from ssh-agent by default.

# ps aux | grep ssh-agent
userx    6784  0.0  0.0   4480   816 ?        Ss   19:02   0:00 /usr/bin/ssh-agent /usr/bin/gpg-agent --daemon --sh --write-env-file=/home/userx/.gnupg/gpg-agent-info-myhome /usr/bin/startkde

So, first, how can you disable this?

In /etc/X11/Xsession.options :

# cat /etc/X11/Xsession.options
# See Xsession.options(5) for an explanation of the available options.
allow-failsafe
allow-user-resources
allow-user-xsession
use-ssh-agent
use-session-dbus

remove (or comment out) use-ssh-agent. The option is read by
/etc/X11/Xsession.d/90x11-common_ssh-agent, which wraps the session command in ssh-agent when it is set;
see that script for details.

If you want to keep using the ssh-agent that Xsession started, you can load your keys at login by putting this script into .kde/Autostart (make it executable):

#!/bin/sh
# set SSH_ASKPASS if not set elsewhere
# export SSH_ASKPASS=/usr/bin/ssh-askpass
# stdin from /dev/null: ssh-add then has no terminal and, with DISPLAY set, asks via SSH_ASKPASS
for f in /home/userx/.ssh/mykeys/*_dsa ; do ssh-add "$f" </dev/null ; done

Also check the related ubuntu bugs

I already wrote how to configure the ssh client for single sign-on in Convenient SSH on Linux. Today I would like to move up to the KDE layer and see what can be done there to organize remote access more effectively. Formerly I used kssh to organize my ssh accounts (see Installing kssh on ubuntu). Nowadays I prefer a combination of KDE's Network Folders and Terminal Sessions.

KDE Network Folders help you organize your remote access links. They build on KDE's support for webdav, ftp, sftp, smb and fish. Fish is quite interesting: it presents files over ssh just as if they were local. There is a special directory where your network folders are stored: type "remote:/" into Konqueror's address bar. (Another possibility is of course to use plain bookmarks to organize remote connections accessed via "sftp://user@host/" or similar.) It is just a collection of links, which KDE stores in .kde/share/apps/remoteview.
The real value of Network Folders lies in the combination with the Network Folder Wizard, which gives you a configuration interface and a quick-access list in KDE's panel.
The application behind Network Folders administration is knetattach, also known as the Network Folder Wizard; read its documentation in Konqueror at "help:/knetattach/introduction.html". It is also available as an applet via "Right-click Panel" -> "Add Applet to Panel" -> "Network Folders".

Terminal Sessions is another applet you can add to your panel. It lists the different konsole sessions. I use sessions to configure ssh shell access and to execute common shell commands like watching remote logs. To add a session, open a konsole window and in the menubar click "Settings" -> "Configure Konsole" -> "Session" tab. In the "General" group type a name for your session, the command to execute (example: ssh xxx.gebewau.de) and your working directory, then click "Save Session". You can associate different color schemes and icons with different sessions to tell konsole windows for different purposes apart. There seems to be no grouping feature for session links.

The Problem: There are a bunch of servers I need to login almost daily using ssh, all with different login names and passwords. I also want to secure copy data between them and access one server from another.

The Wish: One password for a group of servers to type in only once when I login into the local X-session.

A Solution: Set up passphrase-protected private and public keys. Run your window manager under ssh-agent and type the keys' passphrases into a passphrase dialog triggered by ssh-add on window manager startup. Use ssh-agent forwarding to make the local identities available on remote hosts (the private keys never leave the local machine; the agent only answers signing requests). Of course you
also need to install your public key on the remote hosts.

So it goes:

  1. Install x11-ssh-askpass (ubuntu package ssh-askpass).
  2. Create key pairs and protect them by a (hopefully) strong passphrase:
    ~/.ssh$ mkdir mykeys
    ~/.ssh$ cd mykeys
    ~/.ssh/mykeys$ ssh-keygen -t dsa
    Generating public/private dsa key pair.
    Enter file in which to save the key (/home/me/.ssh/id_dsa): /home/me/.ssh/mykeys/gebewau_dsa
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/me/.ssh/mykeys/gebewau_dsa.
    Your public key has been saved in /home/me/.ssh/mykeys/gebewau_dsa.pub.
    The key fingerprint is:
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    ~/.ssh/mykeys$ chmod 600 *

    The chmod is required: ssh refuses a private key that group or others can read ("Permissions 0644 for '...' are too open"). Note that -t dsa reflects the OpenSSH of the time; current OpenSSH disables ssh-dss signatures by default (since 7.0) and recent releases have removed DSA support entirely, so generate -t ed25519 (or -t rsa -b 3072 or larger) today.
  3. Edit your .xinitrc (on ubuntu ssh-agent is running by default, see post SSH on Ubuntu, SSH-Agent Is Running per Default) so that it looks like this:
    #!/bin/bash
    exec ssh-agent sh -c '{ for f in /home/kostja/.ssh/mykeys/*_dsa ; do ssh-add "$f" </dev/null ; done ; } && exec startkde'

    This starts ssh-agent once for the whole session. ssh-agent runs sh -c with the command enclosed in ' ' (sh, not your interactive bash). For each private key in the mykeys directory a passphrase dialog appears, triggered by ssh-add. The dialog is provided by x11-ssh-askpass; ssh-add only uses it when its stdin is not a terminal (hence the </dev/null) and DISPLAY is set, and it finds the program through the SSH_ASKPASS environment variable. Because sh -c does not read ~/.bashrc, set the variable in .xinitrc itself, before the exec line, for example:

    # Set the location of the x11-ssh-askpass binary
    # (built from source; the Ubuntu ssh-askpass package installs /usr/bin/ssh-askpass instead)
    export SSH_ASKPASS=/usr/local/libexec/x11-ssh-askpass

    On Ubuntu this seems not to be necessary, apparently because the packaged ssh-add falls back to /usr/bin/ssh-askpass on its own. On success, startkde is executed; because of the &&, startkde is not run if the last ssh-add fails (the loop's exit status is that of its last command), for example when you cancel that dialog. To see how to run the session independently of the success of the passphrase dialog, read the description in Simplifying SSH access using an agent.
  4. Configure your ssh client to use agent forwarding by creating and editing the configuration file .ssh/config. An example:
    # selfmade OpenSSH ssh client configuration file will
    # override the system config file in /etc/ssh/ssh_config
    #
    # Config options are unioned over all matching host
    # entries, first config option wins
    
    Host xxx.gebewau.de
    # with this user setting you only have to type
    # ssh xxx.gebewau.de to connect
    User me
    
    Host *.gebewau.de
    # don't need this if identity is added by ssh-add
    #  IdentityFile ~/.ssh/mykeys/gebewau_dsa
    # next two settings have security issues, see man:ssh_config
    ForwardAgent yes
    ForwardX11 yes
    
    Host *
    CheckHostIP yes
    Compression yes
    StrictHostKeyChecking ask
    # SetupTimeOut is a Debian/Ubuntu addition, not an upstream OpenSSH option;
    # drop it if your ssh rejects it (ConnectTimeout is the closest upstream option)
    SetupTimeOut 300
    ServerAliveInterval 300
    
  5. Install your public key in the remote machine's authorized_keys. You can scp the .pub file to the server and append it there:
    cat gebewau_dsa.pub >> .ssh/authorized_keys
    Or you use
    ssh-copy-id -i ~/.ssh/mykeys/gebewau_dsa.pub user@xxx.gebewau.de
    which also creates the server's ~/.ssh with the restrictive permissions sshd requires (directory 0700, authorized_keys not writable by others; otherwise sshd's StrictModes ignores the file).
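The following script is an added example, not code from the original post. It does what the .kde/Autostart snippet, the .xinitrc line in step 3 and step 5 do, with the checks a practitioner would want: it finds private keys by their companion .pub file instead of a *_dsa glob, refuses keys whose permissions ssh would reject, loads them through the askpass dialog without aborting the session when a dialog is cancelled, and appends a public key to authorized_keys exactly once with the permissions sshd insists on. Assumptions not taken from the post: the key directory is $KEYDIR (default ~/.ssh/mykeys), the askpass program is /usr/bin/ssh-askpass (Ubuntu's ssh-askpass package) and the session command is startkde.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names: $KEYDIR,
# /usr/bin/ssh-askpass as the askpass program, startkde as the session.
# Run as ".xinitrc": exec /path/to/this-script start

KEYDIR="${KEYDIR:-$HOME/.ssh/mykeys}"
ASKPASS="${SSH_ASKPASS:-/usr/bin/ssh-askpass}"
SESSION="${SESSION:-startkde}"

# Print the private keys in directory $1: every regular file that is not a
# .pub file itself but has a companion .pub next to it. This replaces the
# *_dsa glob, so the key type no longer matters.
list_private_keys() {
    for f in "$1"/*; do
        case "$f" in *.pub) continue ;; esac
        [ -f "$f" ] && [ -f "$f.pub" ] && printf '%s\n' "$f"
    done
    return 0
}

# ssh rejects a private key that group or others can read ("Permissions 0644
# for '...' are too open"). Returns 0 if the mode has no group/other bits.
key_perms_ok() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Load every key in $1 into the running agent. stdin is redirected from
# /dev/null on purpose: with no terminal on stdin and DISPLAY set, ssh-add
# asks for the passphrase through $SSH_ASKPASS instead of a (missing) tty.
# A failed or cancelled ssh-add is reported, not fatal.
load_keys() {
    SSH_ASKPASS="$ASKPASS"; export SSH_ASKPASS
    list_private_keys "$1" | while IFS= read -r key; do
        if key_perms_ok "$key"; then
            ssh-add "$key" </dev/null || echo "ssh-add failed for $key" >&2
        else
            echo "skipping $key: permissions too open, run chmod 600" >&2
        fi
    done
}

# Server side of ssh-copy-id: append public key line $1 to authorized_keys
# under home directory $2 exactly once, and set the permissions sshd's
# StrictModes requires (~/.ssh 0700, authorized_keys 0600).
install_pubkey() {
    pub=$1; home=${2:-$HOME}
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    ak="$home/.ssh/authorized_keys"
    touch "$ak" && chmod 600 "$ak" || return 1
    grep -qxF -- "$pub" "$ak" || printf '%s\n' "$pub" >> "$ak"
}

# Session start: make sure exactly one agent exists, load the keys, then hand
# over to the window manager. Re-executing under ssh-agent is the same trick
# as the .xinitrc line, skipped when Xsession already started an agent.
start_session() {
    if [ -z "$SSH_AUTH_SOCK" ]; then
        exec ssh-agent "$0" start       # re-enter with an agent in place
    fi
    load_keys "$KEYDIR"                 # a cancelled dialog does not abort the session
    exec "$SESSION"
}

case "${1:-}" in
    start) start_session ;;
esac
```

The functions are deliberately separate so that install_pubkey can be pasted into a remote shell (or fed to ssh host sh -s < script) on a server that has no ssh-copy-id, and key_perms_ok explains the "too open" failure before ssh-add ever pops up a dialog.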

To use agent forwarding you have to use ssh -A or enable ForwardAgent in .ssh/config, both for the local client and for the client on the bridge server. The bridge server's client will try the username you used to log into it, so set appropriate user names in its .ssh/config or use: ssh forwardeduser@over-the-bridge.gebewau.de . Forward the agent only to hosts whose root you trust (see the security remark below); since OpenSSH 7.3, ProxyJump (ssh -J bridge target, or ProxyJump bridge in .ssh/config) tunnels the connection through the bridge without the bridge ever seeing your agent, and is the better choice where it is available.

Note about loading several matching identities with ssh-add:
If the agent holds several identities that are valid for the same host, ssh offers them in the order the agent returns them and the server accepts the first one that works, so the first matching key added with ssh-add wins. In the OpenSSH of the time even the command line option -i did not override this, because agent keys were tried before the file named with -i. A server with a low MaxAuthTries may also disconnect ("Too many authentication failures") before the right key is reached. Rather than keeping one of the keys out of the agent, set IdentitiesOnly yes together with IdentityFile for that Host in your client config: ssh then offers only the configured key, even though the agent holds others.

Security remark regarding forwarding found in man:ssh_config:
Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent’s Unix-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.

Links: