From: Andrew Tridgell
Subject: tip of the day (ssh-agent)
Date: Wed, 1 Sep 1999 23:39:52 +1000

This tip is for those of you who use ssh but are too lazy to type that
blasted pass phrase every time you want to connect to a host. Most
people respond to this by setting a null pass phrase, but that really
isn't a good idea. Doing that means that your secret key is stored in
plain unencrypted format in your ~/.ssh/ directory which is bad news
for security and just plain silly if your home directory is mounted by
NFS.

So how do you use a pass phrase and avoid typing it every time? You
use ssh-agent. ssh-agent sits in the background and holds keys that
you decode (just once!) with ssh-add.

If you use an X display manager (a graphical login) then you can just
add the following to your .xsession file (on some systems you may be
using a .Xclients or .xinitrc).

eval `ssh-agent`

add that line just before the line that starts your window
manager. Then after the window manager line add this:

ssh-agent -k

that will kill off ssh-agent after you exit.

My full .xsession file looks like this:

#!/bin/sh
eval `ssh-agent`
/etc/X11/xdm/Xsession kde
ssh-agent -k

after you log in you then run the command ssh-add to decode your
private key and store the results in ssh-agent. Just run it once per
login and all your ssh commands will proceed without any pass phrase
prompting.

If you don't use a graphical login then you might prefer to run startx
within an ssh-agent environment like this:

ssh-agent startx

that will have much the same effect, and doesn't need the "ssh-agent -k"
at the end to tidy up.

Another tip, if you were lazy in the past and didn't set a pass phrase
for your ssh key then set one now using "ssh-keygen -p". Having your
private ssh key in plain text on disk really isn't a good idea!

Cheers, Tridge
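The message above relies on two things happening behind the scenes: `eval \`ssh-agent\`` evaluates the shell assignments that ssh-agent prints (SSH_AUTH_SOCK and SSH_AGENT_PID), and `ssh-agent -k` at the end reads SSH_AGENT_PID back to kill that agent. The following script is an added example, not Tridge's .xsession: it parses that output explicitly so the socket can be checked before the session starts, uses a trap so the agent is also killed if the window manager dies rather than exits cleanly, and turns the exit status of `ssh-add -l` into a readable state. The sample agent output is constructed here so the parser can be exercised without a live agent; the window manager name is whatever you pass as the argument.

```shell
#!/bin/sh
# Added example (not the original .xsession): run one ssh-agent for the
# whole X session, verify it, and make sure it is killed when the session
# ends for any reason.

# Constructed sample of what `ssh-agent -s` prints (Bourne-shell syntax).
# A real agent prints exactly this shape with its own socket path and pid.
SAMPLE_AGENT_OUTPUT='SSH_AUTH_SOCK=/tmp/ssh-XXXXabcd/agent.12345; export SSH_AUTH_SOCK;
SSH_AGENT_PID=12346; export SSH_AGENT_PID;
echo Agent pid 12346;'

# agent_var VAR TEXT: extract the value of one VAR=value; assignment from
# ssh-agent's output. `eval $(ssh-agent -s)` does this implicitly; pulling the
# values out by hand lets the script validate them before trusting them.
agent_var() {
    printf '%s\n' "$2" | sed -n "s/^$1=\([^;]*\);.*/\1/p"
}

# describe_agent_status CODE: translate the exit status of `ssh-add -l`.
# OpenSSH's ssh-add exits 0 when it listed identities, 1 when the agent has
# no identities, and 2 when it cannot contact an agent at all.
describe_agent_status() {
    case "$1" in
        0) echo "agent running, keys loaded" ;;
        1) echo "agent running, no keys loaded" ;;
        2) echo "no agent reachable (SSH_AUTH_SOCK unset or stale)" ;;
        *) echo "unexpected ssh-add exit status $1" ;;
    esac
}

# check_agent: report the state of whatever agent the environment points at.
check_agent() {
    ssh-add -l >/dev/null 2>&1
    describe_agent_status $?
}

# run_x_session CMD [ARGS...]: the equivalent of the .xsession shown above.
# Starts an agent, exports its variables, checks the socket exists, runs the
# session command, and kills the agent on exit (normal or not).
run_x_session() {
    out=$(ssh-agent -s) || return 1
    eval "$out"
    sock=$(agent_var SSH_AUTH_SOCK "$out")
    if ! [ -S "$sock" ]; then
        echo "ssh-agent socket $sock is missing" >&2
        ssh-agent -k >/dev/null
        return 1
    fi
    # -k uses SSH_AGENT_PID, which eval exported above.
    trap 'ssh-agent -k >/dev/null' EXIT HUP INT TERM
    "$@"
}

# Only start a session when a window manager (or startx) was named.
if [ "$#" -gt 0 ]; then
    run_x_session "$@"
fi
```

Used as `run_x_session fvwm` from .xsession this replaces the three-line file in the message; `check_agent` is handy in a shell prompt or login script to tell "agent has no keys yet, run ssh-add" apart from "no agent at all, the eval line never ran".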

From: "Ben H. Hartshorne" <ben@sandwich.net>
To: tridge@linuxcare.com
cc: spam-l@linuxcare.com
Subject: Re: tip of the day (ssh-agent)
In-Reply-To: <19990901133955Z12863338-447+2616@samba.anu.edu.au>

Hi,

I just have a few things to add to Tridge's message.

When I was first setting up ssh-agent so very long ago, I was stumped for
quite a while, because my X setup used .Xclients instead of .xsession for
the startup file. I don't remember all the details, but I think it was
something crazy like xdm uses .xsession and startx uses .Xclients.

Anyhow, just to be safe, I symlinked .xsession to .Xclients.

But I soon ran across two other problems. I wanted to run a whole bunch
of programs on startup of X, and I didn't like having to re-add my key for
every xterm. My sysadmin showed me another solution. It turns out that
ssh-add knows how to put up a graphical window if it is run in the right
manner.

Here's my .Xclients file

#!/bin/csh
source ~/.bashrc
exec /usr/local/bin/ssh-agent ~/.Xclients_local

and then my .Xclients_local (edited a bit b/c you get the point, and it's
rather long)

#! /bin/csh
# .Xclients_local -- Put programs to run on X startup in here
#####################################
#
# Add startup programs here
#
xsetroot -solid black

ssh-add </dev/null
#ssh-add

xclock -geometry 60x60+5+45 &
xload -geometry 60x50+5+115 &
xbiff -geometry 60x60+5+175 -update 5 &

#display if I have new mail on hal
ssh hal.rescomp.berkeley.edu xbiff -geometry 60x60+5+235 -update 5 &

# This creates a window to grab your console messages.
# Exiting this window does _not_ log you out however
xterm -ls -C -T console -geometry 114x43+80+5 &
#xterm -T hal -geometry 115x43+78+600 -e ssh hal.rescomp.berkeley.edu &

# Note that this is the last line, and it doesn't have a trailing &
fvwm

#clean up ssh stuff
ssh-add -D &

ssh-add would work on some machines just as is, and on others needed the
</dev/null. I never quite figured out which was which, so just try it
both ways. It has something to do with whether you launched it from xdm
or startx, and whether it thinks it's in console mode or X mode.

The other really nice thing about setting it up this way is that your
_entire_ X session has your key, not just your terminals. That means you
can put, in your mouse menus, lines to start up connections to your
favorite servers and so on.

I also really like being able to use scp to all sorts of different
machines just as though they were all local. No passwords needed no
matter which machine I'm copying to!

One last thing. If you have more than one ssh key, you can add them all
at startup. Follow the ssh-add command with the path to your other keys.

For example

ssh-add ~/.ssh/berkeley_key
ssh-add ~/.ssh/linuxcare_key
...

If you have problems setting it up, just remember: ssh is a good thing!
Once you have it set up, you will love it.
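Two points in the thread deserve a concrete treatment: why `ssh-add </dev/null` works on some setups and not others, and Tridge's warning about keys stored without a pass phrase. OpenSSH's ssh-add reads the pass phrase from its controlling terminal when it has one; when stdin is not a terminal and DISPLAY is set it runs the program named by SSH_ASKPASS instead, which is the graphical window Ben's sysadmin pointed him at. Under xdm there is usually no terminal, under startx there often still is, hence "try it both ways". The script below is an added example rather than Ben's .Xclients_local: it loads a list of keys at X startup, picks the prompt method deliberately, and warns about any key it can open with an empty pass phrase. The key paths are hypothetical, and the PEM header check assumes the classic `Proc-Type: 4,ENCRYPTED` marker; the newer OPENSSH PRIVATE KEY format is handed to ssh-keygen instead (assumed to be installed for that branch only).

```shell
#!/bin/sh
# Added example (not the original .Xclients_local): load several ssh keys at
# X startup, choose terminal vs graphical prompting deliberately, and flag
# private keys that have no pass phrase.

# Hypothetical key list; adjust to the keys you actually use.
# Paths containing spaces would need an array-capable shell.
KEYS="$HOME/.ssh/berkeley_key $HOME/.ssh/linuxcare_key"

# needs_askpass: true when ssh-add should be run with stdin detached so it
# uses SSH_ASKPASS (requires DISPLAY) rather than a terminal it does not have.
needs_askpass() {
    [ -n "$DISPLAY" ] && ! [ -t 0 ]
}

# pem_key_state FILE: classify a PEM-format private key from its header.
# An encrypted PEM key has "Proc-Type: 4,ENCRYPTED" right after the BEGIN
# line; a key without a pass phrase lacks it. OpenSSH's newer native format
# carries no such header, so it is reported as "unknown".
pem_key_state() {
    if head -n 1 "$1" | grep -q 'BEGIN OPENSSH PRIVATE KEY'; then
        echo unknown
    elif head -n 3 "$1" | grep -q '^Proc-Type: 4,ENCRYPTED'; then
        echo encrypted
    else
        echo plaintext
    fi
}

# key_has_passphrase FILE: exit 0 if the key is protected, 1 if not.
# PEM keys are decided by their header; native OpenSSH keys are tested by
# asking ssh-keygen whether the empty pass phrase opens them.
key_has_passphrase() {
    case "$(pem_key_state "$1")" in
        encrypted) return 0 ;;
        plaintext) return 1 ;;
    esac
    # `ssh-keygen -y -P '' -f FILE` prints the public key only when the
    # empty pass phrase works, i.e. the key is stored unencrypted.
    ! ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1
}

# load_keys: add every key that exists, warning about unprotected ones.
# The warning points at `ssh-keygen -p`, the fix Tridge recommends.
load_keys() {
    for k in $KEYS; do
        [ -f "$k" ] || continue
        if ! key_has_passphrase "$k"; then
            echo "warning: $k has no pass phrase; run: ssh-keygen -p -f $k" >&2
        fi
        if needs_askpass; then
            ssh-add "$k" </dev/null
        else
            ssh-add "$k"
        fi
    done
}
```

Call `load_keys` from the startup file in place of the bare `ssh-add` lines; because the keys are added inside the `ssh-agent ~/.Xclients_local` environment, every program the session launches inherits them, which is the "entire X session has your key" effect Ben describes. The agent itself is torn down by ssh-agent when the session command exits, so the trailing `ssh-add -D` is belt and braces.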