Most of my readers utilize SSH keys to access remote systems. The security benefits are well known, and key-based authentication makes automating remote tasks a whole lot easier. When you use key-based authentication it becomes imperative to protect your private key, since a third party could access your systems if they were able to gain access to your account. The SSH key generator (ssh-keygen) will attempt to encrypt your private key by default, and ssh-keygen can also be used to add a password to an existing private key after the fact.
With passwords come prompts, and with prompts comes frustration. To alleviate this frustration you can use the ssh-agent process to minimize the number of times you need to type your password. Ssh-agent stores your private keys securely in memory, and hands them out to the ssh process when you attempt to connect to remote systems. Keys are added to ssh-agent through the ssh-add command line utility, which will prompt you for your private key password prior to adding them to the keys held in memory by ssh-agent.
Each time you access a remote system the ssh client will contact the ssh-agent process to acquire your private keys. If you start ssh-agent and run ssh-add to add your private keys when you log in to a server, you will then be able to access other hosts using key-based authentication without a password for the length of the shell session. You will find this especially useful when you are using tools like clusterit to manage remote machines.
To automate the process above, I like to modify my bash environment to prompt me for the password when I log in to my servers. The ssh-add prompt I get looks similar to this:
Last login: Tue Jan 17 20:37:54 2012 from 192.168.1.121
Starting an ssh-agent process
Enter passphrase for /home/matty/.ssh/id_dsa:
Identity added: /home/matty/.ssh/id_dsa (/home/matty/.ssh/id_dsa)
Once I’ve input the correct password I can then access other systems freely and without a password. So what exactly did I do to integrate ssh-agent into my shell environment? First I added an exec statement to create an ssh-agent process and make the bash process a child of it (the reasons why this is required are documented in the SSH FAQ):
grep ssh-agent .bash_profile
# Start an ssh-agent process and start bash as a child of it
echo "Starting an ssh-agent process"
exec ssh-agent bash
Once ssh-agent is tied into the environment I call ssh-add from my .bashrc to add my private keys:
grep ssh-add .bashrc
# Add the encrypted private keys to my in-memory key store with ssh-add.
echo "Calling ssh-add to add my private key to ssh-agent"
ssh-add
The second entry is what causes the following password prompt when I login to my servers:
Enter passphrase for /home/matty/.ssh/id_dsa:
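The same two steps folded into one guarded function, as an added example that is not from the original post: it reuses an agent that is already in the environment (so nested shells, screen windows and forwarded sessions do not each spawn their own), prompts only when no identity is loaded, and gives the loaded key a lifetime with ssh-add -t. The helper names, the 8h default lifetime and the id_dsa path are my own assumptions; the ssh-agent and ssh-add options are the standard OpenSSH ones.

```shell
# Added example: drop-in for ~/.bash_profile (assumed helper names).

# 0 when SSH_AUTH_SOCK points at an existing socket, i.e. an agent was
# inherited from a parent shell, tmux/screen, or an ssh -A session.
agent_socket_ok() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Map the exit status of `ssh-add -l` to a word:
# 0 = at least one identity loaded, 1 = agent reachable but empty,
# 2 = ssh-add could not contact an agent.
agent_state() {
    case "$1" in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo unreachable ;;
    esac
}

# Start an agent only when none is reachable, then add the key with a
# lifetime (-t) so an abandoned session does not hold a usable key forever.
start_agent_if_needed() {
    key=${1:-$HOME/.ssh/id_dsa}   # key path from the post; assumed default
    ttl=${2:-8h}                  # assumed default lifetime
    if ! agent_socket_ok; then
        echo "Starting an ssh-agent process"
        eval "$(ssh-agent -s)" >/dev/null || return 1
    fi
    status=0
    ssh-add -l >/dev/null 2>&1 || status=$?
    case "$(agent_state "$status")" in
        loaded)      return 0 ;;
        unreachable) echo "ssh-agent is not reachable" >&2; return 1 ;;
        empty)       echo "Calling ssh-add to add my private key to ssh-agent"
                     ssh-add -t "$ttl" "$key" ;;
    esac
}

# Only interactive shells get the prompt; scripts and scp sessions never do.
case $- in *i*) start_agent_if_needed ;; esac
```

Because the function is called from .bash_profile rather than exec'ing a fresh agent, a second login on the same host with an agent already forwarded or inherited is not asked for the passphrase again.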
I always try to do everything I can to improve security, and this is definitely one of those things every admin should do to protect their beloved private key(s). :) If you are doing something differently, please share your thoughts in the comment section below.