SSH-AGENT SETUP, by Alexander Shirokov

(0) Introduction

Passwordless ssh access: as opposed to the usual password authentication
method used when doing ssh to a remote machine, passphrase (public key)
authentication together with the ssh-agent daemon allows automatic
authentication, so that one does not need to type a password each time one
logs into a machine using ssh, while still ensuring a secure connection.

Let hosta be your local machine, on which you are user usera. Let hostb be
a remote machine, on which user userb wants to give you permission to log
in as userb (it may well be that both users are the same, usera = userb).

(1) Choosing a passphrase

First, choose a proper passphrase for your use. Your passphrase may contain
any regular characters (alphanumeric, plus punctuation and whitespace
characters); it should not be dictionary based. The passphrase is the most
vulnerable part of the ssh encryption: a bad passphrase, such as your year
of birth, diminishes the security that will later be available to you.

(2) Generating private and public keys

Log in as a regular user to your local machine (quantmachine, i.e. hosta
above) and type:

    mkdir -p ~/.ssh
    chmod 700 ~/.ssh
    cd ~/.ssh
    ssh-keygen -t rsa

Simply press enter for the first question and type the new passphrase
chosen in (1) for the second question. This generates the files

    id_rsa
    id_rsa.pub

which contain the authentication keys. The file id_rsa is the most
sensitive one and must not be distributed; the file id_rsa.pub is your
public key and may be freely distributed.

(3) Testing passphrase authentication on your local machine

Suppose you are on your local machine, quantmachine. You can test
passphrase authentication without using any other machine: while on
quantmachine you may still log in to the same machine, just to test that
authentication works.
First, do the following:

    cd ~/.ssh
    cat id_rsa.pub >> authorized_keys2
    chmod 644 authorized_keys2

Then log in:

    ssh hosta

or

    ssh usera@hosta

If you cannot log in without the password:

  a: make sure that the permissions of authorized_keys2 and ~/.ssh are
     set properly:

         chmod 644 authorized_keys2
         chmod 700 ~/.ssh

  b: check that the permissions of your $HOME directory are proper. 771 is
     not a good permission for your home directory; 755, 701 or 700 are
     fine.

(4) Logging in using a passphrase

To enable a one-way login from the local machine to a remote machine, add
the content of ~/.ssh/id_rsa.pub on the local machine to the file
~/.ssh/authorized_keys2 on the remote machine. This can be done by copy and
paste with the mouse: open the key file in emacs on the local machine and
the authorized_keys2 file in emacs on the remote machine, and edit the
file there. E.g.:

  Local machine:

      cd ~/.ssh
      emacs id_rsa.pub &

  Remote machine:

      cd ~/.ssh
      emacs authorized_keys2 &
      chmod 644 authorized_keys2
      chmod 700 ~/.ssh

Format of authorized_keys2: one line per hostname!

Now, try this on your local machine:

    ssh RemoteHostName

This should ask for the passphrase instead of a password!

(5) Automatic authentication

One can enable automatic authentication, so that you do not have to type
the passphrase each time you log in to the remote machine.

(a) For the current shell session

To enable automatic authentication for your current shell session (e.g.
the currently open xterm), start the authentication daemon ssh-agent:

    ssh-agent $SHELL

This starts the authentication agent (and sets the variables SSH_AGENT_PID
and SSH_AUTH_SOCK) with a new shell running under it. Then add your key to
it:

    ssh-add

This asks you for the RSA passphrase; once this is done you should be able
to log in to the remote machine from the same shell session without typing
the password.
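The permission problems listed in the testing section above (home directory, ~/.ssh, authorized_keys2) are the usual reason a public-key login silently falls back to a password. The following script is an added example, not part of the original document: it checks the same things sshd checks (with StrictModes, its default, it ignores authorized_keys when the home directory, ~/.ssh or the key file is writable by group or others) and additionally that the private key id_rsa is readable only by its owner, which the ssh client itself insists on. The home directory is taken as an argument so the check can be run against a constructed directory tree as well as against the real $HOME; the authorized_keys file name is checked in both its old (authorized_keys2) and current (authorized_keys) spelling.

```shell
#!/bin/sh
# Added example (not from the original document): report the permission
# problems that make sshd refuse or ignore public-key logins.

# Octal permission bits of a path, e.g. 700 or 644 (GNU stat, BSD fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Treat the mode string as decimal digits: the last digit is "other", the
# one before it "group"; bit 2 of a digit is the write permission.
group_writable() { [ $(( (($1 / 10) % 10) & 2 )) -ne 0 ]; }
other_writable() { [ $(( ($1 % 10) & 2 )) -ne 0 ]; }

# check_ssh_perms HOME: print every problem found; return 0 only if none.
check_ssh_perms() {
    home="$1"
    problems=0
    complain() { echo "  problem: $1"; problems=$((problems + 1)); }

    # Home directory: 771 is group writable, which sshd rejects.
    hp=$(perm_of "$home")
    if group_writable "$hp" || other_writable "$hp"; then
        complain "$home has mode $hp; use 755, 701 or 700 (771 is not good)"
    fi

    sshdir="$home/.ssh"
    if [ ! -d "$sshdir" ]; then
        complain "$sshdir is missing (mkdir -p ~/.ssh; chmod 700 ~/.ssh)"
        return 1
    fi
    sp=$(perm_of "$sshdir")
    if group_writable "$sp" || other_writable "$sp"; then
        complain "$sshdir has mode $sp; chmod 700 ~/.ssh"
    fi

    # The authorized keys file may be world readable but not group/other
    # writable; 644 as in the text is fine.
    for f in "$sshdir/authorized_keys2" "$sshdir/authorized_keys"; do
        [ -f "$f" ] || continue
        ap=$(perm_of "$f")
        if group_writable "$ap" || other_writable "$ap"; then
            complain "$f has mode $ap; chmod 644 $f"
        fi
    done

    # The private key must carry no group/other bits at all (600 or 400).
    if [ -f "$sshdir/id_rsa" ]; then
        kp=$(perm_of "$sshdir/id_rsa")
        if [ $((kp % 100)) -ne 0 ]; then
            complain "$sshdir/id_rsa has mode $kp; chmod 600 $sshdir/id_rsa"
        fi
    fi

    [ "$problems" -eq 0 ]
}

# Stand-alone use: sh thisfile --run [HOME]
if [ "${1:-}" = "--run" ]; then
    check_ssh_perms "${2:-$HOME}"
fi
```

Each problem is printed with the chmod that fixes it, and the exit status is non-zero when anything was found, so the script can also be dropped into a login script to warn about a regression (for example after restoring a home directory from a backup that did not preserve modes).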
(The RSA key is added to the ssh-agent whose process id is given by
SSH_AGENT_PID.)

To stop the agent, type

    ssh-agent -k

To check which keys are loaded, type

    ssh-add -l

If the output is something like

    1024 27:84:2c:36:f7:a3:a1:2f:89:a5:6f:74:66:7c:7d:37 /home/shirokov/.ssh/id_rsa (RSA)

then the listed key is loaded in the agent.

(b) Once and for all

To enable automatic authentication for all of your shell sessions, make
the changes on your LocalHostName machine described in the comments of the
script below. All of the text below is the script, to be copied into the
file $HOME/.ssh/ssh-login on LocalHostName. Once you log out and log in
again you will be asked for the passphrase once, and from then on you will
be able to log in to RemoteHostName without ever typing the passphrase.

#!/bin/sh
#
# File: ~/.ssh/ssh-login
#
# Checks the authentication environment.
# If the ssh-agent is not running, starts a new one.
#
# Setup instructions:
#
# 1) For bash and ksh users:
#
#    Include the following in your ~/.bashrc or ~/.kshrc:
#
#        . $HOME/.ssh/ssh-login
#
#    Note: a common error is to put this line in ~/.bash_profile instead.
#    Non-login shell sessions started later (e.g. new xterms) run only
#    ~/.bashrc for their setup, so they would not get the environment of
#    the running ssh-agent. The startup of the login shell includes a
#    call to ~/.bashrc anyway.
#
# 2) For csh and tcsh users:
#
#    Include the following in your ~/.cshrc or ~/.tcshrc:
#
#        source $HOME/.ssh/ssh-login
#
#    (Caveat: the csh family cannot source Bourne-shell syntax directly;
#    the functions below and the "export" lines of the env file would
#    need a csh/"setenv" rewrite for those shells.)
#

# Per-host file holding the agent's environment (SSH_AUTH_SOCK, SSH_AGENT_PID)
SSH_ENV="$HOME/.ssh/env-${HOSTNAME:-$(hostname)}"

# Remove the "localhost" entries that the tests in (3) leave in known_hosts
ssh_clean() {
    d="$HOME/.ssh"
    f0="$d/known_hosts"
    f1="$d/known_hosts_tmp"
    [ -f "$f0" ] || return 0
    : > "$f1"
    while read -r host line; do
        if [ "$host" != "localhost" ]; then
            echo "$host $line" >> "$f1"
        fi
    done < "$f0"
    mv "$f1" "$f0"
    chmod 644 "$f0"
}

# Initialize a new agent and add the key to it
start_agent() {
    echo "Initialising new SSH agent on ${HOSTNAME:-$(hostname)} on $(date)" >> ~/agent
    # Start the authentication daemon; no keys are loaded yet.
    # The first two lines of its Bourne-shell output set and export
    # SSH_AUTH_SOCK and SSH_AGENT_PID; the third ("echo Agent pid ...")
    # is dropped.
    ssh-agent -s | head -2 > "$SSH_ENV"
    chmod 600 "$SSH_ENV"
    # Import SSH_AUTH_SOCK and SSH_AGENT_PID of the new daemon
    . "$SSH_ENV" > /dev/null
    # Add the key to this, and only this, daemon
    ssh-add
}

if [ -f "$SSH_ENV" ]; then
    # Import SSH_AUTH_SOCK and SSH_AGENT_PID of the existing daemon
    . "$SSH_ENV" > /dev/null
    # Check that the agent is still running; if not, start a new one
    # and add the key
    if ! kill -0 "$SSH_AGENT_PID" 2> /dev/null; then
        start_agent
    fi
else
    start_agent
fi

# Clean the localhost entries from the known_hosts file
ssh_clean

(6) Forwarding ssh-agent authentication

Make the following change in your /etc/ssh/ssh_config:

    < # ForwardAgent no
    ---
    > ForwardAgent yes

The default value is no. Saying "yes" means that the authentication is
forwarded from your LocalHostName to RemoteHostName, so that the same
passwordless authentication generated on LocalHostName can be used when
subsequently logging in from RemoteHostName to another host whose
~/.ssh/authorized_keys2 contains the public key of your local host.

(7) Assuring a stable connection

Often the default network firewall settings shut down idle connections.
To solve this problem:

Way 1 (requires the root password): make a change in /etc/ssh/ssh_config
on the target machine (the one running the sshd daemon that services the
ssh connection), adding the lines

    ClientAliveInterval 300
    ClientAliveCountMax 3

and execute the command

    /sbin/service sshd reload

on the remote machine. Do this by putting the command into a script
/root/script.sh and running

    chmod +x /root/script.sh
    at now + 1 minutes -f /root/script.sh

After the batch job completes in one minute there should, hopefully, be no
more disconnections.

Way 2 (no root password needed): create a new per-user file ~/.ssh/config
on the local machine and add the following two lines:

    ServerAliveInterval 300
    ServerAliveCountMax 3

(This is how, for example, the lonestar connection from procion to
lonestar2 was fixed. Before doing this, the connection was shut off after
2-3 minutes away from the terminal.)
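The per-user ~/.ssh/config of Way 2 is also the right place for the agent-forwarding setting described above, because it can be limited to the one host that needs to hop onward instead of being enabled for every host as the system-wide /etc/ssh/ssh_config change does (a forwarded agent lets whoever controls the remote host use your loaded keys for as long as you are connected). The following is an added example, not part of the original document: two constructed config files, one with the keepalives plus forwarding limited to lonestar2 and one with an ordering mistake that silently disables that forwarding, together with a small resolver, ssh_option, that answers "which value does ssh use for option X when connecting to host Y" the way ssh does (the first matching value wins, so a "Host *" block must come last). The host names lonestar2 and procion are the page's own; the resolver only understands exact host names and "*".

```shell
#!/bin/sh
# Added example (not from the original document): per-host agent
# forwarding in ~/.ssh/config and a resolver for its first-match rule.

GOOD_CONFIG=$(mktemp)
WRONG_CONFIG=$(mktemp)
trap 'rm -f "$GOOD_CONFIG" "$WRONG_CONFIG"' EXIT

# Correct layout: specific hosts first, catch-all defaults last.
cat > "$GOOD_CONFIG" <<'EOF'
# Forward the agent only on the hop that needs it.
Host lonestar2
    ForwardAgent yes

# Defaults for every connection (Way 2 keepalives, forwarding off):
# a probe every 300 s, give up after 3 unanswered probes.
Host *
    ServerAliveInterval 300
    ServerAliveCountMax 3
    ForwardAgent no
EOF

# Same options, wrong order: "ForwardAgent no" under "Host *" is the first
# value ssh sees for lonestar2, so the later block never takes effect.
cat > "$WRONG_CONFIG" <<'EOF'
Host *
    ServerAliveInterval 300
    ServerAliveCountMax 3
    ForwardAgent no

Host lonestar2
    ForwardAgent yes
EOF

# ssh_option CONFIG HOST OPTION: print the value ssh would use, or nothing
# when the file does not set it (ssh would then use its built-in default).
# Simplified matcher: only "*" and exact host names; real ssh also handles
# wildcard patterns, negation and Match blocks.
ssh_option() {
    awk -v host="$2" -v want="$3" '
        { sub(/#.*/, "") }                 # strip comments
        /^[ \t]*$/ { next }                # skip blank lines
        tolower($1) == "host" {            # new Host block: does it apply?
            active = 0
            for (i = 2; i <= NF; i++)
                if ($i == "*" || $i == host) active = 1
            next
        }
        # first matching assignment wins, exactly as in ssh_config(5)
        active && tolower($1) == tolower(want) { print $2; exit }
    ' "$1"
}

# Stand-alone use: show what each file yields for lonestar2 and procion.
if [ "${1:-}" = "--run" ]; then
    for h in lonestar2 procion; do
        echo "good:  $h ForwardAgent=$(ssh_option "$GOOD_CONFIG" "$h" ForwardAgent)"
        echo "wrong: $h ForwardAgent=$(ssh_option "$WRONG_CONFIG" "$h" ForwardAgent)"
    done
fi
```

With a real OpenSSH client, ssh -G lonestar2 | grep -i forwardagent prints the value the client itself resolves, which is the quickest way to confirm a file before relying on it. On the server side of Way 1, ClientAliveInterval and ClientAliveCountMax are sshd_config(5) directives, so they take effect in /etc/ssh/sshd_config on the target machine when sshd is reloaded.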