Difference between revisions of "Talk:SSH keys"

From ArchWiki
m (ssh-agent: new section)
Revision as of 07:17, 14 July 2009

Maybe the default 2048 bit rsa key is better? Vogt 01:54, 31 August 2008 (EDT)

I have just completed a tidyup, this included removing the section on connection control as I deemed it irrelevant. If needed, it is available in the history. Thelucster 13:51, 13 April 2009 (EDT)

sshd_config

Sometimes the 'ssh-add' is not enough to log in without a password. It is possible that ssh is configured in such a way that only a limited group of users is allowed on the machine. In this case - you need root access to the server! - you have to change the configuration file. Mostly you can find it as /etc/ssh/sshd_config. If the last line(s) of this file read(s): 'AllowUsers <username>', you will have to add a similar line with your own username. Don't forget to restart the ssh daemon: '/etc/init.d/sshd restart'.
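To see why a key-only login is refused before touching the file, it helps to evaluate AllowUsers the way sshd does: every AllowUsers line adds patterns, a user must match at least one of them, and a "user@host" pattern only matches when the client address matches the host part too. The script below is an added example (not from this talk page or from OpenSSH); it only evaluates AllowUsers (AllowGroups, DenyUsers and DenyGroups are ignored), treats patterns as shell globs, and the sample sshd_config in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: evaluate AllowUsers patterns from an sshd_config the way sshd
# does. Only AllowUsers is evaluated here (AllowGroups/DenyUsers/DenyGroups are
# ignored); patterns are treated as shell globs.

# Constructed sample config; not a real server's file.
SAMPLE_SSHD_CONFIG='PermitRootLogin no
# every AllowUsers line adds patterns; the union is what sshd checks
AllowUsers alice bob@10.0.0.*
AllowUsers deploy*'

# user_allowed USER [CLIENT_ADDR]: reads sshd_config on stdin.
# Exit 0 if no AllowUsers directive exists (everyone allowed) or USER matches
# a pattern; for "user@host" patterns CLIENT_ADDR must match the host part too.
# Runs in a subshell so `set -f` (no pathname expansion of patterns) stays local.
user_allowed() (
    set -f
    user=$1
    addr=${2:-}
    found=0
    while read -r key rest; do
        case $key in
            [Aa][Ll][Ll][Oo][Ww][Uu][Ss][Ee][Rr][Ss]) found=1 ;;
            *) continue ;;
        esac
        for pat in $rest; do
            case $pat in
                *@*) upat=${pat%%@*}; hpat=${pat#*@} ;;
                *)   upat=$pat;       hpat='*' ;;
            esac
            # unquoted expansions are used as patterns here on purpose
            case $user in $upat) ;; *) continue ;; esac
            case $addr in $hpat) exit 0 ;; esac
        done
    done
    [ "$found" -eq 0 ]
)

# check_sample USER [CLIENT_ADDR]: run user_allowed against the sample above.
check_sample() {
    printf '%s\n' "$SAMPLE_SSHD_CONFIG" | user_allowed "$@"
}
```

Usage against a real server: `user_allowed "$USER" 203.0.113.5 < /etc/ssh/sshd_config` (root access is needed to read that file on most systems). A non-zero exit tells you the login would be refused by AllowUsers regardless of which key ssh-add has loaded, which is the situation described above.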

Using pam_ssh module

I just want to add that one could also use the pam_ssh module, available here http://pam-ssh.sourceforge.net/ or in the AUR to decrypt the ssh key on login and automatically start ssh-agent and add the keys. This way one would have a truly passwordless ssh session and in the same way not compromise security by using a passphrase-less key.

ssh-agent

The current wiki entry tells one to "$ echo 'eval `ssh-agent`' >> ~/.bashrc", which will spawn a new ssh-agent every time. I think a more elegant way is only to add the export commands of ssh-agent to the .bashrc, so one ssh-agent can be used from every shell. This could be put in a small wrapper script:

#!/bin/sh
# check if an ssh-agent is already running for this user
if pgrep -u "$(id -u)" -x ssh-agent >/dev/null; then
        echo "ssh-agent is already running" >&2
        exit 1
fi
# get new sock and pid (Bourne-style output; the two export lines only)
agent=$(ssh-agent -s | head -n 2)
# delete old sock, pid and comment
sed -i -e '/SSH_\(AUTH_SOCK\|AGENT_PID\)/d' ~/.bashrc
# insert new sock and pid for new shells
printf '%s\n' "# auto generated SSH_AUTH_SOCK and SSH_AGENT_PID" "$agent" >> ~/.bashrc
# for evaluation in the current shell
printf '%s\n' "$agent"

$ eval "$(./ssh_agent_wrapper.sh)"

this would make ssh-agent available on the current and all new shells.

Be sure you have added the key to your /etc/ssh/ssh_config:

IdentityFile path/to/key
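A variant of the same idea, added here as an example and not the poster's script: instead of grepping the process list (which also matches other users' agents) and rewriting ~/.bashrc with sed, keep the agent's two export lines in a small per-user env file with mode 0600 and source it from every shell. Whether the recorded agent is still alive is checked through its socket with `ssh-add -l`, whose exit code distinguishes "no keys loaded" (1) from "cannot contact agent" (2). It assumes OpenSSH's ssh-agent and ssh-add; the AGENT_ENV variable and file name are choices made for this example, and the sample agent output at the end is constructed.

```shell
#!/bin/sh
# Added example (not the wiki poster's script): keep one ssh-agent per user and
# reuse it from every shell by sourcing a small env file, instead of grepping
# `ps` or rewriting ~/.bashrc. Assumes OpenSSH's ssh-agent/ssh-add; AGENT_ENV is
# a name chosen for this example. $XDG_RUNTIME_DIR is per-user tmpfs, so it is
# preferred over $HOME when available.
AGENT_ENV=${AGENT_ENV:-${XDG_RUNTIME_DIR:-$HOME}/.ssh-agent.env}

# agent_exports: filter `ssh-agent -s` output (stdin) down to its two export
# lines, dropping the trailing "echo Agent pid N;" so sourcing stays silent.
agent_exports() {
    grep -E '^SSH_(AUTH_SOCK|AGENT_PID)='
}

# agent_usable: 0 if SSH_AUTH_SOCK is a socket and the agent behind it answers.
# ssh-add -l exits 0 (keys loaded) or 1 (no keys) when it can talk to the
# agent, and 2 when it cannot; only 2 means a stale or dead agent.
agent_usable() {
    [ -S "${SSH_AUTH_SOCK:-}" ] || return 1
    ssh-add -l >/dev/null 2>&1 || [ $? -ne 2 ]
}

# start_or_reuse_agent: source the env file if it names a live agent, otherwise
# start a new agent and write its exports with mode 0600 (umask in a subshell
# so the caller's umask is untouched).
start_or_reuse_agent() {
    if [ -r "$AGENT_ENV" ]; then
        . "$AGENT_ENV"
        agent_usable && return 0
    fi
    (umask 077; ssh-agent -s | agent_exports > "$AGENT_ENV")
    . "$AGENT_ENV"
}

# Usage from ~/.bashrc or ~/.profile:
#   . ~/bin/agent.sh && start_or_reuse_agent
# Constructed sample of what `ssh-agent -s` prints; used only to exercise
# agent_exports without starting a real agent.
SAMPLE_AGENT_OUTPUT='SSH_AUTH_SOCK=/tmp/ssh-XXXX/agent.100; export SSH_AUTH_SOCK;
SSH_AGENT_PID=101; export SSH_AGENT_PID;
echo Agent pid 101;'
```

Because the env file is sourced rather than written into ~/.bashrc, a stale agent after reboot is detected and replaced on the next login, and the file never holds anything but the socket path and pid. Keys are still added with `ssh-add` (or by pam_ssh as described above); the passphrase itself is not stored anywhere.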