Action 4.4.5: Removing your public/private keys

Since your public and private keys are stored locally in a file, removing them is as simple as deleting the file. Of course, this will only delete them on your local machine and not any servers where you may have copied your public key. To remove those, refer to Action 4.3.4.



Step 4.5: How to use OpenSSH Passphrase Agents

Problem: Using public key authentication makes logging in to a server with SSH more secure, but less convenient due to having to type in a longer and more complex passphrase.

Action 4.5.1: Use ssh-agent and ssh-add to store your private keys in memory

To make public key authentication more convenient to use, the OpenSSH developers created the ssh-agent and ssh-add programs. These programs are designed to keep your private keys decrypted in memory for your current session. With ssh-agent, you will not need to type a passphrase when connecting to a remote system, since the private key resides in memory.

While this makes using public key authentication more convenient, it should be noted that it does pose a small security risk as your private key is sitting in memory decrypted. If a rogue program were able to read that portion of memory, it would be able to use the private key and log in to the remote server using your credentials.

ssh-agent can be run in one of two ways. The first way is to enter eval `ssh-agent` at the command line. This runs ssh-agent in the background; the agent prints shell commands that set two environment variables, SSH_AUTH_SOCK and SSH_AGENT_PID, and eval executes them in your current shell so that ssh can find the agent.

[sshuser@server.example.com]$ eval `ssh-agent`
Agent pid 19401
[sshuser@server.example.com]$ echo $SSH_AGENT_PID
19401
[sshuser@server.example.com]$ echo $SSH_AUTH_SOCK
/tmp/ssh-XXZCgt5e/agent.19401
[sshuser@server.example.com]$

The second way to run ssh-agent is to supply a program name, typically a shell, as a command line argument. When you run ssh-agent this way, that program will be run with SSH_AUTH_SOCK and SSH_AGENT_PID already set.

[sshuser@server.example.com]$ ssh-agent /bin/bash
[sshuser@server.example.com]$ echo $SSH_AGENT_PID
1272
[sshuser@server.example.com]$ echo $SSH_AUTH_SOCK
/tmp/ssh-XXZCgt5e/agent.1271
[sshuser@server.example.com]$
Once ssh-agent has started up successfully, you need to add the private keys into memory. This is done using the ssh-add program as follows:

[sshuser@server.example.com]$ ssh-add
Enter passphrase for /home/sshuser/.ssh/id_rsa:
Identity added: /home/sshuser/.ssh/id_rsa (/home/sshuser/.ssh/id_rsa)
[sshuser@server.example.com]$

When given no arguments, the ssh-add program looks for the files .ssh/id_rsa, .ssh/id_dsa and .ssh/identity in the home directory of the user and adds the private keys in these files into memory.

Alternatively, ssh-add accepts a filename as an argument. The file specified is expected to contain a private key, which ssh-add will load into memory.

If a private key requires a passphrase to decrypt it, ssh-add will prompt the user for the passphrase. If the passphrase is entered correctly, the private key will be stored in memory.



Action 4.5.2: Verify the private keys are in memory

Once the private keys have been loaded into memory, it may be helpful to verify that they are really there. This can be done using the -l option. This option will display all private keys that are currently in memory:

[sshuser@server.example.com]$ ssh-add -l
1024 5b:62:e3:14:80:72:e0:58:03:36:29:52:29:90:a9:04 /home/sshuser/.ssh/id_rsa (RSA)
[sshuser@server.example.com]$
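As an added example (not from the book), the start, load and verify steps of Actions 4.5.1 and 4.5.2 wrapped in POSIX shell functions that also bound the exposure window noted above: the agent is started with a default key lifetime (ssh-agent -t), each key gets its own lifetime (ssh-add -t), and the agent is killed with ssh-agent -k when the shell exits. The function names are the example's own; the OpenSSH commands and flags are real.

```shell
#!/bin/sh
# Added example: ssh-agent workflow with key lifetimes and cleanup on exit.
# Function names are this example's own, not OpenSSH commands.

# start_agent [LIFETIME_SECONDS]
# Runs ssh-agent in the background and imports SSH_AUTH_SOCK and
# SSH_AGENT_PID into the current shell, exactly as eval `ssh-agent` does.
# -s forces Bourne-shell style output; -t sets the default key lifetime.
start_agent() {
    lifetime="${1:-3600}"
    eval "$(ssh-agent -s -t "$lifetime")" >/dev/null || return 1
    # Discard the decrypted keys and stop the agent when this shell exits.
    trap stop_agent EXIT
    [ -S "$SSH_AUTH_SOCK" ] && [ -n "$SSH_AGENT_PID" ]
}

# load_key KEYFILE [LIFETIME_SECONDS]
# Adds one private key; -t overrides the agent default for this key only.
# ssh-add prompts for the passphrase itself if the key is encrypted.
load_key() {
    ssh-add -t "${2:-3600}" "$1"
}

# key_count prints how many identities the running agent holds.
# ssh-add -l prints "The agent has no identities." when empty, so only
# lines that begin with a key size (the "1024 5b:62:..." format) count.
key_count() {
    ssh-add -l 2>/dev/null | grep -c '^[0-9][0-9]* ' || true
}

# stop_agent removes every key from memory, then terminates the agent.
# ssh-agent -k prints the unset commands for the two variables, so it is
# eval'd just like the start-up output.
stop_agent() {
    [ -n "${SSH_AGENT_PID:-}" ] || return 0
    ssh-add -D >/dev/null 2>&1 || true
    eval "$(ssh-agent -k)" >/dev/null 2>&1 || true
    unset SSH_AUTH_SOCK SSH_AGENT_PID
}

# Typical use from an interactive shell:
#   start_agent 1800 && load_key ~/.ssh/id_rsa && key_count
```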