Recipe 6.9 Authenticating Without a Password (Interactively)

Previous page
Table of content
Next page

6.9.1 Problem

You want to authenticate without typing a password or passphrase.

6.9.2 Solution

Use ssh-agent, invoking it within backticks as shown:

$ eval `ssh-agent`

Add your keys to the agent using ssh-add:

$ ssh-add Enter passphrase for /home/smith/.ssh/id_dsa: ********

Then log in using public-key authentication and you won't be prompted for a passphrase: [Recipe 6.4]

$ ssh -l remoteuser remotehost

Some Linux distributions automatically run ssh-agent when you log in under an X session manager. In this case just skip the ssh-agent invocation.

6.9.3 Discussion

The SSH agent, controlled by the programs ssh-agent and ssh-add, maintains a cache of private keys on your local (client) machine. You load keys into the agent, typing their passphrases to decrypt them. SSH clients (ssh, scp, sftp) then query the agent transparently about keys, rather than prompting you for a passphrase.

The invocation of ssh-agent might look a little odd with the eval and backticks:

$ eval `ssh-agent`

but it is necessary because ssh-agent prints several commands on the standard output that set environment variables when run. To view these commands for testing, run ssh-agent alone:

$ ssh-agent SSH_AUTH_SOCK=/tmp/ssh-XXNe6NhE/agent.13583; export SSH_AUTH_SOCK; SSH_AGENT_PID=13584; export SSH_AGENT_PID; echo Agent pid 13584;

and then kill it manually (kill 13584).[2]

[2] In this case, you cannot kill the agent with ssh-agent -k because the environment variables aren't set.

ssh-add, invoked with no command-line arguments, adds your default keys to the cache. To add a selected key, simply list it:

$ ssh-add ~/.ssh/other_key

Removing keys is done like this:

Remove one key: $ ssh-add -d ~/.ssh/other_key Remove all keys: $ ssh-add -D

A tempting but naive alternative to ssh-agent is a key with an empty passphrase, called a plaintext key. If you authenticate with this key, indeed, no passphrase is needed . . . but this is risky! If a cracker steals your plaintext key, he can immediately impersonate you on every machine that contains the corresponding public key.

For interactive use, there is no reason to use a plaintext key. It's like putting your login password into a file named password.here.please.steal.me. Don't do it. Use ssh-agent instead.

Another way to avoid passphrases is to use hostbased (trusted host) authentication [Recipe 6.8], but for interactive use we recommend public-key authentication with ssh-agent as inherently more secure.

6.9.4 See Also

ssh-agent(1), ssh-add(1).

Previous page
Table of content
Next page
Linux Security Cookbook
Linux Security Cookbook
ISBN: 0596003919
EAN: 2147483647
Year: 2006
Pages: 247
Authors: Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes
BUY ON AMAZON
Cisco IP Communications Express: CallManager Express with Cisco Unity Express
C++ GUI Programming with Qt 3
MySQL Cookbook
Introducing Microsoft ASP.NET AJAX (Pro - Developer)
GO! with Microsoft Office 2003 Brief (2nd Edition)
Programming .Net Windows Applications
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy