DevInTheMiddle_

SSH is nice with you

Published on Nov 24, 2020

We come back to the password and public key authentication topic because I know that you are already annoyed by typing the passphrase of your private key every time you connect to a remote host.

Because you put a passphrase, right?!

Yes, I trust you, and I know that you are so good that you put a passphrase on your private key. In case you didn't, you can always add one by following the steps of the previous article.

SSH agent is the "key"

If you use ssh often, you quickly realize that typing your passphrase every time you connect to a remote host gets annoying.

SSH is nice with you, it offers a solution to that: ssh-agent!

The ssh-agent is a program that holds your decrypted private keys in memory. It asks for the passphrase once, when a key is added, uses it to decrypt the key, and from then on answers signing requests from the ssh client: the private key never leaves the agent, and the passphrase itself is not stored anywhere.

The agent is used for SSH public key authentication: when a server challenges you, the ssh client hands the challenge to the agent over a Unix socket (the path is in SSH_AUTH_SOCK) and sends back the signature. You create key pairs with the ssh-keygen command and install the public half on servers with the ssh-copy-id command.

Another useful thing is that, if the server allows it, you can forward your agent to the server (ssh -A, or ForwardAgent yes in your config): commands run there talk to your local agent through a forwarded socket, so you can hop on to other hosts with your key without ever copying the private key to the remote server. Be careful where you do that: anyone with root on the host you forward to can use your agent to authenticate as you for as long as you stay connected (they cannot extract the key, but they don't need to). Only forward to hosts you trust, prefer a jump host (ssh -J jump target, ProxyJump in the config) when all you need is to pass through, and consider adding your keys with ssh-add -c so that every use has to be confirmed on your machine.

Windows users, don't worry: thanks to Microsoft's OpenSSH port, most of the ssh commands now work there too, from PowerShell. And yes, ssh-agent is available as well (it runs as the "OpenSSH Authentication Agent" service) \m/...(>.<)…\m/

Run the agent

Open a shell and run

$ eval $(ssh-agent)
Agent pid 11935

This will run the agent for the shell you opened only, not globally: the eval is what exports SSH_AUTH_SOCK and SSH_AGENT_PID into that shell, and a new terminal will not see them.

If you want to run the agent globally, and you are logged in to a graphical session, arrange to start ssh-agent during your session start-up. Some distributions already do that for you. If yours doesn't, run ssh-agent from your session start-up script or from your window manager. How to do that depends on your desktop environment and your window manager.

Another option is to run the following command:

$ eval $(ssh-agent | tee $HOME/.ssh/agent.env)
Agent pid 11957

When you run it, besides starting the agent it writes the agent's variables (the socket path and the PID) to the file agent.env in your .ssh directory. Remember to restrict the access rights, the file is for your eyes only:

$ chmod go-rwx $HOME/.ssh/agent.env

At this point, when you open a new terminal you just need to source the file. If the agent recorded in it has died in the meantime (after a reboot, for instance), ssh-add will answer "Could not open a connection to your authentication agent." and you have to start a new one as above:

$ source $HOME/.ssh/agent.env 
Agent pid 11957
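Putting the pieces above together, this is what I would actually source from ~/.bashrc. It is an added example, not code from the article: it reuses the agent recorded in agent.env when that agent still answers, starts a new one otherwise (so you never accumulate one orphan agent per terminal), and creates the file under umask 077 so it is never readable by others, not even for an instant before the chmod. It assumes OpenSSH's ssh-agent and ssh-add are on your PATH; the file path is the article's, the function names are my own.

```bash
#!/bin/sh
# One ssh-agent per login, shared by every terminal. Added example, not the
# article's code. Assumes OpenSSH ssh-agent/ssh-add on PATH; AGENT_ENV is the
# same $HOME/.ssh/agent.env file the article uses.

AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# agent_alive: succeed only if SSH_AUTH_SOCK is a socket an agent answers on.
# ssh-add -l exits 0 (keys loaded) or 1 (agent reachable, no keys) when the
# agent is up, and 2 when it cannot be contacted (dead socket, stale env file).
agent_alive() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ] || return 1
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -ne 2 ]
}

# write_agent_env: store ssh-agent's Bourne-style output (read from stdin) in
# AGENT_ENV, created under umask 077 in a subshell so the file is owner-only
# from the first byte and the umask does not leak into the caller's shell.
write_agent_env() {
    mkdir -p "$(dirname "$AGENT_ENV")"
    ( umask 077; cat > "$AGENT_ENV" )
}

# start_agent: launch a fresh agent, persist its variables, load them here.
start_agent() {
    ssh-agent -s | write_agent_env
    . "$AGENT_ENV" >/dev/null
}

# load_agent: reuse the recorded agent if it is still alive, else start one.
load_agent() {
    [ -r "$AGENT_ENV" ] && . "$AGENT_ENV" >/dev/null
    agent_alive || start_agent
}

# file_mode FILE: permission string as shown by ls, e.g. "-rw-------".
file_mode() { ls -ld "$1" | cut -c1-10; }

# Usage from ~/.bashrc or ~/.profile (agent.sh is a hypothetical name for
# this file):
#   . "$HOME/.ssh/agent.sh" && load_agent
# then run `ssh-add -t 9h` once per day, as in the next section.
```

The liveness test is the important part: sourcing a stale agent.env is harmless, but silently trying to use it means every ssh command fails until you notice, while the exit code 2 from ssh-add -l tells you right away that nobody is listening on that socket.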

Adding your key to the agent

To add one of your identities to the agent, just run:

$ ssh-add -t 9h
Enter passphrase for /home/fabio/.ssh/id_ed25519: 
Identity added: /home/fabio/.ssh/id_ed25519 (fabio@zambroid.ch)
Lifetime set to 32400 seconds

It asks for your passphrase only once, and as long as the agent is running (and the key has not expired, see below) you will not be asked for it again.

As you can see, I added the -t 9h option. This is because I want the identity removed from the agent after 9 hours (my usual working time), so that I have to re-add it the next day. This for two reasons:

  1. in this way I cannot forget my passphrase
  2. I am sure that the agent is "clean" when I leave my desk to go back home.

Adding a specific identity

If you have different keys and need to add a specific one, pass its path (the options go before the file name):

$ ssh-add -t 9h /home/fabio/.ssh/id_ed25519

List the added identities

In case you added multiple keys to your agent you can list all of them simply with:

$ ssh-add -l

This command lists all the keys you added, with their SHA256 fingerprint, or you can use

$ ssh-add -L

and it will display the corresponding public keys, one per line, in the same format used by authorized_keys.

Deleting added identities

When an identity is no longer needed you can delete it:

$ ssh-add -d /home/fabio/.ssh/id_ed25519
Identity removed: /home/fabio/.ssh/id_ed25519 (fabio@zambroid.ch)

Or if you want to clean all the keys:

$ ssh-add -D
All identities removed.

ssh-copy-id

One important thing I forgot to mention in the first article is the powerful ssh-copy-id command. This command allows you to easily append your public key to the authorized_keys of your user on the destination server: it logs in with your password, creates ~/.ssh there if needed, and appends the key. One caveat: without -i, ssh-copy-id installs every key your agent currently lists (ssh-add -L), falling back to your ~/.ssh/id_*.pub files when no agent is available, so if you have several keys loaded pass -i ~/.ssh/id_ed25519.pub to choose the one you mean:

$ ssh-copy-id user@your.server.com
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
user@your.server.com's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'user@your.server.com'"
and check to make sure that only the key(s) you wanted were added.

If your key is already present, the command will tell you and nothing will happen on the server side.

If you are unsure, you can always test it with the -n option, to make a dry run (it still logs in, to find out which keys are already installed, but changes nothing):

$ ssh-copy-id -n user@your.server.com
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
=-=-=-=-=-=-=-=
Would have added the following key(s):

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBB1uvH/HM2Dnw0sbW+oIEfJXVy3/WLPk0b2sUTbxvBT fabio@zambroid.ch
=-=-=-=-=-=-=-=
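For completeness, here is what ssh-copy-id does on the server side, written as a couple of local shell functions so that the "nothing happens if the key is already there" behaviour and the -n dry run can be exercised offline. This is an added example, not the article's nor OpenSSH's code; the function names are mine, and the sample key in the test is the public key shown in the dry-run output above.

```bash
#!/bin/sh
# Idempotent authorized_keys install, the server-side half of ssh-copy-id.
# Added example, not the article's or OpenSSH's code; names are my own.

# key_id KEYLINE: "type blob" of a public key line. The trailing comment is
# free text, so it must not take part in the "already installed?" comparison.
key_id() { printf '%s\n' "$1" | awk '{print $1 " " $2}'; }

# has_key FILE KEYLINE: succeed if FILE already holds a key with the same
# type and blob (any comment).
has_key() {
    [ -f "$1" ] || return 1
    awk -v want="$(key_id "$2")" \
        '($1 " " $2) == want { found = 1 } END { exit !found }' "$1"
}

# install_pubkey FILE KEYLINE: append the key unless it is already present.
# sshd (StrictModes) refuses a ~/.ssh or authorized_keys that others can
# write, so both are created under umask 077, in a subshell that does not
# leak the umask into the caller. Returns 0 if added, 1 if already there.
install_pubkey() {
    has_key "$1" "$2" && return 1
    ( umask 077; mkdir -p "$(dirname "$1")"; touch "$1" )
    printf '%s\n' "$2" >> "$1"
}

# would_add FILE KEYLINE: the -n dry run. Reports what would change and
# touches nothing; returns 1 when the key is already installed.
would_add() {
    has_key "$1" "$2" && return 1
    printf 'Would have added the following key(s):\n\n%s\n' "$2"
}

# count_keys FILE: number of key lines (blank lines and # comments excluded).
count_keys() { grep -c -v -e '^#' -e '^[[:space:]]*$' "$1" || true; }
```

Matching on type and blob rather than on the whole line is what keeps the install idempotent: the same key with a different comment (a renamed laptop, a key re-exported with ssh-add -L) is still the same key, and appending it twice would only clutter the file you are told to check after each run.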

Written by

Fabio Zambrino

GitHub •  Fingerprint

Senior System Engineer with a genuine passion for Information Security. Making professional mistakes since 2005.
Thinks of himself to be a real Security Guru... But always forgets to lock the car!