
Re: ssh (again)



Zed Pobre <zed@moebius.interdestination.com> writes:

>     Okay, I've checked the archives, followed the instructions, and I
> still can't get it working.  What I did (as best I can remember):
> 
>     On my local machine, did ssh-keygen, stored the files in
> .ssh/identity and .ssh/identity.pub.
> 
>     Telnetted to master.  Created ~/.ssh.  chmod 700 .ssh  
>     cd .ssh
>     FTP back to my local machine, set binary mode, get identity.pub out
> of the .ssh directory.  
>     mv identity.pub authorized_keys
>     chmod 600 authorized_keys
> 
> 
>     ssh -v master from the local machine results in this:
> 
<SNIP>
> moebius: Trying RSA authentication with key 'zed@moebius'
> moebius: Received RSA challenge from server.
> Enter passphrase for RSA key 'zed@moebius': 
> 
>     whereas as you can see it ends up asking me for my passphrase (which I
> gather it isn't supposed to do).  There's no difference if I use slogin
> master instead of ssh master.  Did I miss a step somewhere?

Here's the deal - when you generated the public/private keypair with
ssh-keygen you had the option of giving a passphrase required to
unlock the secret key half of that keypair.  If you were so certain of
your own system's security that you didn't add a passphrase to that
public/private keypair, then you wouldn't get asked here (the prompt
here is for the passphrase created with ssh-keygen, not for some
password on master).  In that case, however, someone who stole your
secret key file could access your account on master - not a desirable
thing.

So, ok, you've decided that your secret key file has to be protected
with a passphrase so that if you get hacked the hacker doesn't
automatically have access to your account on master.  But isn't it
possible to just enter the passphrase once and be done with it?  Yes,
it is.  The answer lies in the programs ssh-agent and ssh-add.

The idea is that ssh-agent is run as a background process and stores
the identities (i.e. the secret keys) of a user in an unencrypted
fashion; secret keys are added by the user with ssh-add (which does
prompt for a passphrase), and ssh (and scp, etc.) will then use these
secret keys, never prompting the user for a passphrase.  The end
result is that the user need enter the passphrase for a given secret
key only once.

The best way to run ssh-agent is probably something like this:
In your .xsession, assuming that you just have a line which says 
exec whateverwm
replace it with:
exec ssh-agent whateverwm

(If you don't have a .xsession, you should make one)

This will then make it so that any processes started by your window
manager (which, unless you use something like tkdesk and start it from 
your .xsession, should be every X app you run).  Now, you still need
to run ssh-add at some point - I suggest either get used to typing it
in every time you log back in to X, or put ssh-add in your window
manager's init function.  (This is easy to do with fvwm2, and will be
just as easy to do with fvwm95 once I get my new version released; I
can't speak for other window managers).

Setting up ssh-agent and an automatic ssh-add for telnet and console
logins is left as an exercise for the reader.
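For the console and telnet login case mentioned above, here is an added example (not part of the original mail) of a POSIX sh fragment that a ~/.profile could call: it reuses an agent inherited from .xsession when one is reachable, otherwise starts one with `ssh-agent -s` and imports its exports, then runs ssh-add once. It assumes the ~/.ssh/identity key path used in this thread; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original mail: agent setup for a
# console or telnet login. Assumes POSIX sh, `ssh-agent -s` (which
# prints Bourne-shell export lines) and the ~/.ssh/identity key used
# in the thread.

# Return 0 only when $SSH_AUTH_SOCK names a live agent we can reach.
agent_usable() {
    [ -n "${SSH_AUTH_SOCK:-}" ] || return 1
    [ -S "$SSH_AUTH_SOCK" ] || return 1
    command -v ssh-add >/dev/null 2>&1 || return 1
    # ssh-add -l exits 2 when it cannot contact the agent; 0 (keys
    # listed) or 1 (no identities yet) both mean the agent answered.
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -ne 2 ]
}

# Reuse an inherited agent (e.g. from .xsession) if there is one;
# otherwise start a new one and import its SSH_AUTH_SOCK/SSH_AGENT_PID
# exports into this shell so every later ssh/scp inherits them.
ensure_agent() {
    agent_usable && return 0
    command -v ssh-agent >/dev/null 2>&1 || return 1
    eval "$(ssh-agent -s)" >/dev/null || return 1
    agent_usable
}

# Load the identity once; this is the only place the passphrase is
# typed, after which ssh, scp and slogin use the key without prompting.
load_identity() {
    key="${1:-$HOME/.ssh/identity}"
    [ -r "$key" ] || { echo "load_identity: no readable key: $key" >&2; return 1; }
    ssh-add "$key"
}

# Call this from ~/.profile; it never aborts the login when the agent
# tools are missing, it just falls back to per-connection prompting.
login_agent_setup() {
    if ensure_agent; then
        load_identity
    else
        echo "ssh-agent unavailable; ssh will prompt for the passphrase" >&2
        return 1
    fi
}
```

Note that a sourced ~/.profile is what makes the `eval` useful: run as a separate script, the exports would die with it.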

