On Thu, Nov 16, 2000 at 07:08:12PM -0800, kmself@ix.netcom.com wrote:
> on Thu, Nov 16, 2000 at 11:21:47AM -0700, Gary Hennigan (glhenni@sandia.gov) wrote:
> > "Gary Hennigan" <glhenni@sandia.gov> writes:
> >
> > Forgot 4) Run ssh-add at the beginning of your login session.
>
> Ok, can someone wap me with a cluestick here? What's ssh-add do? I
> took a quick look at the manpage, but it's not immediately evident. Is
> it in any way analogous to, say, 'sudo -v', which will enable (or
> update) the sudo timestamp to allow passwordless access to privileged
> commands?

not really, ssh-add works in conjunction with ssh-agent. basically what you do is this:

run ssh-agent bash, which creates a unix domain socket at /tmp/ssh-garbage/agent.PID and puts this path into the SSH_AUTH_SOCK environment variable of the shell it runs.

ssh-add reads a ssh private key and asks you for the passphrase. when you give the passphrase it stores a decrypted copy of the key in ssh-agent's memory and it's then available via the socket in /tmp (it might be the passphrase rather than the key, I'm not sure).

when you run ssh it notices the SSH_AUTH_SOCK variable and reads the key from the socket and asks the server if the key can be used for authentication (by sending the comment string). if so the server encrypts a random token with the public key found in the remote authorized_keys file and sends it; the local ssh uses the key read from the socket to decrypt and send the token back, so the server knows you must have the secret half of the public key. (regular RSA auth)

for scripts you can do one of two things:

run ssh -i /where/ever/.ssh/identity hostname with a passwordless keyfile, or create a shell script like so:

    #! /usr/bin/ssh-agent /bin/sh
    # ssh-agent runs this script under /bin/sh with SSH_AUTH_SOCK already set;
    # stdin is /dev/null so ssh-add cannot prompt for a passphrase
    ssh-add /where/ever/.ssh/identity < /dev/null > /dev/null 2>&1

however you still need a passwordless key since ssh-add needs to ask the passphrase if one is required.
the ssh-agent shell script trick is useful for things like dump, which runs ssh in its own way that you cannot control (you can't add the -i switch).

ssh-agent is mostly useful for replicating the old rsh .rhosts passwordless access to various hosts, only doing it much more securely. you run ssh-agent, add your key[s] and never have to enter passwords or passphrases again until you end the session. scp is unusable without ssh-agent IMO.

debian's Xsession runs ssh-agent automatically so all you need to do to enable it is add:

    export SSH_ASKPASS=/usr/bin/ssh-askpass
    # tighten the agent socket ssh-agent created with the umask applied
    [ -n "$SSH_AUTH_SOCK" ] && chmod 600 "$SSH_AUTH_SOCK"
    # give X a moment to come up, then load the key via the graphical askpass
    sleep 4 && /usr/bin/ssh-add ~/.ssh/identity &

to your ~/.xsession. this puts up a graphical password dialog to ask the passphrase.

the chmod hack I also put in my .bashrc since ssh-agent creates the socket with permissions masked against your umask, which can leave it world readable; it only makes sure to create the directory mode 700. I think both files should be protected. relying on `gate' directories is not safe IMO.

note that ssh-agent does give root a very easy way to gain access to your ssh keys, so don't use it unless you totally trust root (though root can do other things to get your key, such as trojaning ssh). with ssh-agent all root needs to do is:

    # SSH_AUTH_SOCK=/tmp/ssh-random/agent.pid ssh hostname

where ssh-random is the ssh agent directory you own.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
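The chmod hack above, as an added example that is not part of the original message: a shell function that checks the agent socket named by $SSH_AUTH_SOCK (or a path passed in) and its parent directory, refuses a socket owned by someone else, and tightens the modes to 600/700 as the .xsession snippet does. It assumes GNU stat with -c; the function name and return codes are my own.

```shell
# harden_agent_sock PATH
#   returns 0 if socket and directory were already 600/700,
#           1 if one or both had to be tightened,
#           2 if PATH does not exist,
#           3 if PATH is not owned by the calling user (do not use it).
# Accepts a regular file as well as a socket so the logic can be exercised
# without a running agent. Assumes GNU coreutils stat(1).
harden_agent_sock() {
    sock="${1:-$SSH_AUTH_SOCK}"
    if [ ! -S "$sock" ] && [ ! -f "$sock" ]; then
        return 2
    fi
    # an agent socket you do not own is not yours to trust or to chmod
    if [ "$(stat -c '%u' "$sock")" != "$(id -u)" ]; then
        return 3
    fi
    dir=$(dirname "$sock")
    changed=0
    # ssh-agent creates the directory 0700 but the socket only umask-masked,
    # so check and fix both rather than relying on the directory as a gate
    if [ "$(stat -c '%a' "$dir")" != "700" ]; then
        chmod 700 "$dir" && changed=1
    fi
    if [ "$(stat -c '%a' "$sock")" != "600" ]; then
        chmod 600 "$sock" && changed=1
    fi
    return "$changed"
}
```

Drop it in ~/.bashrc and call `harden_agent_sock` once per login; a return of 3 means $SSH_AUTH_SOCK points somewhere it should not.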