<yambe:breadcrumb>OpenSSH server configuration|OpenSSH</yambe:breadcrumb>

Passphrase for ssh-keys

When our public key, private key etc. can be used to access some sensitive information that it makes sense to protect our keys with some passphrase. If you already have keys without passphrase then you can set passphrase for them using

   ssh-keygen -p

The same command can be used to change passphrase for existing keys.

Using agent for authentication

Now when one uses key based authentication he/she is asked for passphrase for key based authentication to work. If we are going to use key based authentication a lot then this asking of passphrase so many times can be irritating. To solve that problem replace current shell with ssh-agent using:

   exec $(which ssh-agent) $SHELL

then use

   ssh-add

command and enter passphrase only once. Now shell would remember the passphrase and you can ssh to various servers with keys protected by passphrase without requiring to enter passphrase for each login. ssh-agent started in this manner automatically closes whenever shell exits, so we do not have to worry about security problems because of added keys once we have exited shell.

To execute ssh-agent automatically on remote machines during SSH use:

    eval `ssh-agent -s`

in ~/.bashrc. This was learned from http://stackoverflow.com/questions/17846529/could-not-open-a-connection-to-your-authentication-agent

Using Agent Forwarding for convenient ssh from remote machines

Consider situation where Client C1 has key based access to servers S1 and S2. Now if client tries to connect to S1 using SSH the agent can authorized the client and connection would get established without needing any password. But now if client tries to SSH to S2 from S1 then client would be forced to enter password as the clients key located on C1 is not automatically used by S1. To use C1's key while C1 is connected to S1, one can use 'ForwardAgent' option such as:

ssh -X root@<S1> -o 'ForwardAgent=yes'

This assumes two things:

• authorized_keys file on S1 does not restricts agent-forwarding. See Configuring authorized_keys file for public key based access
• connection to S1 is established using agent after using 'exec $(which ssh-agent) $SHELL' and 'ssh-add' and not directly.

Now if client tries to SSH to S2 then the keys located on clients machine can be used for authentication with the help of a local agent. More information on this can be read from http://www.unixwiz.net/techtips/ssh-agent-forwarding.html

Obtaining fingerprint of existing keys

To obtain fingerprint of existing keys use:

ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub

<yambe:breadcrumb>OpenSSH server configuration|OpenSSH</yambe:breadcrumb>