[11]In Unix, they talk to the agent over a named pipe whose filename is stored in an environment variable. [Section 6.3.2, "Starting an Agent"]
$ ssh-agent $SHELL

where SHELL is the environment variable containing the name of your login shell. Alternatively, you could supply the name of any other shell, such as sh, bash, csh, tcsh, or ksh. The agent runs and then invokes the given shell as a child process. The visual effect is simply that another shell prompt appears, but this shell has access to the agent. Once the agent is running, it's time to load private keys into it using the ssh-add program. By default, ssh-add loads the key from your default identity file:

$ ssh-add
Need passphrase for /u/you/.ssh/identity ('Your Name <you@local.org>').
Enter passphrase: ************
Identity added: /u/you/.ssh/identity ('Your Name <you@local.org>').

Now ssh and scp can connect to remote hosts without prompting for your passphrase. Figure 2-3 shows the process.

[12]To force ssh-add to use X to read the passphrase, type ssh-add < /dev/null at a command line.

ssh-add has further capabilities, particularly in SSH2, and can operate with multiple identity files. [Section 6.3.3, "Loading Keys with ssh-add"] For now, here are a few useful commands. To load a key other than your default identity into the agent, provide the filename as an argument to ssh-add:

$ ssh-add my-other-key-file

You can also list the keys the agent currently holds:

$ ssh-add -l

delete a key from the agent:

$ ssh-add -d name-of-key-file

or delete all keys from the agent:

$ ssh-add -D
WARNING: When running an SSH agent, don't leave your terminal unattended while logged in. While your private keys are loaded in an agent, anyone may use your terminal to connect to any remote accounts accessible via those keys, without needing your passphrase! Even worse, a sophisticated intruder can extract your keys from the running agent and steal them. If you use an agent, make sure to lock your terminal if you leave it while logged in. You can also use ssh-add -D to clear your loaded keys and reload them when you return. In addition, ssh-agent2 has a "locking" feature that can protect it from unauthorized users. [Section 6.3.3, "Loading Keys with ssh-add"]
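The footnote above says programs reach the agent through a named pipe whose name is kept in an environment variable. The following added example (not from the book) shows what ssh-add -l and ssh-add -D actually send over that socket, which is also exactly what any other process with access to the socket can send. It assumes the OpenSSH agent protocol's message numbers (draft-miller-ssh-agent) and OpenSSH's SSH_AUTH_SOCK variable; the sample reply is constructed.

```python
import os
import socket
import struct

# Message numbers from the OpenSSH agent protocol (draft-miller-ssh-agent).
SSH_AGENTC_REQUEST_IDENTITIES = 11     # what "ssh-add -l" sends
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_REMOVE_ALL_IDENTITIES = 19  # what "ssh-add -D" sends

def frame(msg_type, body=b""):
    """Wrap a message in the agent's framing: uint32 length, byte type, body."""
    return struct.pack(">I", 1 + len(body)) + bytes([msg_type]) + body

def read_string(buf, off):
    """Parse an SSH 'string' (uint32 length + bytes) starting at offset off."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string in agent reply")
    return buf[off:off + n], off + n

def parse_identities_answer(reply):
    """Decode an IDENTITIES_ANSWER payload into (key_type, comment) pairs."""
    if not reply or reply[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent message type %r" % reply[:1])
    (count,) = struct.unpack_from(">I", reply, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = read_string(reply, off)     # public key blob
        comment, off = read_string(reply, off)  # the comment "ssh-add -l" shows
        key_type, _ = read_string(blob, 0)      # blob begins with its algorithm name
        keys.append((key_type.decode(), comment.decode(errors="replace")))
    return keys

def agent_request(msg_type, path=None):
    """Send one request to a live agent over SSH_AUTH_SOCK; return reply payload."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path or os.environ["SSH_AUTH_SOCK"])
        s.sendall(frame(msg_type))
        f = s.makefile("rb")
        (length,) = struct.unpack(">I", f.read(4))
        return f.read(length)

def sample_reply():
    """Constructed reply from an agent holding one ed25519 key (dummy blob bytes)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + b"\x00" * 32
    comment = b"you@local.org"
    return (bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 1)
            + struct.pack(">I", len(blob)) + blob + struct.pack(">I", len(comment)) + comment)
```

With a running agent, `parse_identities_answer(agent_request(SSH_AGENTC_REQUEST_IDENTITIES))` gives the same list that ssh-add -l prints, and sending SSH_AGENTC_REMOVE_ALL_IDENTITIES empties the agent the way ssh-add -D does.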
$ scp pat@shell.isp.com:print-me imprime-moi

In fact, scp can copy a file from remote host shell.isp.com directly to a third host running SSH on which you have an account named, say, "psmith":

$ scp pat@shell.isp.com:print-me psmith@other.host.net:imprime-moi

Rather than copying the file first to the local host and then back out again to the final destination, this command has shell.isp.com send it directly to other.host.net. However, if you try this, you will run into the following problem:

$ scp pat@shell.isp.com:print-me psmith@other.host.net:imprime-moi
Enter passphrase for RSA key 'Your Name <you@local.org>': ************
You have no controlling tty and no DISPLAY.
Cannot read passphrase.
lost connection

What happened? When you run scp on your local machine, it contacts shell.isp.com and internally invokes a second scp command to do the copy. Unfortunately, the second scp command also needs the passphrase for your private key. Since there is no terminal session to prompt for the passphrase, the second scp fails, causing the original scp to fail. The SSH agent solves this problem: the second scp command simply queries your local SSH agent, so no passphrase prompting is needed. The SSH agent also solves another, more subtle problem in this example. Without the agent, the second scp (on shell.isp.com) needs access to your private key file, but the file is on your local machine. So you have to copy your private key file to shell.isp.com. This isn't ideal; what if shell.isp.com isn't a secure machine? Also, the solution doesn't scale: if you have a dozen different accounts, it is a maintenance headache to keep your private key file on all of them. Fortunately, the SSH agent comes to the rescue once again. The remote scp process simply contacts your local SSH agent, authenticates, and the secure copy proceeds successfully, through a process called agent forwarding.[13]

[13]It is on by default in SSH1 and SSH2, but off in OpenSSH.

$ scp pat@shell.isp.com:print-me psmith@other.host.net:imprime-moi
Copyright © 2002 O'Reilly & Associates. All rights reserved.