Ssh-agent
ssh-agent is a program that, used together with OpenSSH or similar ssh programs, provides a secure way of storing the passphrase of the private key.

Public-key cryptography plays the central role in logging in to a server from a local machine via SSH. A key pair is generated, consisting of a private key and a public key. The public key is available to everyone and is often stored on public key servers. Any user has access to this key, whereas the private key must be kept secret. It is used to decrypt any message encrypted with the public key.

A normal authentication process by simply typing a password is vulnerable to brute force attacks. To circumvent this lack of security ssh supports public-key authentication. In order to log in securely to a remote system via a secure shell, a private key/public key pair is generated. The private key is stored on the local machine. The public key is stored on the target machine in the $HOME/.ssh/authorized_keys file. Public keys are not sensitive information and may be known to anybody, whereas the private key needs to be protected very carefully by a strong passphrase. Working with multiple servers is made easier by using ssh-agent. ssh-agent remembers the passphrase so that the user does not need to type it every time he wants to connect or send data to the server.
Principle
The verification to the server is based on challenge-response authentication. Ssh connects to the server with a user name and a request to authenticate with a key. The ssh daemon receives the request and sends back a challenge based on the public key stored in the authentication file ($HOME/.ssh/authorized_keys). Ssh uses the private key to construct a response to the challenge and sends it to the waiting sshd on the other end of the connection; it does not send the private key itself. The ssh daemon validates the response and, if it is valid, grants access to the system.

ssh-agent simplifies this by creating a socket that listens for SSH connections. You simply tell ssh-agent how to find your keys, enter the passphrase for each once, and it then handles the rest every time you connect to a remote server.

Setting Up Ssh Agent
1. Use ssh-keygen to generate a public key/private key pair.
$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/usrname/.ssh/id_dsa):
Enter passphrase (empty for no passphrase): (use a passphrase)
Enter same passphrase again: (use a passphrase)
Your identification has been saved in /home/usrname/.ssh/id_dsa.
Your public key has been saved in /home/usrname/.ssh/id_dsa.pub.
$
2. The public key needs to be stored in the $HOME/.ssh/authorized_keys file on the remote machine. This can be done by using ssh.
$ ssh you@remote-system "cat >> ~/.ssh/authorized_keys" < ~/.ssh/id_dsa.pub
3. Now ssh-agent comes into play. The first time a key is added, its passphrase needs to be entered once.
$ ssh-add .ssh/id_dsa
Enter passphrase for .ssh/id_dsa:
Identity added: .ssh/id_dsa (.ssh/id_ds)
Security issues
ssh-agent creates a socket and then accepts connections on it from /usr/bin/ssh. Everyone who is able to connect to this socket also has access to the ssh-agent. The permissions are set as on a usual Linux system: when the agent starts, it creates a new directory under /tmp/ with restrictive permissions, and the socket is located in that directory. Your agent keys are usable by the root user. However, they are only usable while the agent is running.
Root could use the agent to authenticate to the user's accounts on other systems, but the agent does not provide direct access to the keys themselves. This means that the keys cannot be taken off the machine and used from other locations indefinitely.
There is a way to ensure that no unwanted user is using the ssh-agent. If the -c option is set when the keys are added to the ssh-agent, the agent requests a confirmation before a key is used. Of course the root user can still access the confirmation window (X11) and manipulate it. It is important that the root user is trustworthy.
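The two points above, that anyone who can reach the socket can use the agent but that only public material ever crosses it, can be seen in the agent protocol itself. The following is an added example, not code from the article or from OpenSSH: a minimal client for the "request identities" exchange of the ssh-agent protocol (message numbers 11 and 12 as in draft-miller-ssh-agent), plus a check that the socket's directory is private to the current user. The function names and the sample answer are constructed for this illustration.

```python
import os
import socket
import struct

SSH_AGENTC_REQUEST_IDENTITIES = 11  # client -> agent: "which keys do you hold?" (draft-miller-ssh-agent)
SSH_AGENT_IDENTITIES_ANSWER = 12    # agent -> client: public key blobs and comments only

def encode_string(b):
    """SSH wire 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def read_string(buf, off):
    """Decode one SSH 'string' at offset off; return (bytes, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_request_identities():
    """Frame a complete SSH_AGENTC_REQUEST_IDENTITIES message (length prefix + type byte)."""
    return encode_string(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))

def parse_identities_answer(body):
    """Parse an SSH_AGENT_IDENTITIES_ANSWER body into (key_type, public_blob, comment) tuples."""
    if not body or body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent message type: %r" % body[:1])
    (nkeys,) = struct.unpack_from(">I", body, 1)
    off, identities = 5, []
    for _ in range(nkeys):
        blob, off = read_string(body, off)       # public key only; private keys stay in the agent
        comment, off = read_string(body, off)
        key_type, _ = read_string(blob, 0)       # a key blob starts with its own type name
        identities.append((key_type.decode(), blob, comment.decode("utf-8", "replace")))
    return identities

def socket_dir_is_private(sock_path):
    """True if the socket's directory is ours and closed to group/other (root can still reach it)."""
    st = os.stat(os.path.dirname(sock_path))
    return st.st_uid == os.getuid() and (st.st_mode & 0o077) == 0

def list_agent_identities(sock_path):
    """Query a live agent (normally os.environ['SSH_AUTH_SOCK']) for the keys it holds."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(build_request_identities())
        (length,) = struct.unpack(">I", s.recv(4, socket.MSG_WAITALL))
        return parse_identities_answer(s.recv(length, socket.MSG_WAITALL))

# Constructed sample answer (not from a real agent): one ed25519 identity with an all-zero public key.
SAMPLE_ANSWER = (bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 1)
                 + encode_string(encode_string(b"ssh-ed25519") + encode_string(bytes(32)))
                 + encode_string(b"usrname@laptop (constructed)"))
```

Running `list_agent_identities(os.environ["SSH_AUTH_SOCK"])` against a live agent lists the loaded keys the same way `ssh-add -l` does; `socket_dir_is_private` on the same path confirms that the /tmp directory holding the socket is not readable by other unprivileged users.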
External links
* [http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1 ssh-agent man page] from the OpenSSH release (part of the OpenBSD project).
* [http://www.phil.uu.nl/~xges/ssh/ SSH Agent tool for Mac OS X]
* [http://mah.everybody.org/docs/ssh "Using ssh-agent with ssh"]
* [http://www.unixwiz.net/techtips/ssh-agent-forwarding.html agent forwarding]
* [http://www.securityfocus.com/infocus/1812 security aspects]
Wikimedia Foundation. 2010.