Automate a Remote Login Using SSH-Agent
When it comes to remote logins, SSH is a wonderful tool. Not only is it secure, it supports public/private key logins. Relying on public and private keys means that even if someone gets your password, it won't do them any good without your private key (and vice versa).
However, if you've ever wanted to automate a remote login or to copy some files for backup purposes, you know that it's not easy to do an SSH login without a password.
The easiest option would be creating a key pair without a password. Easy, yes. But this is one of the worst ideas you could implement. It effectively destroys one of the primary benefits of using SSH since taking control of the local machine can potentially give an attacker instant and easy access to your remote machine as well -- two for the price of one.
The far better option is to use ssh-agent, which is far more secure and doesn't require you to abandon the added protection of using a password with your SSH keys.
Unfortunately ssh-agent can be intimidating for newcomers and using it varies somewhat according to the operating system you use.
But fear not my fellow monkeys. Roll up your sleeves, grab a strong cup of coffee and we'll wade through ssh-agent. Bear in mind that we'll be using OpenSSH 2.0. If you're stuck with a host that uses v1, you'll need to make some adjustments.
What is SSH-Agent
OpenSSH, which ships with Mac OS X and most Linux distros and can even be installed on Windows via the CygWin toolset, has a number of lesser-known helper components like ssh-agent.
Ssh-agent acts as a broker that stores and manages private keys on your PC and, most importantly, responds to requests from remote systems to verify your keys. Whenever you log in to your machine, you enter your password, which gives ssh-agent permission to store your keys.
From that point on, ssh-agent can handle authentication requests from remote systems without requiring you to unlock your keys each time with a password. It's important to understand that, behind the scenes, the private keys never leave the agent: the agent only answers signing challenges, so the keys themselves can't be snatched by attackers on the remote end.
So to start the ssh-agent, just run it by typing in "ssh-agent" from the command line like so:
$ ssh-agent
Your terminal window will then spit back something looking like:
SSH_AUTH_SOCK=/tmp/ssh-GCYVyDA3sj/agent.9551; export SSH_AUTH_SOCK;
SSH_AGENT_PID=9552; export SSH_AGENT_PID;
echo Agent pid 9552;
Okay, so now we know how to access it. How do we use it for secure, password-less remote logins?
Create Your SSH Key Pair
The first step to using ssh-agent is to create an SSH key pair. To do that just run this command:
ssh-keygen -t rsa
When prompted for a password (ssh-keygen calls it a passphrase), choose something decently long and secure.
When SSH is done you should see a message like:
Your identification has been saved in /home/yourusername/.ssh/id_rsa.
Your public key has been saved in /home/yourusername/.ssh/id_rsa.pub.
Now we need to add the public key (id_rsa.pub) to our web server. You can head into the web server via FTP and paste the contents of the file into ~/.ssh/authorized_keys. Even better, since you're still in the shell, try this line, substituting your login info (it also creates the remote .ssh directory if it doesn't exist yet):
cat ~/.ssh/id_rsa.pub | ssh username@server.com 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys'
This appends the public key we just generated to your web server's list of authorized keys, which means you can now log in to your remote server from your home machine using the key pair rather than just a password.
Note: If your remote server is running an older version of ssh, you may have to use the ~/.ssh/authorized_keys2 file.
Try connecting to your remote server and you should see a message like this:
Enter passphrase for RSA key 'you@example.com':
If not, check with your hosting company and see if there's something peculiar about its setup. You'll have to adjust your setup according to your host's idiosyncrasies.
Starting SSH-Agent
So I know what you're thinking: I just told you we'd bypass the password login, but we just added a password to our key pair. What's up with that?
This is where ssh-agent comes to our aid.
The first thing you'll want to do is make sure that ssh-agent starts up whenever you login to your PC. As it turns out, this is one of the trickiest parts.
Linux
Most Debian Linux variants (like Ubuntu) start ssh-agent automatically at login. If not, don't worry. You just need to add a line to your .xsession file (if you're not a GNOME user, just substitute the window manager of your choice):
ssh-agent gnome-session
If Debian isn't your bag, check out the ssh-agent tutorial on the Gentoo wiki.
Mac OS X
On Mac OS X 10.5 Leopard, ssh-agent already has the ability to use Keychain to store keys. For Mac OS X 10.4 Tiger and earlier, there are two graphical programs which can handle the task for you (as well as some additional key management tasks). Check out SSH Agent or SSHKeychain.
Windows
For Windows users the situation is more complex. The most popular method seems to be PuTTY, a package of programs for remote shells/logins (making it easy to use ssh, telnet, scp, etc.). Setting up PuTTY for automated public/private key logins is pretty easy, but it can be daunting to new users. With the uninitiated in mind, I'll try to be as detailed and basic as I can with these steps.
- Download and install PuTTY (preferably using the installer package)
- Open PuTTYgen
- Select SSH-2 RSA with 1024 bits in the key (pretty secure)
- Click "Generate" and then move your mouse over the blank area of the window
- Enter in the password you want for it (long and secure is better here)
- Click "Save Public Key" (This will need to go into your authorized_keys file later)
- Click "Save Private Key" (Save this somewhere specific to your user, i.e. "My Documents")
- Add the Private Key file to the "Startup" submenu of the Start Menu
If all goes well, then every time you log in or boot up, your private key will open in Pageant (the PuTTY SSH-Agent), prompting you to enter your password. This will be the one and only time you will need to do so for that session.
I wish I could say it stops there, but there are a few more steps left...
- Open PuTTY
- Select "Default Settings" and click "Load"
- In the tree-like menu on the left select "Connection->SSH->Auth"
- Click "Browse" and find your private key file, click OK
- In the tree menu select "Session"
- In the text box directly below "Saved Sessions" type "Default Settings" and click "Save"
- Congratulations, now every new session you create will attempt to use your public/private key authentication
Thankfully, all this work is largely a one-time setup step.
Custom Scripts
Each of these methods should get ssh-agent up and running in graphical environments. In case you need to access ssh-agent without logging into a window system, you can manually set two environment variables: SSH_AUTH_SOCK and SSH_AGENT_PID.
To do this, we'll use a shell script we'll add to our shell login script. There are several ways you can do this, but the script I use comes from Mark A. Hershberger, who has three variations available in his tutorial on ssh-agent.
Here's the outline of the script; you may need to adjust the paths depending on your setup:
#!/bin/sh
# Path to the agent binary and the flag that makes it print Bourne-style output
SSHAGENT=/usr/bin/ssh-agent
SSHAGENTARGS="-s"
# Only start a new agent if none is reachable yet and the binary is executable
if [ -z "$SSH_AUTH_SOCK" ] && [ -x "$SSHAGENT" ]; then
    # ssh-agent prints the export lines seen above; eval puts them in this shell
    eval `$SSHAGENT $SSHAGENTARGS`
    # Kill the agent again when this login shell exits
    trap "kill $SSH_AGENT_PID" 0
fi
Add that script to your ~/.profile startup script and you'll have ssh-agent access even without a graphical login.
Adding the Keys to SSH-Agent
Now we just need to add the keys we created earlier to ssh-agent. Thankfully it's a one liner:
ssh-add ~/.ssh/id_rsa
Type your password for the last time and now you should be able to perform remote logins without a password.
Test it out:
ssh username@example.com
Assuming that works you're good to go. The only thing to remember is that if you restart your machine you'll need to enter your password once to get the ssh-agent session started.
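The login script above starts a fresh agent for every new shell and kills it when that shell exits. The following is an added example of my own (not code from the article or from Mark Hershberger's tutorial) that ties the custom-script step and the ssh-add step together: it starts one agent per host, records its environment in an assumed file ($HOME/.ssh/agent.env), lets later login shells reuse that agent, and only asks for the passphrase when the agent is empty.

```shell
#!/bin/sh
# Added example (not from the original article): start one ssh-agent per
# host, save its environment to a file, and let later login shells reuse it
# instead of spawning a fresh agent each time. Assumed path for that file:
# $HOME/.ssh/agent.env (any file only your user can read will do).

AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# Succeed only if the agent named by SSH_AUTH_SOCK / SSH_AGENT_PID is alive:
# the socket must exist and the process must still answer a null signal.
agent_alive() {
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ] &&
    [ -n "$SSH_AGENT_PID" ] && kill -0 "$SSH_AGENT_PID" 2>/dev/null
}

# Pull SSH_AUTH_SOCK and SSH_AGENT_PID out of "ssh-agent -s" output without
# eval-ing the whole thing. Works for the one-line form quoted in the article
# and for the usual three-line form; prints one "NAME=value" per line.
parse_agent_output() {
    printf '%s\n' "$1" | tr ';' '\n' |
        grep -E '^ *(SSH_AUTH_SOCK|SSH_AGENT_PID)=' | sed 's/^ *//'
}

# Reuse a saved agent if it is still running; otherwise start a new one and
# record it with owner-only permissions. Then load the key only if the agent
# holds none (ssh-add -l exits 1 when empty), so the passphrase is typed once.
ensure_agent() {
    [ -r "$AGENT_ENV" ] && . "$AGENT_ENV"
    if ! agent_alive; then
        out=$(ssh-agent -s) || return 1
        ( umask 077
          { parse_agent_output "$out"
            echo 'export SSH_AUTH_SOCK SSH_AGENT_PID'; } > "$AGENT_ENV" )
        . "$AGENT_ENV"
    fi
    ssh-add -l >/dev/null 2>&1 || ssh-add "$HOME/.ssh/id_rsa"
}

# In ~/.profile:   . "$HOME/bin/agent.sh" && ensure_agent
```

Cron jobs still won't see the agent unless they source the same agent.env file, and a reboot clears the agent, so the first interactive login after boot will prompt for the passphrase again.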
Tip: if you're running some cron scripts that do remote logins (one of the main points of ssh-agent), consider creating a separate key pair for those logins. It adds another layer of security, and you can use the command="..." option in front of the key in your authorized_keys file to limit what those logins can do (see [tutorial on remote backups] for more info on limiting script access).
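As an added example of that tip (my own code, not from the article), the first function below writes the restricted authorized_keys entry for a backup key, pinning it to one command and switching off forwarding and pty allocation, and the second audits an existing authorized_keys file for keys that carry no options at all. The backup script path and the key material are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): build a restricted
# authorized_keys entry for a cron/backup key, and list the keys in an
# existing authorized_keys file that have no restrictions in front of them.
# Assumed: the public key line is what ssh-keygen writes to id_backup.pub.

# Print an authorized_keys line that limits the key to a single command and
# disables port, X11 and agent forwarding plus pty allocation.
#   $1 = command the key may run, $2 = public key line (type, blob, comment)
# The command must not itself contain a double quote.
restrict_key_line() {
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1" "$2"
}

# Read an authorized_keys file on stdin and print the comment of every key
# whose line begins directly with a key type, i.e. has no options at all.
unrestricted_keys() {
    grep -E '^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-[a-z0-9-]+) ' |
        awk '{ print ($3 == "" ? "(no comment)" : $3) }'
}

# Typical use on the server, with constructed placeholder values:
#   restrict_key_line /usr/local/bin/backup.sh "$(cat id_backup.pub)" >> ~/.ssh/authorized_keys
#   unrestricted_keys < ~/.ssh/authorized_keys
```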
Conclusion
So now we've securely overcome the old password problem for remote logins. If you're having trouble or want to learn more about ssh-agent, check out Mark Hershberger's tutorial. Be sure to read Steve Friedl's Illustrated Guide to SSH Agent Forwarding for more on how SSH and ssh-agent work.
- This page was last modified 15:08, 31 July 2008.