SDB:OpenSSH agent

This article or section refers to the version '11.0' and it is now obsolete!
Please refer to this article's discussion page for more information.
The SSH agent provides an easy and secure way of using public key authentication with SSH. It lets you keep using password-less remote SSH logins while your private keys stay locked with a passphrase. This article explains the principle and use of the ssh-agent program.

Tested on openSUSE


How it works

When ssh-agent is started, it accepts new keys and serves them again through a Unix socket. The path of that socket is handed down in the SSH_AUTH_SOCK environment variable, so only sub-processes of ssh-agent know where to find it. This means ssh-agent must be invoked with another command as its argument; that command can be a shell or your complete X desktop. Once ssh-agent is running, the program ssh-add is used to hand your private keys to it.

Basic invocation

In the following example ssh-agent is started from the command line, with bash as argument. This starts a bash session inside your current one, with ssh-agent in the background.

$ ssh-agent bash

ssh-agent keeps running until the bash sub-shell is closed.

$ exit

This will terminate the bash session and ssh-agent.

Add your keys

You can use ssh-add to send your keys to the agent. ssh-add only works if it can find the agent's socket, so it has to be executed in a sub-shell of ssh-agent, as in the example above.

$ ssh-add

This command looks for the files ~/.ssh/id_rsa, ~/.ssh/id_dsa and ~/.ssh/identity and adds them automatically. You will be prompted for your key's password if one is set. (That is usually the reason for using ssh-agent in the first place.) ssh-add must be run every time ssh-agent is started.


Automatic starting

There are two ways of starting the agent automatically: by means of a custom xsession, or by PAM.

If a custom xsession is used:
  + You can let your keys expire after some time. After that they have to be unlocked again with ssh-add.
  + You can set up user-specific scripts for loading ssh-agent and your desktop environment.
  + You can automatically load keys with custom names by changing the ssh-add syntax in your scripts.
  - Auto-starting the ssh-agent only happens for this custom session. If you log in to any other desktop environment or shell, you will need to load the agent manually, or have it loaded from a specific rc script such as ~/.bashrc.
  - If you want to change to another desktop environment and still auto-load ssh-agent, you will need to modify your .xsession script instead of simply selecting another session in your login display.
  - You will have to create a separate .xsession file for every user that needs to make use of the ssh-agent.
  - When a user logs in, he has to type an additional password for the keys, for which he will be prompted.

If PAM is used:
  + ssh-agent is started for every way of logging in (desktop environments and shell).
  + ssh-agent is started for every user upon login.
  + You can log in using the password set for your private key, so you only need to type a single password.
  + You can choose not to start the agent by typing your system password instead of the key's password.
  - Keys cannot be set to expire, so you need to lock your screen if you want to prevent someone from using your keys. (They still cannot copy the private key out of the agent to use it on their own system.)
  - Only keys with default names can be loaded automatically, and only the key whose password you entered.
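The "rc script such as ~/.bashrc" option above, the socket mechanism from the How it works section and the expiring keys from the first list can be shown together in one script. This is an added example, not code from the openSUSE wiki: it starts one ssh-agent per user, records the agent's SSH_AUTH_SOCK and SSH_AGENT_PID in a file that only this user can read, reuses that agent from every new shell, and loads keys with a lifetime. The file name $HOME/.ssh/agent.env and the function names are our own assumptions; the exit codes of ssh-add -l (0, 1 and 2) are the ones documented in ssh-add(1).

```shell
#!/bin/sh
# Added example, not part of the wiki page: keep one ssh-agent per user
# alive across logins and shells, and load keys with a lifetime.
# The file $HOME/.ssh/agent.env and every function name below are our
# own choices (assumptions), not anything ssh-agent itself defines.

AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# Translate the exit status of `ssh-add -l` into a readable state.
# ssh-add(1): 0 = agent holds identities, 1 = agent holds none,
# 2 = agent could not be contacted (dead socket or unset SSH_AUTH_SOCK).
agent_state_from_status() {
  case "$1" in
    0) echo loaded ;;
    1) echo empty ;;
    2) echo unreachable ;;
    *) echo error ;;
  esac
}

# Ask the agent named by SSH_AUTH_SOCK how it is doing.
agent_state() {
  status=0
  ssh-add -l >/dev/null 2>&1 || status=$?
  agent_state_from_status "$status"
}

# Start a fresh agent and record SSH_AUTH_SOCK/SSH_AGENT_PID in a file
# only this user can read (umask 077), then import them into this shell.
start_agent() {
  (umask 077; mkdir -p "$(dirname "$AGENT_ENV")"; ssh-agent -s > "$AGENT_ENV")
  . "$AGENT_ENV" >/dev/null
}

# Reuse the recorded agent if it still answers, otherwise start a new one.
# Prints the resulting agent state (normally "empty" right after a start).
ensure_agent() {
  if [ -z "$SSH_AUTH_SOCK" ] && [ -r "$AGENT_ENV" ]; then
    . "$AGENT_ENV" >/dev/null
  fi
  if [ "$(agent_state)" = unreachable ]; then
    start_agent
  fi
  agent_state
}

# Add the given private keys with a lifetime (e.g. 1h). After that time
# the agent forgets them and ssh-add has to be run again.
load_keys() {
  lifetime=$1
  shift
  ssh-add -t "$lifetime" "$@"
}

# Typical use from ~/.bashrc (assumed location of this file is ~/bin/agent.sh):
#   . ~/bin/agent.sh && ensure_agent >/dev/null
#   [ "$(agent_state)" = empty ] && load_keys 8h ~/.ssh/id_rsa
```

Sourcing the script from ~/.bashrc gives every new shell the same agent, which is what the PAM variant achieves system-wide; unlike PAM, the lifetime passed to load_keys still lets the keys expire, and ssh-add prompts again once they have.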


Custom xsession

If you choose to set up a custom xsession, the following packages need to be installed:

  • openssh (is already installed by default in openSUSE)
  • openssh-askpass (Mandatory)
  • ksshaskpass (Optional, for KDE users)
  • openssh-askpass-gnome (Optional for GNOME users)

To check which ssh related packages are installed, type the following command:

$ zypper se ssh
S | Name                           | Summary                                                 | Type      
--+--------------------------------+---------------------------------------------------------+-----------
  | ksshaskpass                    | A KDE 4 version of ssh-askpass with KWallet support     | package   
i | openssh                        | Secure Shell Client and Server (Remote Login Program)   | package   
  | openssh-askpass                | A passphrase dialog for OpenSSH and the X Window System | package   
  | openssh-askpass-gnome          | A GNOME-Based Passphrase Dialog for OpenSSH             | package   

If necessary, install additional packages as root:

$ zypper in openssh-askpass ksshaskpass

Creating .xsession

Now you have to create the xsession script file. It should be saved as ~/.xsession and must be executable. Open an editor as a regular user.

This .xsession sample script loads your default keys (id_rsa, id_dsa, identity) automatically and they will not expire. After that KDE is started.

#!/bin/bash

# ssh-agent runs the command given as its argument. ssh-add and KDE are
# started from that command, so both inherit SSH_AUTH_SOCK and find the agent.
exec ssh-agent bash -c 'ssh-add & exec startkde'

The following sample script loads custom keys, which expire after 1 hour, and then starts the GNOME desktop:

#!/bin/bash

# ssh-agent runs the command given as its argument. The named keys are added
# with a one-hour lifetime (-t 1h) and GNOME is started from the same command,
# so it inherits SSH_AUTH_SOCK.
exec ssh-agent bash -c 'ssh-add -t 1h ~/.ssh/custom_key ~/.ssh/extra_key & exec gnome-session'

After typing your script, save and exit your editor and make ~/.xsession executable.

$ chmod +x ~/.xsession

Running your custom xsession

If you now log out or reboot your system, you will see your login screen. This can be KDM, GDM, LXDM or any other kind of display manager. In it you can choose which desktop environment should be loaded for this session; choose "custom" here. The custom session runs the ~/.xsession script created earlier upon login.

When your desktop environment is loaded, you should be prompted by an ssh-askpass dialog, where you can enter the password(s) of your key(s). Upon success your keys are unlocked and you can log in to your remote host without having to use any passwords.

If you failed to provide a valid password, ssh-askpass will close without adding the keys to your agent. If you would like to try again, you can run ssh-add from the command line and supply your password there.

Setting PAM

Warning: The sections below have not been tested and are probably not correct for current OpenSUSE versions. This article is currently being re-written. Please check the discussion page for more info.

Edit /etc/pam.d/xdm as root:

$> su
$> vi /etc/pam.d/xdm

and add the following lines:

 #%PAM-1.0
 auth     sufficient     pam_ssh.so
 auth     include        common-auth
 account  include        common-account
 password include        common-password
 session  include        common-session
 session  required       pam_ssh.so
 session  required       pam_devperm.so
 session  required       pam_resmgr.so

This will allow you to authenticate in KDM and GDM with your SSH passphrase and use it for starting the ssh-agent. No other changes are needed.

If some users on the system cannot use SSH authentication (for example because they have no SSH passphrase), the X server will not start for them. For that reason, you may change the line

session  required       pam_ssh.so

to

session  sufficient     pam_ssh.so