SDB:OpenSSH agent
Tested on openSUSE
How it works
When ssh-agent is started, it accepts new private keys (handed to it by ssh-add) and makes them available again through a UNIX domain socket. The path of that socket is exported in the environment variable SSH_AUTH_SOCK, and only processes started by ssh-agent inherit it. This is why ssh-agent is normally invoked with another command as its argument: a shell, or your complete X desktop, so that everything started from that command can reach the agent. Note that the socket is an ordinary file owned by your user: any process running under your user id that learns its path can use the keys as well. The environment variable is what makes the agent reachable, not an access control. After ssh-agent is started, the program ssh-add is used to add your private keys to it.
Basic invocation
In the following example ssh-agent is started from the command line with bash as its argument (ssh-agent bash). This starts a new bash session inside your current one, with ssh-agent running in the background and SSH_AUTH_SOCK set in the new shell.
ssh-agent keeps running until that sub shell is closed (with exit or Ctrl-D).
This terminates the bash session and, with it, the ssh-agent.
Add your keys
You can use ssh-add to hand your keys to the agent. ssh-add only works if it can find the agent's socket, that is, if SSH_AUTH_SOCK is set in its environment, so it has to be executed in a sub shell of ssh-agent, like in the example above. Otherwise it fails with "Could not open a connection to your authentication agent".
Run without arguments, ssh-add looks for the files ~/.ssh/id_rsa, ~/.ssh/id_dsa and ~/.ssh/identity (newer OpenSSH versions also try ~/.ssh/id_ecdsa and ~/.ssh/id_ed25519) and adds them automatically. You will be prompted for the key's passphrase if one is set; being asked for it once per agent instead of on every connection is usually the reason to use ssh-agent at all. The keys live only in the agent's memory, so ssh-add must be executed every time a new ssh-agent is started.
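As an added example (not part of the original article), the whole agent lifecycle in one shell script. It uses the other invocation form, ssh-agent -s, which prints shell commands that eval applies to the current shell, so the agent becomes reachable without starting a sub shell. It assumes OpenSSH's ssh-agent, ssh-add and ssh-keygen are in PATH; the key it adds is a throwaway ed25519 key with an empty passphrase generated in a temporary directory (constructed input, nothing in ~/.ssh is touched), and the function names are the example's own.

```sh
#!/bin/sh
# Added example, not from the openSUSE article. Walks through start, add,
# list and kill of an ssh-agent from one shell. Assumes ssh-agent, ssh-add
# and ssh-keygen (OpenSSH) are in PATH. The key is a throwaway one generated
# below (constructed input); the function names are this example's own.

# Probe whatever agent ssh-add finds via SSH_AUTH_SOCK. ssh-add -l exits
# with 0 when keys are loaded, 1 when the agent holds no identities, and 2
# when no agent can be reached ("Could not open a connection to your
# authentication agent").
agent_state() {
    if ssh-add -l >/dev/null 2>&1; then echo 0; else echo $?; fi
}

agent_demo() {
    workdir=$(mktemp -d) || return 1
    key="$workdir/demo_key"

    # Without SSH_AUTH_SOCK there is no socket to talk to: state 2.
    before=$(unset SSH_AUTH_SOCK; agent_state)

    # ssh-agent -s prints "SSH_AUTH_SOCK=...; export SSH_AUTH_SOCK; ..." for
    # a Bourne shell; eval applies it here, so this shell, not a sub shell,
    # becomes the agent's client.
    agent_env=$(ssh-agent -s) || return 1
    eval "$agent_env" >/dev/null

    empty=$(agent_state)                     # reachable, but no keys: 1

    ssh-keygen -q -t ed25519 -N '' -C demo -f "$key" || return 1
    ssh-add -t 600 "$key" >/dev/null 2>&1 || return 1   # forgotten after 10 min
    loaded=$(agent_state)                    # 0 now

    # Only fingerprints leave the agent; the private key never crosses the
    # socket, ssh-agent just signs challenges with it.
    ssh-add -l

    # Kill the agent named by SSH_AGENT_PID and drop the variables, then the
    # temporary key. Without this the agent would outlive the script.
    eval "$(ssh-agent -k)" >/dev/null 2>&1
    rm -rf "$workdir"

    [ "$before" = 2 ] && [ "$empty" = 1 ] && [ "$loaded" = 0 ]
}

if command -v ssh-agent >/dev/null 2>&1 && command -v ssh-keygen >/dev/null 2>&1; then
    if agent_demo; then echo "agent lifecycle OK"; else echo "agent demo failed" >&2; fi
fi
```

The exit codes of ssh-add -l are the quickest way to tell "no agent" from "agent without keys" in a script, which matters for the rc-script variants discussed later in this article.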
Automatic starting
There are two ways of starting the agent automatically: by means of a custom xsession or by PAM.
If a custom xsession is used:
You can let your keys expire after some time (ssh-add -t). After that time they have to be unlocked again with ssh-add.
You can set up user-specific scripts for loading ssh-agent and your desktop environment.
You can automatically load keys with custom names by changing the ssh-add arguments in your scripts.
Auto-starting the ssh-agent only happens for this custom session. If you log in to any other desktop environment or to a plain shell, you need to start the agent manually, or have it started from an rc script such as ~/.bashrc.
If you want to change to another desktop environment and still auto-load ssh-agent, you need to modify your .xsession script instead of simply selecting another session in your login display.
You have to create a separate .xsession file for every user that wants to use the ssh-agent.
When a user logs in, he is prompted for an additional password: the passphrase of his keys.
If PAM is used:
ssh-agent is started for any kind of login (desktop environments and shells).
ssh-agent is started for every user upon login.
You can log in using the passphrase set on your private key, meaning you only need to type a single password.
You can choose not to start the agent by typing your system password instead of the key's passphrase.
Keys cannot be set to expire, so you need to lock your screen if you want to prevent someone from using your keys while you are away. (They still cannot copy the key to their own system: the agent only signs with the key, it never hands the private key itself out over the socket.)
Only keys with the default names can be loaded automatically, and only the one whose passphrase you entered at login.
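The rc-script route mentioned above for logins outside the custom xsession, as an added example that is not part of the original article: a fragment for ~/.bashrc (or ~/.profile) that gives every login, console, ssh or X, one shared ssh-agent instead of a fresh, empty agent per shell. It assumes OpenSSH's ssh-agent and ssh-add are in PATH; the cache file name AGENT_ENV (defaulting to ~/.ssh/agent.env) and the function names are the example's own choices.

```sh
#!/bin/sh
# Added example, not from the openSUSE article: reuse one ssh-agent across
# logins from an rc script. Assumes OpenSSH ssh-agent and ssh-add in PATH.
# AGENT_ENV (a name chosen here) caches the agent's SSH_AUTH_SOCK/SSH_AGENT_PID
# lines so a later shell can find the socket; the file holds no key material.
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# True if SSH_AUTH_SOCK points at a live agent. ssh-add -l exits 1 when the
# agent merely has no keys, 2 when it cannot be reached (dead or stale socket).
agent_alive() {
    if ssh-add -l >/dev/null 2>&1; then
        return 0
    else
        [ $? -ne 2 ]
    fi
}

# Use, in order: an agent already in the environment (the xsession agent or
# ssh's agent forwarding), the agent cached by an earlier login, or a new one.
ensure_agent() {
    if [ -n "$SSH_AUTH_SOCK" ] && agent_alive; then
        return 0
    fi
    if [ -r "$AGENT_ENV" ]; then
        . "$AGENT_ENV" >/dev/null
        agent_alive && return 0          # a stale cache falls through
    fi
    mkdir -p "$(dirname "$AGENT_ENV")" || return 1
    # 0600: the socket path is not secret, but there is no reason to publish it.
    (umask 077; ssh-agent -s > "$AGENT_ENV") || return 1
    . "$AGENT_ENV" >/dev/null
    agent_alive
}

# Demo (runs in a subshell so it leaves the caller's environment alone):
# two "logins" that share nothing but the cache file end up on the same agent.
reuse_demo() (
    tmp=$(mktemp -d) || exit 1
    AGENT_ENV="$tmp/agent.env"
    unset SSH_AUTH_SOCK SSH_AGENT_PID
    ensure_agent || exit 1
    first=$SSH_AGENT_PID
    second=$(unset SSH_AUTH_SOCK SSH_AGENT_PID; ensure_agent >/dev/null && echo "$SSH_AGENT_PID")
    eval "$(ssh-agent -k)" >/dev/null 2>&1   # clean up the agent we started
    rm -rf "$tmp"
    [ -n "$first" ] && [ "$first" = "$second" ]
)

# In ~/.bashrc: source this file and call ensure_agent, then run ssh-add once.
if command -v ssh-agent >/dev/null 2>&1; then
    if reuse_demo; then echo "second login reused the first agent"; fi
fi
```

Because the cache only records a socket path and a PID, a stale file from a previous boot is harmless: agent_alive sees exit code 2 and ensure_agent simply starts a new agent over it.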
Custom xsession
If you choose to set up a custom xsession, the following packages need to be installed:
- openssh (already installed by default in openSUSE)
- openssh-askpass (mandatory)
- ksshaskpass (optional, for KDE users)
- openssh-askpass-gnome (optional, for GNOME users)
To check which ssh related packages are installed, type the following command:
S | Name                  | Summary                                                 | Type
--+-----------------------+---------------------------------------------------------+--------
  | ksshaskpass           | A KDE 4 version of ssh-askpass with KWallet support     | package
i | openssh               | Secure Shell Client and Server (Remote Login Program)   | package
  | openssh-askpass       | A passphrase dialog for OpenSSH and the X Window System | package
  | openssh-askpass-gnome | A GNOME-Based Passphrase Dialog for OpenSSH             | package
If necessary, install additional packages as root:
Creating .xsession
Now you have to create the xsession script. It should be saved as ~/.xsession and must be executable. Open an editor as a regular user.
This .xsession sample script loads your default keys (id_rsa, id_dsa, identity) automatically, without expiry, and then starts KDE:
#!/bin/bash
# Both commands are handed to ssh-agent as a single sh -c argument, so the
# desktop runs as a child of the agent (and inherits SSH_AUTH_SOCK) and the
# agent exits together with the session. ssh-add runs in the background so
# the passphrase dialog does not hold up the desktop start.
ssh-agent sh -c 'ssh-add & startkde'
The following sample script loads keys with custom names, which expire after 1 hour, and then starts the GNOME desktop:
#!/bin/bash
# Same structure as above; -t 1h makes the agent forget the keys after an hour.
ssh-agent sh -c 'ssh-add -t 1h ~/.ssh/custom_key ~/.ssh/extra_key & gnome-session'
After typing your script, save and exit your editor and make ~/.xsession executable (chmod +x ~/.xsession).
Running your custom xsession
If you now log out or reboot your system, you will see your login screen. This can be KDM, GDM, LXDM or any other kind of display manager (DM). In the DM you can choose which desktop environment should be loaded for this session; choose "custom" here. The custom session runs the ~/.xsession script created earlier upon login.
When your desktop environment is loaded, you should be prompted by an ssh-askpass dialogue, where you enter the passphrase(s) of your key(s). On success your keys are unlocked and you can log in to your remote hosts without being asked for the passphrase again.
If you fail to provide a valid passphrase, ssh-askpass closes without adding the keys to your agent. To try again, run ssh-add from the command line and supply the passphrase there.
Setting PAM
Edit /etc/pam.d/xdm as root
and add the following lines:
#%PAM-1.0
auth     sufficient  pam_ssh.so
auth     include     common-auth
account  include     common-account
password include     common-password
session  include     common-session
session  required    pam_ssh.so
session  required    pam_devperm.so
session  required    pam_resmgr.so
This allows you to authenticate in KDM and GDM with your SSH key's passphrase and use it to start the ssh-agent. No other changes are needed.
If some users on the system cannot authenticate this way (for example because they have no SSH key with a passphrase), the X server will not start for them, because the required session entry for pam_ssh fails. For that reason, you may change the line
session required pam_ssh.so
to
session sufficient pam_ssh.so