Create the SSH key pair on ares and copy the public key to bob. The page uses a DSA key; OpenSSH 7.0 (2015) disabled ssh-dss keys by default, so on a current system generate an Ed25519 (or RSA) key with ssh-keygen -t ed25519 and read id_ed25519 wherever id_dsa appears below. Note also that the scp below overwrites any existing authorized_keys2 on bob and needs ~/.ssh to exist there already; ssh-copy-id, or appending with cat >> as is done later on this page, avoids both problems.
g0@ares:~$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/g0/.ssh/id_dsa):
Created directory '/home/g0/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/g0/.ssh/id_dsa.
Your public key has been saved in /home/g0/.ssh/id_dsa.pub.
The key fingerprint is:
88:5a:f3:75:ed:c3:92:ed:04:a0:bf:bc:d7:e9:7c:68 g0@ares
The key's randomart image is:
+--[ DSA 1024]----+
(randomart rows; their spacing did not survive extraction)
+-----------------+
g0@ares:~$ ls -a .ssh
.  ..  id_dsa  id_dsa.pub
g0@ares:~$ scp ~/.ssh/id_dsa.pub bob:~/.ssh/authorized_keys2
g0@bob's password:
id_dsa.pub
Since g0 shares this box with the rest of the NOC, he needs to make sure that the other, unprivileged users cannot read his private key.
g0@ares:~$ ls -l .ssh/id_dsa
-rw------- 1 g0 g0 736 2011-11-06 11:12 .ssh/id_dsa

OK, cool. For similar reasons g0's .ssh directory on bob must not be writable by anyone else: sshd with StrictModes (the default) ignores authorized_keys if that file, ~/.ssh, or the home directory is group- or world-writable, and ssh on the client side refuses to use a private key that is readable by group or others ("UNPROTECTED PRIVATE KEY FILE!").
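As an added check (example code, not from the original page): a small POSIX shell script that applies the permission rules sshd's StrictModes and ssh's private-key check enforce, run against a scratch directory with deliberately wrong modes. The scratch directory, file names and modes in demo() are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: audit a .ssh directory the way
# sshd (StrictModes, the default) and ssh do before trusting it.
#   - ~/.ssh and authorized_keys* must not be group- or world-writable (022)
#   - private keys must carry no group/other bits at all (077), or ssh
#     refuses them with "UNPROTECTED PRIVATE KEY FILE!"
# The scratch directory and key names in demo() are constructed for the demo.

# Octal permission bits of a path (GNU stat, with a BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed if the mode of $1 has none of the bits in octal mask $2.
mode_clear() {
    m=$(mode_of "$1")
    m=$(printf '%s' "$m" | tail -c 3)      # drop a leading setuid/setgid/sticky digit
    [ $(( 0$m & $2 )) -eq 0 ]
}

# Check one .ssh directory; print each problem and return 1 if any was found.
check_ssh_dir() {
    dir=$1
    rc=0
    mode_clear "$dir" 022 || { echo "BAD: $dir is group/world writable"; rc=1; }
    for f in "$dir"/authorized_keys "$dir"/authorized_keys2; do
        [ -e "$f" ] || continue
        mode_clear "$f" 022 || { echo "BAD: $f is group/world writable"; rc=1; }
    done
    for pub in "$dir"/*.pub; do
        [ -e "$pub" ] || continue
        priv=${pub%.pub}
        [ -e "$priv" ] || continue
        mode_clear "$priv" 077 || { echo "BAD: $priv is readable or writable by others"; rc=1; }
    done
    return $rc
}

# Demo: a scratch ~/.ssh with weak modes fails, the usual 700/600 passes.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/.ssh"
    : > "$tmp/.ssh/id_dsa"
    : > "$tmp/.ssh/id_dsa.pub"
    : > "$tmp/.ssh/authorized_keys"
    chmod 775 "$tmp/.ssh"
    chmod 644 "$tmp/.ssh/id_dsa"
    chmod 664 "$tmp/.ssh/authorized_keys"
    check_ssh_dir "$tmp/.ssh" || echo "-> weak modes rejected, as expected"
    chmod 700 "$tmp/.ssh"
    chmod 600 "$tmp/.ssh/id_dsa" "$tmp/.ssh/authorized_keys"
    check_ssh_dir "$tmp/.ssh" && echo "-> $tmp/.ssh passes"
    rm -rf "$tmp"
}

demo
```

Point check_ssh_dir at a real ~/.ssh to audit it; it only compares mode bits, so it does not catch the ownership rule sshd also applies (the files must belong to the user or root).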
Now we can start the ssh-agent.
The ssh-agent will use g0's private key to authenticate as g0@bob for the rest of this login session.
g0@ares:~$ ssh-agent sh -c 'ssh-add /home/g0/.ssh/id_dsa && bash'
Enter passphrase for /home/g0/.ssh/id_dsa:
Identity added: /home/g0/.ssh/id_dsa (/home/g0/.ssh/id_dsa)
g0@ares:~$ ssh bob
Welcome to Bob
g0@bob:~$ exit
Connection to bob closed.
g0@ares:~$ ssh bob
Welcome to Bob
g0@bob:~$ exit
Connection to bob closed.
g0@ares:~$
After entering the passphrase once, g0 can ssh and scp to bob without typing it again for the rest of this login session, or until he kills the ssh-agent. Because the agent was started with bash as its child, exiting that bash ends the agent too; the alternative is eval "$(ssh-agent -s)" in an existing shell, which exports SSH_AUTH_SOCK and SSH_AGENT_PID into it, followed by ssh-add.
The ssh-agent runs in the background managing g0's private key(s) (identities); ssh finds it through the UNIX socket named in SSH_AUTH_SOCK, and its process ID is in SSH_AGENT_PID.
g0@ares:~$ ps fuax | grep ssh-agent | grep -v grep
g0 23903 0.0 0.0 11936 612 ? Ss 12:44 0:00 \_ ssh-agent sh -c ssh-add /home/g0/.ssh/id_dsa && bash
g0@ares:~$ echo $SSH_AGENT_PID
23903
ssh-add -l lists the fingerprints of the identities currently held by ssh-agent (ssh-add -L prints the full public keys instead).

g0@ares:~$ ssh-add -l
1024 88:5a:f3:75:ed:c3:32:ed:04:a0:bf:bc:d7:e9:7c:68 /home/g0/.ssh/id_dsa (DSA)
To kill the ssh-agent, which disables passwordless ssh and scp to bob for this login session:

g0@ares:~$ ssh-agent -k
unset SSH_AUTH_SOCK;
unset SSH_AGENT_PID;
echo Agent pid 23903 killed;
g0@ares:~$

ssh-agent -k kills the agent named by SSH_AGENT_PID and only prints the clean-up commands; run eval "$(ssh-agent -k)" if the variables should be unset in the current shell as well.
If we need to automate an ssh or scp task we could drive the passphrase prompt with Expect (or Expect.pm from Perl), generate the key pair without a passphrase, or, better, generate a single-purpose key pair with no passphrase and restrict on the server what it is allowed to do. A passphrase-less key is only as safe as the file that holds it, so the restrictions below limit the damage if it is ever copied.

To create a single-purpose key we generate an RSA key pair without entering a passphrase. (-b 4096 is the conventional size; the 4098 below is an unusual choice that ssh-keygen accepted, with no benefit over 4096.)
g0@ares:~$ ssh-keygen -t rsa -b 4098 -f .ssh/jw
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in .ssh/jw.
Your public key has been saved in .ssh/jw.pub.
The key fingerprint is:
f2:2c:6a:b2:9a:14:f6:f9:95:b8:7f:02:ee:80:6a:dc g0@ares
The key's randomart image is:
+--[ RSA 4098]----+
(randomart rows; their spacing did not survive extraction)
+-----------------+
Then we prepend the purpose (a forced command) and some restricting options to the public key.

To create a key that lets him run only w on bob, g0 does the following.

g0@ares:~$ echo -n "command=\"/usr/bin/w\",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc " > tmp
g0@ares:~$ cat .ssh/jw.pub >> tmp

Cool, now tmp holds the forced command, the options and the public key on one line. Two options worth adding: no-pty (w needs no terminal) and from="ares", so the key is accepted only from that host; OpenSSH 7.2 and later also offer restrict, a single option that turns off every forwarding and pty feature, including ones added after the key was installed.

Now he appends the line to ~/.ssh/authorized_keys on bob. The key type does not matter here: authorized_keys2 was only ever a protocol-2 split of the same file and has been a deprecated alias since OpenSSH 3.0. sshd still reads both by default, but new entries belong in authorized_keys.
g0@ares:~$ cat tmp | ssh -p 9999 ipduh.com 'sh -c "cat - >> ~/.ssh/authorized_keys"'
Enter passphrase for key '/home/g0/.ssh/id_dsa':

g0 had to type the id_dsa passphrase because ssh-agent was no longer running.
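The steps above, as an added example (not the page's own commands): a POSIX shell script that assembles the restricted authorized_keys entry the same way, but checks that the file really is an OpenSSH public key, refuses a command containing a double quote (which would terminate the command="..." option early), optionally pins the client with from=, and appends only if the line is not already there. The public key string and the scratch paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: build the restricted
# authorized_keys entry the page assembles with echo and cat, but validate
# the inputs, optionally pin the client host with from=, and append without
# duplicating or overwriting. The key in demo() is a constructed placeholder,
# not real key material.

# Print an authorized_keys line for public key file $1 that only runs
# command $2; $3 (optional) is a from= pattern such as "ares" or "10.0.0.*".
restrict_key() {
    pub=$1
    cmd=$2
    from=${3:-}
    keyline=$(head -n 1 "$pub")
    case $keyline in
        ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "restrict_key: $pub does not look like an OpenSSH public key" >&2; return 1 ;;
    esac
    # A double quote inside command="..." would terminate the option early.
    case $cmd in
        *\"*) echo "restrict_key: command must not contain a double quote" >&2; return 1 ;;
    esac
    # no-pty is added to the page's list: w does not need a terminal.
    opts="command=\"$cmd\",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc,no-pty"
    if [ -n "$from" ]; then
        opts="from=\"$from\",$opts"
    fi
    printf '%s %s\n' "$opts" "$keyline"
}

# Append line $1 to authorized_keys file $2 (created 0600 in a 0700 directory
# if missing) unless an identical line is already there.
install_key() {
    line=$1
    akf=$2
    akd=$(dirname "$akf")
    mkdir -p "$akd"
    chmod 700 "$akd"
    [ -e "$akf" ] || : > "$akf"
    chmod 600 "$akf"
    if grep -qxF -- "$line" "$akf"; then
        echo "install_key: entry already present in $akf"
        return 0
    fi
    printf '%s\n' "$line" >> "$akf"
}

# Demo with a constructed public key and a scratch authorized_keys.
demo() {
    tmp=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC7FAKEKEYFORDEMOONLY g0@ares\n' > "$tmp/jw.pub"
    line=$(restrict_key "$tmp/jw.pub" /usr/bin/w ares)
    echo "$line"
    install_key "$line" "$tmp/.ssh/authorized_keys"
    install_key "$line" "$tmp/.ssh/authorized_keys"      # second call is a no-op
    echo "entries in authorized_keys: $(grep -c . "$tmp/.ssh/authorized_keys")"
    rm -rf "$tmp"
}

demo
```

On the real bob the second argument to install_key would be $HOME/.ssh/authorized_keys. A from= pattern is matched against the client's IP address, or its canonical hostname only when sshd resolves names (UseDNS), so an address pattern is the more reliable choice.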
Now, let's run w on bob from ares.

g0@ares:~$ ssh -i .ssh/jw bob
 19:18:17 up 194 days,  6:21,  1 user,  load average: 1.15, 1.05, 1.01
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
g0       pts/0    ares              19:18    0.00s  0.01s  0.01s /usr/bin/w
Connection to bob closed.

g0 only had to select the identity (key) with -i; no passphrase was asked for because jw has none. Because the key carries a forced command, sshd runs /usr/bin/w whatever the client asks for: ssh -i .ssh/jw bob bash still runs w, and the command the client requested is exposed to the forced command only through the SSH_ORIGINAL_COMMAND environment variable.
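As an added example (not from the original page), the forced-command idea generalized from one fixed command to a small allowlist: a wrapper that sshd runs for every login with the key, which inspects SSH_ORIGINAL_COMMAND and either execs one of a few exact commands or refuses. The install path /usr/local/bin/jw-shell, the name jw-shell and the command paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: a forced-command wrapper that
# generalizes the page's single-command key to a small allowlist. Install as
# command="/usr/local/bin/jw-shell" (path is an assumption) in the key's
# authorized_keys entry; sshd then runs this script for every login with
# that key and puts the client's requested command, if any, in
# SSH_ORIGINAL_COMMAND.

# Map the client's request to the exact argv we are willing to run.
# Prints one argv word per line and returns 0, or returns 1 to refuse.
# The match is on the whole string, so "w; sh" or "w $(id)" never reach a shell.
resolve_command() {
    req=${1:-w}          # plain "ssh bob" sends no command: default to w
    case $req in
        w)       printf '%s\n' /usr/bin/w ;;
        "w -s")  printf '%s\n' /usr/bin/w -s ;;
        uptime)  printf '%s\n' /usr/bin/uptime ;;
        *)       return 1 ;;
    esac
}

# Entry point when sshd runs us: refuse loudly, or exec the resolved argv
# with no shell in between.
forced_main() {
    if argv=$(resolve_command "${SSH_ORIGINAL_COMMAND:-}"); then
        IFS='
'
        set -f                       # no globbing while $argv is split on newlines
        # shellcheck disable=SC2086
        exec $argv
    fi
    echo "jw-shell: refused '${SSH_ORIGINAL_COMMAND:-}' from ${SSH_CLIENT%% *}" >&2
    exit 127
}

# Only dispatch when installed and invoked as jw-shell; when the file is
# sourced or run under another name it just defines the functions above.
case $0 in
    *jw-shell) forced_main ;;
esac
```

Keep the rest of the key's options (no-pty, no-*-forwarding, or restrict) in place: the wrapper controls only which command runs, not what else the session could do.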