RE: Going MAD trying to get scp working on Solaris8 - Horah - Its resolved - Or Is it....
From: Fraser, Mike (mfraser_at_dsiddoms.eds.com)
Date: 06/20/03
- Previous message: Danny Con: "Bind problem"
- Maybe in reply to: Wright, Gary: "Going MAD trying to get scp working on Solaris8 - Horah - Its res olved - Or Is it...."
- Next in thread: Galen Johnson: "Re: Going MAD trying to get scp working on Solaris8 - Horah - Its res olved - Or Is it...."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Wright, Gary'" <Gary.Wright@uk.experian.com>, "'secureshell@securityfocus.com'" <secureshell@securityfocus.com>
Date: Fri, 20 Jun 2003 08:40:34 -0400
Gary, et al,
The ssh-agent will indeed hold keys for use by ssh related programs. The
problem you are hitting is running MULTIPLE copies of the agent, each with
its own copy of the key available only to the calling session and children.
The key to what you want to accomplish is to make sure a SINGLE agent is
available to all ssh related programs run by the user. When the ssh-agent
is run by the eval it emits two variables into the environment.
SSH_AGENT_PID=nnnnn
SSH_AUTH_SOCKET=/tmp/ssh-??????/agent.mmmmm # or something similar
All children of this session use these variables to communicate with the
active agent. The problem is that children of new sessions do not have this
information to contact the active agent.
Try adding the following snippet to .profile (for Bourne shells or similar),
i.e. replace the eval 'ssh-agent'. This will:
1 - Ensure a single copy of the agent.
2 - Point all successive sessions for the same user to the ONE active agent.
There are certainly ways to improve this code but it works for me. BTW, you
will have to manually do the ssh-add for the first invocation to provide the
passphrase.
The one disadvantage I find is that if the system is rebooted, thus killing
the active agent, all successive non-interactive sessions will start/find
the agent then fail for lack of a loaded key.
Hope this helps, Mike
----------------------------------------------------------------------------
# load ssh agent or connect to an existing agent
# File to store agent pointer data
AGT=$HOME/.ssh-agent.out
# do we know of one already?
if [ -z "$SSH_AGENT_PID" ]
then
    if [ -f "$AGT" ]
    then
        # Use data from prior agent invocation
        eval `cat "$AGT"`
    else
        # Or start a new agent and connect this session to it
        # (-s forces Bourne-shell style output even when $SHELL is a csh)
        ssh-agent -s >"$AGT"
        # 0600, not 0500: the owner must still be able to rewrite the file below
        chmod 0600 "$AGT"
        . "$AGT"
        # May want to ssh-add here
    fi
    # Make sure PID points to a real ssh-agent & that it's really mine
    # Caution: the following grep will vary across OS/release as 'ps' output changes
    if [ -n "$SSH_AGENT_PID" ] &&
       ps -fp "$SSH_AGENT_PID" | grep -q "^[ ]*$LOGNAME.*ssh-agent$"
    then
        echo Agent pid valid # all OK
    else
        # Nothing useful there at this PID, so start a new agent and
        # connect this session to it
        ssh-agent -s >"$AGT"
        chmod 0600 "$AGT"
        . "$AGT"
        # May want to ssh-add here
    fi
fi
--------------------------------------------------------------------------
-----Original Message-----
From: Wright, Gary [mailto:Gary.Wright@uk.experian.com]
Sent: Thursday, June 19, 2003 11:02 AM
To: 'secureshell@securityfocus.com'
Subject: Going MAD trying to get scp working on Solaris8 - Horah - Its resolved - Or Is it....
MANY MANY MANY MANY THANKS to everyone for replying to my email, scp is now
working without entering a password or passphrase.
It works by entering NO passphrase when creating the key files (on both
servers) and by setting (PubkeyAuthentication yes) in sshd_config
As soon as these changes were made and the SSHD daemons were re-started, all
was fine :-)))
My only remaining question is, isn't it VERY insecure to use NULL pass
phrases? All SSH documentation warns against using null pass phrases.
Is it not possible to copy file(s) via scp and using passphrases?
Further investigation reveals that you can set a passphrase as recommended
and then use the eval 'ssh-agent' and ssh-add commands to add the
passphrase to the running agent. This looks great, BUT it appears that a
user has to enter the passphrase every time the agent is called.
I know I must be missing something as you must be able to add the
pass-phrase once only, and then be able to use scp whenever from
scripts/cronjobs etc.
Can anyone please tell me how I now complete the final piece of the puzzle
and add the passphrase ONCE enabling a user to use scp whenever
(interactively, scripts, cronjobs etc).
Thanks again for all your help.
Regards,
Gary.
Gary Wright
Oracle Technical Team Leader
Host Strategy
Experian Ltd
* +44 (0)115 934 4672
* +44 (0)7967 342 777
* +44 (0)115 934 4680
* Email: gary.wright@uk.experian.com
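As an added example (not Mike's script and not OpenSSH's own code), the same single-agent-per-user idea from Mike's message with the two checks his snippet leaves to ps output: the pointer file is only sourced if it contains exactly what `ssh-agent -s` writes (anything else would be executed by `.`), and the post-reboot case he mentions (agent restarted but no key loaded) is reported distinctly. It assumes OpenSSH's `ssh-agent -s` output format and the documented `ssh-add -l` exit codes; the function names are mine.

```shell
#!/bin/sh
# Added example, not the list post's code: connect a login shell to ONE
# ssh-agent per user, validating the pointer file before sourcing it.
# Assumes OpenSSH ssh-agent/ssh-add; $AGT is the same pointer file as the post.
AGT=${AGT:-$HOME/.ssh-agent.out}

# 0 if FILE holds only the three lines `ssh-agent -s` writes. Anything else
# would be executed by `. FILE`, so a modified file is rejected outright.
agent_file_ok() {
    [ -s "$1" ] || return 1
    ! grep -Ev '^(SSH_AUTH_SOCK=[^; ]+; export SSH_AUTH_SOCK;|SSH_AGENT_PID=[0-9]+; export SSH_AGENT_PID;|echo Agent pid [0-9]+;)$' "$1" >/dev/null
}

# Print one of: missing, tampered, stale, live. Instead of grepping ps output
# (which differs per OS), kill -0 checks the pid exists AND is ours (a non-root
# user gets EPERM on another user's process; root would need an extra owner
# check); the agent socket must also still exist.
agent_state() {
    [ -f "$1" ] || { echo missing; return 0; }
    agent_file_ok "$1" || { echo tampered; return 0; }
    pid=$(sed -n 's/^SSH_AGENT_PID=\([0-9]*\);.*/\1/p' "$1")
    sock=$(sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p' "$1")
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null && [ -S "$sock" ]; then
        echo live
    else
        echo stale
    fi
}

# Call from .profile in place of eval `ssh-agent`. Returns 0 when a key is
# loaded, 1 when the agent is empty (e.g. after a reboot: run ssh-add by hand),
# 2 when no agent can be reached. ssh-add -l exit codes: 0 keys listed,
# 1 agent has no identities, 2 cannot contact the agent.
use_agent() {
    if [ "$(agent_state "$AGT")" != live ]; then
        # New file is created 0600 (umask in a subshell): the owner must still
        # be able to rewrite it later, which 0500 would prevent
        (umask 077; rm -f "$AGT"; ssh-agent -s >"$AGT") || return 2
    fi
    . "$AGT" >/dev/null
    ssh-add -l >/dev/null 2>&1
    case $? in
        0) return 0 ;;
        1) echo "ssh-agent $SSH_AGENT_PID holds no key; run ssh-add" >&2; return 1 ;;
        *) echo "cannot contact ssh-agent via $SSH_AUTH_SOCK" >&2; return 2 ;;
    esac
}
```

A cron job can source the same file and call `ssh-add -l` before scp to fail early with a clear message instead of hanging on a passphrase prompt.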