Re: configuring ssh-agent to automate passphrase for the key
From: Pierre Asselin (pa_at_see.signature.invalid)
Date: 12/28/04
- Next message: Prem Rachakonda: "Unable to establish remote SSH connection from XP machine"
- Previous message: Richard E. Silverman: "Re: hostbase auth"
- In reply to: Javed: "configuring ssh-agent to automate passphrase for the key"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 28 Dec 2004 01:14:47 +0000 (UTC)
Javed <kjaved@ncs.com.sg> wrote:
> [ ... ]
> during initiating the connection we are prompted for the passphrase of
> the key. The passphrase is a must for our requirement.
Requirement duly noted.
> Our requirement is to automate the entry of passphrase, means there
> shouldn't be any human intervention.
This second requirement contradicts the first. A human *has* to enter
the passphrase at least once, otherwise your system is somehow defeating
security by storing the passphrase in the clear.
You can use ssh-agent to create an intermediate system where the
passphrase is entered only once. (It should be "once per day" or
"once per session", otherwise you are effectively back to a system
without a passphrase.) ssh-agent is used from the command line
in the following way:
$ eval $(ssh-agent -s)
The command "ssh-agent -s" creates a background process (the agent)
and prints output that looks like this:
SSH_AUTH_SOCK=/tmp/ssh-OsrzU24442/agent.24442; export SSH_AUTH_SOCK;
SSH_AGENT_PID=24443; export SSH_AGENT_PID;
echo Agent pid 24443;
when captured in a shell $(...) construct and passed to the shell "eval"
function, it causes the parent shell to create the environment variables
SSH_AUTH_SOCK and SSH_AGENT_PID. The first of these is used to communicate
with the background agent. The second variable, SSH_AGENT_PID, is used
only to stop a running agent, via the command
eval $(ssh-agent -k)
All processes subsequently started by the shell have a copy of
these variables.
After starting the agent, you load the private key:
$ ssh-add
Enter passphrase for <key file>:
and it is the "ssh-add" command that prompts you for a passphrase.
The "ssh-add" command uses $SSH_AUTH_SOCK to communicate with the agent.
At this point, all ssh processes started by this shell, or by other
processes started by this shell, can use $SSH_AUTH_SOCK to obtain
signatures from the agent. Maybe all you need to do is run ssh-agent
and ssh-add before starting your Oracle thing for the day.
If you need to use the agent from processes that are not descendants
of your starting shell, for example cron jobs, then those processes
will have to search for the running agent's socket. They should
look in /tmp for a directory of the form "ssh-*" containing a single
file "agent.*", of type "socket", owned by their userid and to
which they have read and write permission. They can then set their
own SSH_AUTH_SOCK environment variable to the name of the socket,
after which they will be able to run ssh commands that use the
private key.
Your policy could require a human officer to start an agent in the
morning and kill it at the end of the business day, for example.
-- pa at panix dot com
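The procedure Pierre describes (start an agent once, load the key once, and let later processes that did not inherit SSH_AUTH_SOCK find the socket under /tmp) as a set of shell functions. This is an added example, not code from the original post or from OpenSSH; the function names, the optional search-directory argument (defaulting to /tmp) and the exit-code convention of attach_agent are my own choices, and the socket layout it searches for is the "ssh-*/agent.*" layout the post describes.

```shell
#!/bin/sh
# Added example: helpers around ssh-agent for the "enter the passphrase once
# per day" model. Functions only; nothing runs until you call them.

# Morning: start an agent in this shell and load one private key.
# Argument: the path of the key file. ssh-add prompts for the passphrase
# exactly once; the agent keeps the decrypted key in memory, never on disk.
start_day_agent() {
    key="$1"
    [ -r "$key" ] || { echo "key file not readable: $key" >&2; return 1; }
    # ssh-agent -s prints the SSH_AUTH_SOCK/SSH_AGENT_PID export lines;
    # eval makes them variables of the calling shell.
    eval "$(ssh-agent -s)" >/dev/null || return 1
    ssh-add "$key"
}

# Evening: stop the agent started above (needs SSH_AGENT_PID from eval).
stop_day_agent() {
    [ -n "${SSH_AGENT_PID:-}" ] || { echo "no agent pid in environment" >&2; return 1; }
    eval "$(ssh-agent -k)" >/dev/null
}

# For processes that did not inherit the variables (cron jobs): look under
# the search base (default /tmp) for ssh-*/agent.* that is really a socket,
# owned by us, and readable and writable. Prints the first match.
find_agent_socket() {
    base="${1:-/tmp}"
    for sock in "$base"/ssh-*/agent.*; do
        # -S socket, -O owned by the effective user, -r/-w usable by us.
        # A plain file or another user's socket is skipped.
        if [ -S "$sock" ] && [ -O "$sock" ] && [ -r "$sock" ] && [ -w "$sock" ]; then
            printf '%s\n' "$sock"
            return 0
        fi
    done
    return 1
}

# Point this shell at a found agent and verify it answers.
# Returns 0: agent reachable and a key is loaded (ssh will work unattended)
#         1: agent reachable but empty (ssh-add was never run today)
#         2: no usable socket, or a stale one whose agent has exited
attach_agent() {
    sock=$(find_agent_socket "${1:-/tmp}") || return 2
    SSH_AUTH_SOCK="$sock"; export SSH_AUTH_SOCK
    # ssh-add -l exits 0 with identities, 1 with none, 2 if it cannot connect.
    ssh-add -l >/dev/null 2>&1
    case $? in
        0) return 0 ;;
        1) return 1 ;;
        *) return 2 ;;
    esac
}
```

A cron job would source this file, call attach_agent, and only run its ssh command when attach_agent returns 0; a non-zero return is the signal that the officer has not started or loaded the agent today, which is exactly the human-in-the-loop property the post argues you cannot remove.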