Hey all,
I have ssh-askpass installed on Centos 5.7 and I'm trying to find a way to log into the host and not have it ask me to enter in my long / complex passphrase every time I ssh into another host.
I've googled for some scripts that you can add to your bash configuration so that you won't have to do that.
So I have to end up typing 'eval $(ssh-agent) && ssh-add' and enter in my passphrase every time. It's a little annoying. I've been dealing with this for a while and I could use some help.
Here's my bashrc file with the lines on using ssh-agent and ssh-add in it:
# .bashrc

# Source global definitions
if [ -f /etc/bashrc ]; then
    . /etc/bashrc
fi

# User specific aliases and functions
SSH_ENV=$HOME/.ssh/env-$HOSTNAME

function ssh_clean {
    d="$HOME/.ssh"
    f0=$d/known_hosts
    f1=$d/known_hosts_tmp
    cat /dev/null > $f1
    while read host line; do
        if [ $host != "localhost" ]; then
            echo $host $line >> $f1
        fi
    done < $f0
    mv $f1 $f0
    chmod 644 $f0
}

# Initialize new agent and add authentication
function start_agent {
    echo "Initialising new SSH agent on $HOSTNAME on $(date)" >> ~/agent
    # Start authenticating daemon
    # No authentications set up yet, just starting daemon!
    ssh-agent | head -2 > ${SSH_ENV}
    chmod 600 ${SSH_ENV}
    # Find SSH_AUTH_SOCK and SSH_AGENT_PID of the available daemon
    . ${SSH_ENV} > /dev/null
    # Add authentication to this and only this daemon
    ssh-add
}

if [ -f "$SSH_ENV" ]; then
    # Find SSH_AUTH_SOCK and SSH_AGENT_PID of the available daemon
    . ${SSH_ENV} > /dev/null
    # Check if the agent is still running
    ierr=0
    ps ${SSH_AGENT_PID} > /dev/null || ierr=1
    if [ $ierr == "0" ]; then
        echo > /dev/null
    else
        # If not initialize new agent and
        # add authentication
        start_agent;
    fi
else
    start_agent;
fi

export PATH=$PATH:/home/iloshakov:/home/tdineen/eporter:/home/mrupapara:/home/tdunphy/bin:/home/ashoykhet:/home/tdineen/eporter
export PUB='/homeuser/.ssh/id_rsa.pub'
I'd appreciate any advice you may have!
Thanks
Tim
On 02.03.2014 14:57, Tim Dunphy wrote:
Hey all,
I have ssh-askpass installed on Centos 5.7 and I'm trying to find a way to log into the host and not have it ask me to enter in my long / complex passphrase every time I ssh into another host.
I've googled for some scripts that you can add to your bash configuration so that you won't have to do that.
[ ... ]
Use keychain[1]. It is provided by the ghettoforge repository for instance. Repoforge has it too.
Tim
Alexander
On Mar 2, 2014, at 9:22 AM, Alexander Dalloz ad+lists@uni-x.org wrote:
On 02.03.2014 14:57, Tim Dunphy wrote:
Hey all,
I have ssh-askpass installed on Centos 5.7 and I'm trying to find a way to log into the host and not have it ask me to enter in my long / complex passphrase every time I ssh into another host.
I've googled for some scripts that you can add to your bash configuration so that you won't have to do
Why not just use authorized_keys with an empty pass phrase?
On Sun, Mar 2, 2014 at 1:26 PM, Alexander Dalloz ad+lists@uni-x.org wrote:
On 02.03.2014 19:16, Joseph Spenner wrote:
Why not just use authorized_keys with an empty pass phrase?
Because that is discouraged due to security.
+1 security, security, security -- password-less SSH keys aren't a great idea -- for some situations, they are acceptable - but overuse is bound to bite back
It's simple enough to use the ssh-agent to store your passphrase in the keyring for a designated amount of time. When I'm running GNOME, I allow the built-in ssh-agent to handle things for me ... when I'm working via gnu screen, I use ssh-agent+ssh-add.
By what you have said, it doesn't sound like you're caching things in the keyring. For a day at work, I only ever have to enter my passphrase once (unless I remotely connect to my desktop from another desktop to connect to a server). Other than a password for the root user (which I rarely use), I'm using SSH keys to authenticate.
I too am using ssh-agent and ssh-add.
I have added ssh-agent to my bash profile so it's automatically run. From there I manually run ssh-add and enter my passphrase. Smooth sailing from there.
Alexander
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
By what you have said, it doesn't sound like you're caching things in the keyring. For a day at work, I only ever have to enter my passphrase once (unless I remotely connect to my desktop from another desktop to connect to a server).
Bingo! That's what I'm after.
I too am using ssh-agent and ssh-add.
I have added ssh-agent to my bash profile so it's automatically run. From there I manually run ssh-add and enter my passphrase. Smooth sailing from there.
Think you could maybe post the lines in your bash_profile to achieve that? I've tried everything from what I showed you at the top of the thread to just simply adding:
eval $(ssh-agent)
ssh-add
To my bashrc file. Also what's the difference between storing something like this in your bash_profile vs bashrc?
Thanks Tim
On Sun, Mar 2, 2014 at 1:54 PM, SilverTip257 silvertip257@gmail.com wrote:
[ ... ]
-- ---~~.~~--- Mike // SilverTip257 //
On 2014-03-02, Tim Dunphy bluethundr@gmail.com wrote:
To my bashrc file. Also what's the difference between storing something like this in your bash_profile vs bashrc?
The difference between storing anything in .bash_profile versus .bashrc is that .bash_profile is executed only for interactive login shells, and .bashrc is executed only for interactive nonlogin shells (e.g., if you type "bash" at a prompt). Read the man page for bash and look for the INVOCATION section.
--keith
On Sun, Mar 2, 2014 at 2:00 PM, Tim Dunphy bluethundr@gmail.com wrote:
By what you have said, it doesn't sound like you're caching things in the keyring. For a day at work, I only ever have to enter my passphrase once (unless I remotely connect to my desktop from another desktop to connect to a server).
Bingo! That's what I'm after.
I too am using ssh-agent and ssh-add.
I have added ssh-agent to my bash profile so it's automatically run. From there I manually run ssh-add and enter my passphrase. Smooth sailing from there.
Think you could maybe post the lines in your bash_profile to achieve that? I've tried everything from what I showed you at the top of the thread to just simply adding:
eval $(ssh-agent)
That's exactly what I have in my .bash_profile for the agent part
If I wasn't utilizing the GNOME keyring on my desktop (as I do most of the time), I'd be doing things a bit differently. That's for sure ;)
ssh-add
I'm using: ssh-add -t8h /path/to/private-key
The manpage says that when run without arguments ssh-add picks the default names ~/.ssh/id_dsa or ~/.ssh/id_rsa, but does _not_ specify a time for the key to be cached. I tried excluding the time period and can auth with my key after disconnecting, but I'm not sure what the caching default time period is for the keyring.
I also run "ssh-add -D" at the end of my shift so my unlocked keys are removed from the ssh-agent (and the key is once again locked/requires my passphrase).
To my bashrc file. Also what's the difference between storing something like this in your bash_profile vs bashrc?
Keith replied back on this one and he's spot on with his response.
-- .bash_profile is executed for login shells
-- .bashrc is executed for interactive non-login shells
I expect the difference there is why you are being prompted each time (though I've not tested it yet).
[0] http://www.joshstaiger.org/archives/2005/07/bash_profile_vs.html
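Mike's setup (an agent started once per login, the key loaded with a lifetime, ssh-add -D at the end of the shift) written out as a file sourced from ~/.bash_profile, which also covers Keith's login-shell versus .bashrc point. This is an added example, not code from any poster; the env-file path, the 8h lifetime and the key path are this example's choices.

```shell
# Added example, not from the thread: save as ~/.ssh/agent.sh and source it from
# ~/.bash_profile so it runs once per login shell, not in every .bashrc.
# Assumed names: the env-file path, the 8h lifetime and the key path.

SSH_ENV="$HOME/.ssh/agent-env"      # remembers the agent's socket and pid
SSH_KEY="$HOME/.ssh/id_rsa"         # the passphrase-protected private key

# Return 0 if the agent recorded in $SSH_ENV is still running, otherwise 1.
# Sourcing the file also exports SSH_AUTH_SOCK/SSH_AGENT_PID into this shell.
agent_alive() {
    [ -r "$SSH_ENV" ] || return 1
    . "$SSH_ENV" >/dev/null
    [ -n "$SSH_AGENT_PID" ] && kill -0 "$SSH_AGENT_PID" 2>/dev/null
}

# Start an agent only when no live one exists; every later terminal reuses it.
# The key is loaded with a lifetime (-t) so it locks itself after a work day,
# and ssh-add only prompts when no identity is loaded yet.
ensure_agent() {
    if ! agent_alive; then
        # keep only the two export lines, written with owner-only permissions
        ( umask 077; ssh-agent -s | grep -v '^echo' > "$SSH_ENV" )
        . "$SSH_ENV" >/dev/null
    fi
    ssh-add -l >/dev/null 2>&1 || ssh-add -t 8h "$SSH_KEY"
}

# End of shift: drop all identities so the key needs the passphrase again.
lock_keys() {
    ssh-add -D
}

# In ~/.bash_profile:   . ~/.ssh/agent.sh && ensure_agent
```

Non-login shells opened later (a new screen window, a subshell) inherit SSH_AUTH_SOCK from the login shell, so they reach the same agent without a second prompt.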
Why not just use authorized_keys with an empty pass phrase?
Because that is discouraged due to security.
Exactly right. I'm using authorized_keys on the remote host. But I have a long, complex passphrase on my private RSA key on my workstation. I think it's a little foolish to not do that, and in addition it's prohibited by company policy to use keypairs for ssh without passphrases.
What I'm trying to do is manage that passphrase in my bashrc using ssh-askpass so I don't have to type it in every time.
Use keychain[1]. It is provided by the ghettoforge repository for instance. Repoforge has it too.
I've never heard of either. But I guess I could give it a shot. However my preference would be to find the right bash snippet to pop into my bashrc to allow me to do what I'm trying.
Thanks, Tim
On Sun, Mar 2, 2014 at 1:26 PM, Alexander Dalloz ad+lists@uni-x.org wrote:
On 02.03.2014 19:16, Joseph Spenner wrote:
Why not just use authorized_keys with an empty pass phrase?
Because that is discouraged due to security.
Alexander
On 3/2/2014 10:55 AM, Tim Dunphy wrote:
Exactly right. I'm using authorized_keys on the remote host. But I have a long, complex passphrase on my private RSA key on my workstation. I think it's a little foolish to not do that, and in addition it's prohibited by company policy to use keypairs for ssh without passphrases.
so how do you do things like cron automated rsync transfers? run nagios monitoring agent scripts? backup scripts? etc etc etc?
what, you have an operator who hovers over the keyboard entering passphrases ?
so how do you do things like cron automated rsync transfers? run nagios monitoring agent scripts? backup scripts? etc etc etc?
Ok. Now you're making fun. But to answer your questions, we don't rsync in this environment, the way we should. The whole environment is entirely under-scripted and we don't have the manpower to allow me to script it up to par. Blah blah, excuse excuse. My day is go go from the time I get to work to the time I leave, without much time to be creative where it could benefit the dept.
But for backups I setup bacula to run over TLS. Works great! Next question?
what, you have an operator who hovers over the keyboard entering passphrases ?
Yes. That would be me.
On Sun, Mar 2, 2014 at 2:06 PM, John R Pierce pierce@hogranch.com wrote:
[ ... ]
-- john r pierce 37N 122W somewhere on the middle of the left coast
On Mar 2, 2014, at 11:55 AM, Tim Dunphy bluethundr@gmail.com wrote:
On Sun, Mar 2, 2014 at 1:26 PM, Alexander Dalloz ad+lists@uni-x.org wrote:
On 02.03.2014 19:16, Joseph Spenner wrote:
Why not just use authorized_keys with an empty pass phrase?
Because that is discouraged due to security.
Alexander
But having a script which automatically connects without the 'big ugly password' isn't a security risk? I don't follow. Also, you could further secure the authorized_keys file by only permitting the key to be used from a certain location, if you don't trust the security of your own private key.
But having a script which automatically connects without the 'big ugly password' isn't a security risk? I don't follow.
Well, ssh-askpass stores your password in a hash and has some security features built into it. It's not really a simple script. Its job is to enter your pass phrase for you so you don't have to type it in every time.
Also, you could further secure the authorized_keys file by only permitting the key to be used from a certain location, if you don't trust the security of your own private key.
It's not that I don't trust my own private key. It's that NO private key is really very secure if it isn't password protected.
On Sun, Mar 2, 2014 at 2:19 PM, Joseph Spenner joseph85750@yahoo.com wrote:
[ ... ]
Hi Joseph,
Why not just use authorized_keys with an empty pass phrase?
because every responsible system admin will immediately kill you when you do that? :-)
Except in very specific situations, e.g. unattended jobs that copy data or execute commands over ssh connections, it is very unwise to *ever* create an ssh key without a passphrase, as the only thing between that key and access to the systems it 'protects' is then file permissions on the server it is located on.
Even in the few situations where it is unavoidable (in most cases it just seems so) to use an unprotected key, actions should be taken to limit its usability as much as possible (no-pty, forced commands etc.).
The sensible way to achieve what the OP wants is to use an SSH agent.
Cheers,
Peter.
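Peter's advice to limit an unprotected key with no-pty and a forced command, illustrated with an added authorized_keys entry that is not from the thread: it pins the key of an unattended backup job (the kind John asked about) to one source address and one script. The address, script path and key material are placeholders.

```text
# ~/.ssh/authorized_keys on the server the unattended job logs in to
# (added example; 192.0.2.10, the script path and the key blob are placeholders)
from="192.0.2.10",command="/usr/local/bin/rsync-receive.sh",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2E...PLACEHOLDER backup@jobhost
```

With command= set, whatever the client actually asked to run arrives in SSH_ORIGINAL_COMMAND, so rsync-receive.sh should compare it against the one rsync invocation it expects and refuse anything else.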
On Mon, Mar 3, 2014 at 3:40 AM, Peter Eckel lists@eckel-edv.de wrote:
Why not just use authorized_keys with an empty pass phrase?
because every responsible system admin will immediately kill you when you do that? :-)
Except in very specific situations, e.g. unattended jobs that copy data or execute commands over ssh connections, it is very unwise to *ever* create an ssh key without a passphrase, as the only thing between that key and access to the systems it 'protects' is then file permissions on the server it is located on.
Errr, 'unattended jobs' are the main reason for having computers. Well, that and watching kitten videos.
Hi Les,
Errr, 'unattended jobs' are the main reason for having computers.
I differentiate here between desktop machines and servers ... regarding servers you're definitely right, but though I don't have reliable data I'd say from experience that the vast majority of ssh keys are stored on desktop systems used to administer servers. And those are exactly the ones I'd rather never see being used without a strong passphrase.
Well, that and watching kitten videos.
You're definitely correct here :-)
Cheers,
Peter.
On Mon, Mar 3, 2014 at 8:25 AM, Peter Eckel lists@eckel-edv.de wrote:
Hi Les,
Errr, 'unattended jobs' are the main reason for having computers.
I differentiate here between desktop machines and servers ... regarding servers you're definitely right, but though I don't have reliable data I'd say from experience that the vast majority of ssh keys are stored on desktop systems used to administer servers. And those are exactly the ones I'd rather never see being used without a strong passphrase.
That distinction is blurred for me. While I usually have a Windows desktop or laptop in front of me at work and a Mac at home, my actual work 'Desktop' is a long-running freenx/NX (or recently x2go) session from one of the CentOS servers and I just connect to it from whatever device I'm using - which will handle it as just another window. I might run email/browsers, etc. from the local device, but server administration operations are done from the NX/x2go session so the keys involved would be stored on a server in a secure location - and one that is always up for cron jobs, etc. Aside from the convenience of being able to pick up the running session from different devices, this approach eliminates the hassle of dealing with Linux video drivers and still gives pretty good performance even when the server is at a different location.