Many developers use OpenSSH as a secure, encrypted replacement for the old telnet and rsh commands. One of OpenSSH's more attractive features is RSA and DSA authentication, which uses a pair of complementary digital "keys" to authenticate users. RSA and DSA authentication promise that no password has to be sent to the remote system, and the ability to connect to remote systems without one is one of their main charms. In this second article, Daniel introduces ssh-agent (a private key cache) and keychain, a special bash script designed to make key-based authentication extremely convenient and flexible.
Introduction to ssh-agent
ssh-agent, which is included in the OpenSSH distribution, is a special program designed to make dealing with RSA and DSA keys both pleasant and secure (see Part 1 of this series for an introduction to RSA and DSA authentication). Unlike ssh, ssh-agent is a long-running daemon whose sole purpose is to cache your decrypted private keys. ssh has built-in support for talking to ssh-agent, which lets ssh obtain your decrypted private key from the agent instead of prompting you for a passphrase every time you open a new connection. To use ssh-agent, you first add a private key to it with ssh-add. This is a one-time step: once a key has been added, ssh gets it from ssh-agent without ever asking you for the passphrase.
Use ssh-agent
Let's look at how the whole ssh-agent key-caching system works. When ssh-agent starts, it prints a few important environment variables to standard output before detaching from the shell and continuing to run in the background. Here is an example of the output ssh-agent produces at startup:

    % ssh-agent
    SSH_AUTH_SOCK=/tmp/ssh-XX4LkMJS/agent.26916; export SSH_AUTH_SOCK;
    SSH_AGENT_PID=26917; export SSH_AGENT_PID;
    echo Agent pid 26917;

As you can see, ssh-agent's output is really a series of shell commands which, if executed, would set two environment variables, SSH_AUTH_SOCK and SSH_AGENT_PID. The export commands are included so that these variables are available to any other commands run later. Now, the shell does not evaluate these lines by itself; at this point they have merely been printed to standard output (stdout). So we should invoke ssh-agent like this:

    eval `ssh-agent`

This tells bash to run ssh-agent first and then evaluate ssh-agent's output. Invoked this way (using backquotes rather than regular single quotes), the shell sets and exports the SSH_AGENT_PID and SSH_AUTH_SOCK variables, so they are available to every new process started during the login session.

The best way to start ssh-agent is to add the line above to your ~/.bash_profile. That way, every program started from your login shell sees the environment variables, can locate ssh-agent, and can query it for keys as needed. The most important variable is SSH_AUTH_SOCK: it contains the path of the UNIX domain socket that ssh and scp use to talk to ssh-agent.
Use ssh-add
However, ssh-agent's cache is empty when it starts; it holds no decrypted private keys. Before we can use ssh-agent, we must first add our private key to it with the ssh-add command. In the following example, ssh-add adds my private RSA key, ~/.ssh/identity, to ssh-agent's cache:

    # ssh-add ~/.ssh/identity
    Need passphrase for /home/drobbins/.ssh/identity
    Enter passphrase for /home/drobbins/.ssh/identity (enter passphrase)

As you can see, ssh-add asks for my passphrase, decrypts the private key, and stores it in ssh-agent's cache for later use. Once you have added a private key (or several keys) to ssh-agent with ssh-add, and SSH_AUTH_SOCK is defined in your current shell (which it is if you started ssh-agent from ~/.bash_profile), you can use ssh and scp to connect to remote systems without supplying a passphrase.
Limitations of ssh-agent
ssh-agent is great, but its default configuration still leaves us with a few small inconveniences. Let's look at these shortcomings.

First, putting eval `ssh-agent` in ~/.bash_profile starts a new copy of ssh-agent every time you log in. That is not only wasteful; it also means you have to ssh-add your private key to each new copy. If you only ever open one terminal or console on a system, this is no big deal, but most of us open many terminals, and with this setup every newly opened console asks for your passphrase again. Technically, a single running ssh-agent process should be enough, so having to repeat this each time makes no sense.

A related problem is that ssh-agent does not get along with cron jobs. Because cron jobs are started by the cron process, they do not inherit the SSH_AUTH_SOCK variable in their environment, so they have no way of knowing that an ssh-agent process is running or how to contact it. It turns out that this problem can be fixed as well.
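Both the eval `ssh-agent` idiom shown earlier and the two limitations just described (a fresh agent per login, and cron jobs that cannot find the agent) come down to where SSH_AUTH_SOCK and SSH_AGENT_PID live. The following POSIX shell script is an added example, not code from the article, from Daniel's keychain, or from OpenSSH: it records those two variables in a file (the name $HOME/.ssh/agent.env is an assumption) and re-imports them in later shells and cron jobs after checking that the recorded agent is still alive. It parses ssh-agent's output with a strict pattern instead of eval'ing it, so a tampered env file cannot run arbitrary commands in your login shell.

```shell
#!/bin/sh
# Added example for this article (not the author's code and not keychain's):
# keep ONE ssh-agent per login session by recording its SSH_AUTH_SOCK and
# SSH_AGENT_PID in a file, and have later shells and cron jobs reuse that
# agent instead of starting a new, empty one.  The file name is an assumption.
AGENT_ENV_FILE="${AGENT_ENV_FILE:-$HOME/.ssh/agent.env}"

# Only accept values shaped like what ssh-agent prints: an absolute socket
# path with no shell metacharacters, and a decimal pid.  This is what lets us
# import the saved file later without eval'ing it.
valid_sock() {
    case "$1" in /*) ;; *) return 1 ;; esac
    case "$1" in *[!A-Za-z0-9._/-]*) return 1 ;; esac
}
valid_pid() {
    case "$1" in '' | *[!0-9]*) return 1 ;; esac
}

# Read ssh-agent's startup output (or our saved file) on stdin and print
#   SSH_AUTH_SOCK=<path>
#   SSH_AGENT_PID=<pid>
# Returns 1 if either value is missing or malformed.
parse_agent_output() {
    pa_sock='' pa_pid=''
    while IFS= read -r pa_line; do
        pa_kv=${pa_line%%;*}                 # strip "; export NAME;" and beyond
        case "$pa_kv" in
            SSH_AUTH_SOCK=*) pa_sock=${pa_kv#SSH_AUTH_SOCK=} ;;
            SSH_AGENT_PID=*) pa_pid=${pa_kv#SSH_AGENT_PID=} ;;
        esac
    done
    valid_sock "$pa_sock" && valid_pid "$pa_pid" || return 1
    printf 'SSH_AUTH_SOCK=%s\nSSH_AGENT_PID=%s\n' "$pa_sock" "$pa_pid"
}

# True if the recorded agent process still exists and its socket is present.
agent_alive() {   # $1 = pid, $2 = socket path
    valid_pid "$1" && valid_sock "$2" && kill -0 "$1" 2>/dev/null && [ -S "$2" ]
}

# Export SSH_AUTH_SOCK and SSH_AGENT_PID from the saved file (no eval).
load_agent_env() {   # $1 = env file
    [ -r "$1" ] || return 1
    la_env=$(parse_agent_output < "$1") || return 1
    for la_kv in $la_env; do        # safe to word-split: values were validated
        case "$la_kv" in
            SSH_AUTH_SOCK=*) SSH_AUTH_SOCK=${la_kv#*=}; export SSH_AUTH_SOCK ;;
            SSH_AGENT_PID=*) SSH_AGENT_PID=${la_kv#*=}; export SSH_AGENT_PID ;;
        esac
    done
}

# Reuse the recorded agent if it is still alive; otherwise start a fresh one
# (ssh-agent -s forces Bourne-style output) and record it with mode 0600 so
# the socket path stays private to you.
ensure_agent() {
    if load_agent_env "$AGENT_ENV_FILE" && agent_alive "$SSH_AGENT_PID" "$SSH_AUTH_SOCK"; then
        return 0
    fi
    mkdir -p "$(dirname "$AGENT_ENV_FILE")" || return 1
    ( umask 077; ssh-agent -s | parse_agent_output > "$AGENT_ENV_FILE" ) || return 1
    load_agent_env "$AGENT_ENV_FILE"
}
```

Saved as, say, ~/.ssh/agent.sh (another assumed name), the script is sourced from ~/.bash_profile followed by a call to ensure_agent, so the first login starts an agent and every later terminal attaches to the same one and keeps the keys you ssh-add'ed. A crontab command can do the same with `. $HOME/.ssh/agent.sh && load_agent_env "$AGENT_ENV_FILE" && ssh ...`, which gives the cron job the SSH_AUTH_SOCK it would otherwise never inherit.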