ssh-agent and ssh-add Automated Passwords
This article shows how to automatically add your private key to your ssh-agent keyring each time you open a shell (and remove it automatically when you close it), so that password entry is automated. ssh-add and ssh-agent work on most variants of Linux and Unix, and also work on Cygwin.
What is ssh-agent?
ssh-agent is a program that holds private keys (like those you created with ssh-keygen) used for public key authentication with RSA, DSA, ECDSA, and Ed25519. It basically saves you from typing your password repeatedly. Instead you only have to type your password once per session, or once per a shorter lifetime, depending on how you configure ssh-agent.
ssh-agent stores the private keys, while ssh-add adds keys to or removes keys from the keyring.
Use Cases for ssh-add
You connect from your workstation to 10 different servers throughout the day, or to 1 server 10 times. Each time you have to type in a long and complicated password. Or maybe you have to jump/chain ssh tunnels. Regardless, you are typing WAY TOO MANY passwords. ssh-agent/ssh-add was designed to help you with this.
Manually Add Private Key to Keyring
You may want to simply add the key to your keyring manually. You can surely do this too, each time you open a new session:
$ ssh-add -t 3600 ~/.ssh/id_ed25519
Enter passphrase for /home/david/.ssh/id_ed25519:
Identity added: /home/david/.ssh/id_ed25519 (david@win10laptop)
Lifetime set to 3600 seconds
View Current ssh-agent Keyring
If you want to see the current keys in your keyring, use the -l option of ssh-add:
$ ssh-add -l
256 SHA256:sdfg3456jhfhgj7fdsdjkjklhjfdfghdfghdfgh76u674 david@win10laptop (ED25519)
Wouldn’t it be easier to load your keyring manager every time you opened a shell? You still have to type a password, but you don’t have to type the ssh-add commands or remember the syntax.
We can use the .bashrc script for automatically starting scripts and commands when a session is opened.
What is .bashrc?
.bashrc is executed when you start your shell and is commonly used to store aliases and startup scripts. The .bashrc can be edited with your favorite editor, e.g.:
vim ~/.bashrc
or if you forgot to install vim and are running cygwin on windows:
C:\Users\David>wordpad C:\Cygwin64\home\david\.bashrc
.bashrc and ssh-agent on Windows?
This article is written for cygwin, a collection of unix-like utilities for windows. I frequently open a bash shell on windows then close it when I’m done accessing remote servers. When I close the shell, it will remove the keys from memory and clean up files, only asking me for my password once, when I first start working. Sometimes I open several shells or go in and out of several servers. Now, using this method, I’ll only type my password for my ssh keys once (per key).
ssh-agent Automatic Startup Code
Here is the code that should go at the end of your .bashrc file to start up the keyring manager when you open a cygwin shell. You’ll be prompted once for the key password, but then it won’t ask again, even if you open multiple shells. Once all shells are closed, it will erase the key from memory automagically.
# Reuse a running agent through a fixed symlink; start a new agent only when
# no live socket is behind it (test -S checks for a socket, which is what the
# symlink points at; -s would always fail because a socket has size 0)
if [ ! -S ~/.ssh/ssh_auth_sock ]; then
    eval "$(ssh-agent -s)" > /dev/null
    ln -sf "$SSH_AUTH_SOCK" ~/.ssh/ssh_auth_sock
fi
export SSH_AUTH_SOCK=~/.ssh/ssh_auth_sock
# Prompt for the passphrase only if the agent holds no identity yet;
# -t 3600 expires the key after an hour even if the shell stays open
ssh-add -l > /dev/null 2>&1 || ssh-add -t 3600
Test Automatic ssh-agent
You need to restart your shell now so that .bashrc runs. When you restart, you should only have to type your ssh key password once, and it will be kept until you close the session or until 3600 seconds pass, whichever happens first.
Security Tips for ssh-agent
Take the following example from one of my own sessions: if someone else could read these files, they could also use them!
david@sharedserver ~
$ env | grep SSH_AUTH_SOCK
SSH_AUTH_SOCK=/home/david/.ssh/ssh_auth_sock
david@sharedserver ~
$ ls -alF /home/david/.ssh/ssh_auth_sock
lrwxrwxrwx 1 david None 31 Oct 13 15:19 /home/david/.ssh/ssh_auth_sock -> /tmp/ssh-yNwGYYhXFeEG/agent.225=
Some other tips and insights on ssh-agent security
Length of key storage
Storing your keys indefinitely is not a great idea. Use the -t option to limit any session to a finite number of seconds if using ssh-add manually. In our example above, we are only storing the key for as long as the shell is open. Once we close the shell, the key is no longer stored.
Agent Forwarding
If your client allows agent forwarding, disable it in ~/.ssh/config ("Host *" with "ForwardAgent no"), or at least do not forward through hosts you don't trust.
File Permissions on agent.pid file
Someone who uses the word nefarious might be nefarious too. In this case, if they can access your /tmp/ssh-whatever/agent.1234 socket, they might point their own SSH_AUTH_SOCK variable at it and use your keys from THEIR session, thus impersonating you and therefore, by definition, being nefarious!
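As an added check for the file-permission point above and the ls -alF output earlier (example code, not from the original article), the following function resolves ~/.ssh/ssh_auth_sock and verifies that the real socket and the /tmp/ssh-XXXX directory around it are owned by you with no group or other bits set. It assumes GNU coreutils (readlink -f, stat -c), which Linux and Cygwin both provide.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: audit the agent socket that
# ~/.ssh/ssh_auth_sock (or the path given as $1) points at. Assumes GNU
# coreutils for readlink -f and stat -c, as on Linux and Cygwin.
# Exit status 0 = socket looks safe, 1 = something another local user could
# abuse (or the symlink is stale), with one line per finding on stdout.
audit_agent_socket() {
    local link sock dir me rc owner mode p
    link="${1:-$HOME/.ssh/ssh_auth_sock}"
    sock=$(readlink -f -- "$link") || { echo "cannot resolve: $link"; return 1; }
    [ -e "$sock" ] || { echo "stale symlink, agent is gone: $link -> $sock"; return 1; }
    dir=$(dirname -- "$sock")
    me=$(id -u)
    rc=0
    # Both the socket and the /tmp/ssh-XXXX directory ssh-agent made for it
    # must belong to the current user (compared by uid, not by name).
    for p in "$sock" "$dir"; do
        owner=$(stat -c '%u' -- "$p")
        if [ "$owner" != "$me" ]; then
            echo "owned by uid $owner, not $me: $p"; rc=1
        fi
    done
    # ssh-agent creates the directory 0700 and the socket 0600; any group or
    # other bits let another local user talk to your agent and log in as you.
    mode=$(stat -c '%a' -- "$dir")
    [ "$mode" = "700" ] || { echo "directory mode $mode, expected 700: $dir"; rc=1; }
    mode=$(stat -c '%a' -- "$sock")
    [ "$mode" = "600" ] || { echo "socket mode $mode, expected 600: $sock"; rc=1; }
    return "$rc"
}
```

Source the file and run audit_agent_socket in a shell that has the agent symlink; a non-zero exit with a finding line is your cue to fix the permissions or restart the agent.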
Passwordless ssh Keys
I would not suggest "no password" for your keys, but if you store the key in plain text and script around it anyway, you aren't doing much good. Use the keyring to store it for you and make sure permissions on all files are locked down. Always use a password to encrypt your private key. (You can add a password to an existing key like so: ssh-keygen -p -f ~/.ssh/id_rsa)
Unique Keys Per Server
Please use unique keys for each client. Use the ssh-keygen tool to make new keys for your desktop, laptop, chromebook, etc.
Connect through Jumphost Properly
Instead of chaining, use ProxyJump or ProxyCommand (advanced ssh commands). These commands will allow you to use the remote host through a gateway, but not store or use credentials on the gateway, in case the gateway is hacked.