It is common practice to use ssh (= secure shell) for remote administration, foremost because it is a very secure way of doing it and is supported on a vast variety of operating systems:
- BSD (Free-/Net-/OpenBSD) – ships with OpenSSH already
- Linux (Debian, Fedora, RedHat, SuSE, Ubuntu, etc.) – usually offers OpenSSH as an optional software package
- Mac OS X – ships with OpenSSH already
- Unix (AIX, HP/UX, Solaris, etc.) – all include some SSH software package
- Windows – usually lacks useful tools, but putty fills that gap completely
In this article we’d like to look at the functionality of the ssh-agent in a little more detail, with some emphasis on the differences between several widespread operating systems.
To that end we need to become acquainted with the following tools, their purpose and their usage.
- ssh-keygen (putty equivalent = puttygen.exe)
- ssh-agent (putty equivalent = pageant.exe)
- ssh-add (putty equivalent = pageant.exe)
- ssh, scp, sftp (putty equivalents = putty.exe, pscp.exe, psftp.exe)
Before anything else, install SSH if you have not done so yet.
Debian (and similarly for other Linux distributions)
$ aptitude install ssh ...
Windows
Extract the putty.zip archive to e.g. c:\bin

Add this directory to the PATH environment variable.

Now let’s prepare the ssh-agent
Before one can use the agent, a key pair (public and private key) is required, which the agent will use to authenticate to the server.
All kinds of Unix
Let’s start with the easy setup, without any further options; for those, consult the man page.
[martin@sequoia:~]? ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/martin/.ssh/id_rsa): .ssh/id_rsa_2
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in .ssh/id_rsa_2.
Your public key has been saved in .ssh/id_rsa_2.pub.
The key fingerprint is:
2c:20:51:9b:67:9c:78:eb:c1:4c:43:fc:88:2d:97:3b martin@sequoia.local
[martin@sequoia:~]? ls -l .ssh
-rw------- 1 martin staff   408 Sep 26 2009 authorized_keys2
-r-------- 1 martin staff  1743 Sep 26 2009 id_rsa
-r--r--r-- 1 martin staff   408 Sep 26 2009 id_rsa.pub
-rw------- 1 martin staff  1743 May 14 12:01 id_rsa_2
-rw-r--r-- 1 martin staff   402 May 14 12:01 id_rsa_2.pub
-rw-r--r-- 1 martin staff 15036 May 14 11:03 known_hosts
[martin@sequoia:~]? fold -76 .ssh/id_rsa_2.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5Y/LD6qQaCsKX6zcy/fN6Ndk/0x/o3lFq9oF4Gfq
V+r/Ny3NBJGoprI3MnlmhrWvyijHOOa8yF/83q+CGP9p/5JfRU08hB5ncCvbNRfkxxDpioRMz9Xu
NZ4TSoTu1duuTROIwQfZ6IZCbQwNWRgNLiOsGXeEcbpUDLWVSF/UfItBdM7a/hoJp/JKB9RYSxav
iGQMQqkyajfPPr9RM15kWJQy//enQE+cXo2NaXQ1GWmAs5mdOYgSioztvBZBXOluMd35DQ6jX8XV
4TVRFIa9z8J2jQVZsuLzl/CnmPY/hBPbu6QIMqrReICQJ0K/Mo8j+tz0YwCZgl8w5LnPpx47hw==
 martin@sequoia.local
You may have noticed that I already had a key in use, which I’d like to keep. You’re able to use multiple identities!
Windows
Create a key pair (public and private key)
To do so, start puttygen.exe from the command line (after you’ve added the putty installation directory to the PATH variable) or double-click the puttygen.exe icon.

In the second step, while creating a new key with puttygen.exe, you secure the key with a passphrase that you will always remember!

Don’t forget to save the key pair (public and private) in separate files on disk.
Prepare for using the agent
All kinds of Unix
Append the public key to the file named authorized_keys2, which resides in the .ssh directory of your user’s home directory. Create it if it does not exist, and restrict write access for others.
It doesn’t make any difference whether you created your key pair on Windows using puttygen.exe or on a Unix system using ssh-keygen. Just make sure that the public key is added to authorized_keys2 in a format similar to the one shown here.
[martin@sequoia:~]? ls -l .ssh
-rw------- 1 martin staff   408 Sep 26 2009 authorized_keys2
-r-------- 1 martin staff  1743 Sep 26 2009 id_rsa
-r--r--r-- 1 martin staff   408 Sep 26 2009 id_rsa.pub
-rw------- 1 martin staff  1743 May 14 12:01 id_rsa_2
-rw-r--r-- 1 martin staff   402 May 14 12:01 id_rsa_2.pub
-rw-r--r-- 1 martin staff 15036 May 14 11:03 known_hosts
[martin@sequoia:~]? cat .ssh/id_rsa_2.pub >> .ssh/authorized_keys2
[martin@sequoia:~]? fold -76 .ssh/authorized_keys2
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA4scI/a9W2J8QhR2s1ySMoPuQHw266r1mRpKPQ5vM
qK4OrZjmPDi73yvy5jsjKoO5U9sYUOpjmGbJfAlYOmU2T7sNbHocPbLtuSsxhyuzQS5SPY+oyE7k
09H/ZdX5rKj/jqmKg+lVKCeY64tBXNHjXjEhCf1AKosCmAdRdjXr38fQ1OwpxkhGKL8EOqNEGtxG
0y8LUuz5XzZdaoiW2uk3UY9NzOWiEqyPO5YwvcJ7WRrD4pNxVC0Ar+NpbBZpDT0RcnIF4XE3qEh/
57dj3VfLODi4y1/ErwpLPRtpnbvyrR9N9b2y7IGf8IMO/CjCSzosibtNgsztC/U2HGRIUBXAEQ==
 Rastis key for private use
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5Y/LD6qQaCsKX6zcy/fN6Ndk/0x/o3lFq9oF4Gfq
V+r/Ny3NBJGoprI3MnlmhrWvyijHOOa8yF/83q+CGP9p/5JfRU08hB5ncCvbNRfkxxDpioRMz9Xu
NZ4TSoTu1duuTROIwQfZ6IZCbQwNWRgNLiOsGXeEcbpUDLWVSF/UfItBdM7a/hoJp/JKB9RYSxav
iGQMQqkyajfPPr9RM15kWJQy//enQE+cXo2NaXQ1GWmAs5mdOYgSioztvBZBXOluMd35DQ6jX8XV
4TVRFIa9z8J2jQVZsuLzl/CnmPY/hBPbu6QIMqrReICQJ0K/Mo8j+tz0YwCZgl8w5LnPpx47hw==
 martin@sequoia.local
Also make sure that an ssh daemon process (sshd) is running. You must be root to start this process.
# /etc/init.d/sshd start
Or, to start the ssh daemon on Mac OS X, open the sharing preferences and activate remote login. You need administrative rights to do this.
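
The write-access restriction asked for above can be checked mechanically. The following script is an added example and not part of the original article; audit_ssh_dir is a hypothetical helper name, and the demo directory and its file contents are constructed. Its file pattern also covers authorized_keys, the name sshd reads besides authorized_keys2.

```shell
#!/bin/sh
# Added example, not from the article. Checks a .ssh directory for the
# permission problems that matter for key logins and prints one finding
# per line. Returns 1 if anything was found, 0 otherwise.

audit_ssh_dir() {    # hypothetical helper name; $1 = directory to check
    dir=${1:-$HOME/.ssh}
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 1; }
    bad=0
    for f in "$dir" "$dir"/*; do
        [ -e "$f" ] || continue
        mode=$(ls -ld "$f" | cut -c1-10)    # e.g. -rw-------
        # Whoever can write the directory or an authorized_keys file can
        # add a key of their own, so group/other write bits are findings.
        case $f in
            "$dir" | */authorized_keys*)
                case $mode in
                    ?????w* | ????????w*)
                        echo "writable by group/others: $f ($mode)"; bad=1 ;;
                esac ;;
        esac
        # Private keys (OpenSSH or PuTTY .ppk, recognised by their first
        # line) must carry no group/other permission bits at all.
        if [ -f "$f" ] && head -n 1 "$f" 2>/dev/null |
                grep -Eq 'PRIVATE KEY-----|^PuTTY-User-Key-File'; then
            case $mode in
                ????------) ;;
                *) echo "private key open to group/others: $f ($mode)"; bad=1 ;;
            esac
        fi
    done
    return "$bad"
}

# Demo on a constructed directory that mimics the listing in the article,
# with authorized_keys2 deliberately left group-writable.
demo=$(mktemp -d)
printf '%s\n' 'ssh-rsa AAAA-constructed-sample demo' > "$demo/authorized_keys2"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----'      > "$demo/id_rsa"
chmod 664 "$demo/authorized_keys2"; chmod 600 "$demo/id_rsa"
audit_ssh_dir "$demo" || echo "fix with: chmod go-w (directory, authorized_keys*), chmod 600 (private keys)"
rm -rf "$demo"
```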

Windows
The public key generated by putty looks similar but not exactly identical.
C:\Dokumente und Einstellungen\rasti\Eigene Dateien\ssh-keys>dir
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 1805-C667
Verzeichnis von C:\Dokumente und Einstellungen\rasti\Eigene Dateien\ssh-keys
09.04.2010 10:40 .
09.04.2010 10:40 ..
09.04.2010 10:40 869 ssh-private.ppk
09.04.2010 10:39 294 ssh-public.asc
2 Datei(en) 1.163 Bytes
2 Verzeichnis(se), 145.506.770.944 Bytes frei
C:\Dokumente und Einstellungen\rasti\Eigene Dateien\ssh-keys>type ssh-public.asc
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20100409"
AAAAB3NzaC1yc2EAAAABJQAAAIBpktt0TYXr5jiQu4B/6tHUvoYkeirjq/zGpwUm
B/lPKBE+qZJd1McCXyoOqQxa37LdkTVujxAMj7OQ0VhdGQw2sU0G5oJLzxGwOIUA
3oljIgq1FamB7usFBSjKkKpsfCmz/v9ydVT9xB32ToRYO6e6ywjUlTrmjF5nMvrA
j9o+HQ==
---- END SSH2 PUBLIC KEY ----
Thus one has to put the key type (ssh-rsa) in front of the key and join the key data into a single line when adding it to authorized_keys2 …
rasti@otherhost:/home/rasti> fold -76 .ssh/authorized_keys2
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBpktt0TYXr5jiQu4B/6tHUvoYkeirjq/zGpwUmB/lP
KBE+qZJd1McCXyoOqQxa37LdkTVujxAMj7OQ0VhdGQw2sU0G5oJLzxGwOIUA3oljIgq1FamB7usF
BSjKkKpsfCmz/v9ydVT9xB32ToRYO6e6ywjUlTrmjF5nMvrAj9o+HQ==
That’s all.
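
The manual edit described above (put the key type in front, join the lines) can be scripted. The following is an added example and not part of the original article; rfc4716_to_openssh is a hypothetical helper name, and the script assumes awk, sed, od and base64 -d are available. It goes beyond the ssh-rsa case shown here by reading the key type from the key data itself.

```shell
#!/bin/sh
# Added example, not from the article. Converts the RFC 4716 "SSH2 PUBLIC KEY"
# file saved by puttygen into the one-line "<type> <base64> [comment]" form
# that sshd reads from authorized_keys2. Needs awk, sed, od and base64 -d.

rfc4716_to_openssh() {    # hypothetical helper name; $1 = RFC 4716 file
    [ -r "$1" ] || return 1
    # Join the base64 body. Skip the BEGIN/END markers and the header lines
    # (a header contains ':' and continues on the next line after a '\').
    blob=$(tr -d '\r' < "$1" | awk '
        /^---- BEGIN SSH2 PUBLIC KEY ----$/ { inkey = 1; next }
        /^---- END SSH2 PUBLIC KEY ----$/   { inkey = 0; next }
        !inkey                              { next }
        cont || index($0, ":")              { cont = ($0 ~ /\\$/); next }
        { gsub(/[ \t]/, ""); printf "%s", $0 }')
    [ -n "$blob" ] || return 1

    # The decoded key starts with a 4-byte big-endian length and the key type,
    # so take the type from the key itself instead of assuming ssh-rsa.
    len=$(printf '%s' "$blob" | base64 -d 2>/dev/null | od -An -tu1 -N4 |
          awk '{ printf "%d", (($1 * 256 + $2) * 256 + $3) * 256 + $4 }')
    [ -n "$len" ] && [ "$len" -gt 0 ] && [ "$len" -le 64 ] || return 1
    ktype=$(printf '%s' "$blob" | base64 -d 2>/dev/null | tail -c +5 | head -c "$len")
    case $ktype in
        '' | *[!a-z0-9@.-]*) return 1 ;;    # not a plausible key type name
    esac

    comment=$(tr -d '\r' < "$1" | sed -n 's/^Comment: *//p' | head -n 1 | tr -d '"')
    printf '%s %s%s\n' "$ktype" "$blob" "${comment:+ $comment}"
}

# Demo: the PuTTY public key shown in the article, written to a temp file.
demo_key=$(mktemp)
cat > "$demo_key" <<'EOF'
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20100409"
AAAAB3NzaC1yc2EAAAABJQAAAIBpktt0TYXr5jiQu4B/6tHUvoYkeirjq/zGpwUm
B/lPKBE+qZJd1McCXyoOqQxa37LdkTVujxAMj7OQ0VhdGQw2sU0G5oJLzxGwOIUA
3oljIgq1FamB7usFBSjKkKpsfCmz/v9ydVT9xB32ToRYO6e6ywjUlTrmjF5nMvrA
j9o+HQ==
---- END SSH2 PUBLIC KEY ----
EOF
rfc4716_to_openssh "$demo_key"    # prints the line to append to authorized_keys2
rm -f "$demo_key"
```

Where OpenSSH is installed, ssh-keygen -i -f ssh-public.asc performs the same conversion.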
Let the agent do the authentication
All kinds of Unix
Start the agent and source its variables into the local environment
[martin@sequoia:~]? ssh-agent >ssh-agent-env
[martin@sequoia:~]? . ssh-agent-env
Agent pid 3780
Add your identity (multiple are possible) to the agent.
Of course you need to add the secret keys and provide their passphrases!
[martin@sequoia:~]? ssh-add
Enter passphrase for /Users/martin/.ssh/id_rsa:
Identity added: /Users/martin/.ssh/id_rsa (/Users/martin/.ssh/id_rsa)
[martin@sequoia:~]? ssh-add .ssh/id_rsa_2
Enter passphrase for .ssh/id_rsa_2:
Identity added: .ssh/id_rsa_2 (.ssh/id_rsa_2)
Windows
Load the agent by running pageant.exe, either from the command line or by double-clicking its icon. A small icon showing a hat on a computer will then appear in the toolbar.
Right-click this small icon, select add key, and navigate to the private key you want to add.

And unlock your private key with your passphrase …

Now we can start to enjoy the benefits of this admittedly quite painful preparation
None of the prepared systems will require any further password authentication!
This includes login, file copy, command execution etc.
[martin@sequoia:~]? sftp rasti@testhost.local
Connecting to testhost.local...
sftp> ls Documents
Documents/dump_db.zip Documents/existingfiles.lst Documents/newerfiles.lst Documents/missingfiles.lst
sftp> quit
[martin@sequoia:~]? scp rasti@testhost.local:~/Documents/modfiles.zip ./Documents/
modfiles.zip 100% 6462 6.3KB/s 00:00
[martin@sequoia:Documents]? cat commands.txt
uname
hostname
[martin@sequoia:Documents]? cat commands.txt | ssh -T rasti@testhost.local
Linux
testhost.local
The ssh tool offers plenty of other options, which leaves room for many more articles.
One is to use the ssh-agent for more than one host with the agent-forwarding option …
[martin@sequoia:Documents]? ssh -A rasti@testhost.local
Linux testhost.local 2.6.26-2-xen-amd64 #1 SMP Wed May 13 18:43:45 UTC 2009 x86_64
Last login: Fri May 14 14:40:47 2010 from 1.2.3.4
rasti@test:~$ ssh -A rasti@demohost.local
Linux demohost.local 2.6.26-2-xen-amd64 #1 SMP Wed May 13 18:43:45 UTC 2009 x86_64
Last login: Mon May 3 13:38:58 2010 from 1.2.3.4
rasti@demo:~$ hostname
demohost.local
Another helpful option is X11 forwarding …
[martin@sequoia:Documents]? ssh -X rasti@testhost.local
Linux testhost.local 2.6.26-2-xen-amd64 #1 SMP Wed May 13 18:43:45 UTC 2009 x86_64
Last login: Fri May 14 14:57:33 2010 from 1.2.3.4
/usr/bin/X11/xauth: creating new authority file /home/rasti/.Xauthority
rasti@test:~$ echo $DISPLAY
localhost:10.0
rasti@test:~$ xpdf Documents/Firebird-gfix.pdf &
[1] 5467
rasti@test:~$
For this example we used X11, which is shipped with Mac OS X. One does not even need to maintain any xhost display access permissions.

It works the same way with the command line tools on Windows.
The major difference is that X11 is not part of Windows and must be installed separately.
