Setting Up ssh-agent to Ask Passphrase Only Once

Short Version

ssh-agent bash

then

ssh-add

or, to add one specific key instead of the default identities (note that OpenSSH has refused DSA keys by default since release 7.0, so today this file is more likely id_rsa or id_ed25519):

ssh-add /home/user/.ssh/id_dsa

Long Version

Before trying anything, make sure authentication between the two hosts already uses keys rather than passwords. Type this:

ssh target

you should see this:

Enter passphrase for key '/home/user/.ssh/id_rsa':

not

user@target's password:

If you are prompted for a password instead of a passphrase, set up public-key authentication first, and be sure to give the key a passphrase. Using a private key without a passphrase is extremely dangerous: the key sits on disk in the clear, so anyone who can read the file (from a backup, a stolen laptop, or root on a shared machine) can log in as you with no further effort. A passphrase, however, brings you straight back to the original problem of being asked for it on every connection. ssh-agent solves this by decrypting the key once and holding it in memory for the rest of the session. To get started, simply type:

ssh-agent bash

This starts an agent and runs a new bash as its child with SSH_AUTH_SOCK and SSH_AGENT_PID set in the environment, so ssh and ssh-add in that shell can find the agent. When adding a private key you will be prompted for its passphrase once and only once. Do that by typing:

ssh-add

ssh-add with no arguments loads the default identity files in ~/.ssh (id_rsa, id_dsa and, in newer releases, id_ecdsa and id_ed25519); after that, ssh to the target should no longer prompt. The agent keeps the decrypted private key in memory, not your passphrase, and never writes it to disk. When you are done, type exit: the bash child ends, the agent that was started with it terminates, and the key is forgotten.

To verify that your key has been added, type:

ssh-add -l

It lists the key size, fingerprint and comment (for keys loaded from files, the filename) of every key the agent currently holds.

Using an ssh-agent in a script

Use the following bash code to reuse an ssh-agent across runs of a script:

#!/bin/bash

# Per-user file, not a fixed name in /tmp: anyone able to write to /tmp
# could otherwise plant a file that gets sourced (executed) below.
envfile="$HOME/.ssh/agent.env"
umask 077

# Check for an existing ssh-agent, but only trust a file we own
if [ -f "$envfile" ] && [ -O "$envfile" ]
then
    echo "Examining old ssh-agent"
    . "$envfile"
fi

# See if the agent is still working. ssh-add -l exits 0 when it lists
# keys, 1 when the agent is reachable but empty, 2 when no agent answers.
ssh-add -l > /dev/null 2>&1
status=$?

# If no agent answers, just start a new one.
if [ $status -eq 2 ]
then
    echo "Old ssh-agent is dead..creating new agent."

    # Create a new ssh-agent and record its socket and pid for next time
    ssh-agent -s > "$envfile"
    . "$envfile"
fi

# Add the key if the agent (old or new) holds none yet
if [ $status -ne 0 ]
then
    ssh-add
fi

# Show the user which keys are being used.
ssh-add -l

ssh-agent -s creates an ssh-agent and prints three lines of Bourne-shell syntax: one setting and exporting SSH_AUTH_SOCK (the path of the agent's Unix socket), one setting and exporting SSH_AGENT_PID, and an echo of the pid. This script saves that output to a file that is reused each time the script runs, and uses the exit status of ssh-add -l to tell whether the recorded agent is still answering. If it is not, the script simply launches a new agent and adds the key.

Keep in mind how the file interacts with sudo. Because the file lives under $HOME, what happens depends on whether sudo resets $HOME (the default on most distributions): if it does, root and the normal user use separate files and end up with separate agents; if it does not, the first run under sudo creates a root-owned file that a later run without sudo cannot overwrite, and you get a permission error. A single fixed path such as /tmp/ssh-agent.test gives that permission error in every configuration, and is a trap in its own right: whatever is in that file gets sourced, that is, executed, by the script, and any local user can create a file in /tmp.
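As an added example (not code from the original post), here is a stricter way to bring the saved ssh-agent -s output back into a script: instead of sourcing the file, which executes whatever it contains, parse the two variables out of it and accept only values of the expected shape, then check the agent directly by pid and socket. The file name, the sample contents and the function names are this example's own assumptions.

```bash
#!/bin/bash
# Added example: read a saved `ssh-agent -s` file without sourcing it.
# Assumes the three-line format that ssh-agent -s prints, e.g.
#   SSH_AUTH_SOCK=/tmp/ssh-abc123/agent.4242; export SSH_AUTH_SOCK;
#   SSH_AGENT_PID=4243; export SSH_AGENT_PID;
#   echo Agent pid 4243;
# Function and file names here are this example's own, not the post's.

# Print the value of "$2=value; export $2;" from file $1, accepting only
# characters that can appear in an agent socket path or a pid. A line
# with anything else in it (e.g. an injected command) produces no output.
agent_env_value() {
    sed -n "s|^$2=\([A-Za-z0-9_./-]*\); export $2;\$|\1|p" "$1" | head -n 1
}

# Load SSH_AUTH_SOCK and SSH_AGENT_PID from a saved file. Fails (exit 1)
# if the file is missing, owned by someone else, or malformed, and in
# that case leaves the environment untouched.
load_agent_env() {
    local file="$1" sock pid
    [ -f "$file" ] && [ -O "$file" ] || return 1
    sock=$(agent_env_value "$file" SSH_AUTH_SOCK)
    pid=$(agent_env_value "$file" SSH_AGENT_PID)
    [ -n "$sock" ] && [ -n "$pid" ] || return 1
    # the pid must be digits only and the socket an absolute path
    case $pid in *[!0-9]*) return 1 ;; esac
    case $sock in /*) ;; *) return 1 ;; esac
    SSH_AUTH_SOCK=$sock
    SSH_AGENT_PID=$pid
    export SSH_AUTH_SOCK SSH_AGENT_PID
}

# True if the recorded agent process exists and its socket is present;
# cheaper than ssh-add -l and usable before any key handling.
agent_alive() {
    [ -n "$SSH_AGENT_PID" ] && kill -0 "$SSH_AGENT_PID" 2>/dev/null \
        && [ -S "$SSH_AUTH_SOCK" ]
}

# Usage in a script: try the saved file first, and start a new agent
# only if nothing usable is there.
#   if ! load_agent_env "$HOME/.ssh/agent.env" || ! agent_alive; then
#       umask 077
#       ssh-agent -s > "$HOME/.ssh/agent.env"
#       load_agent_env "$HOME/.ssh/agent.env"
#   fi
```

The ownership check and the whitelist of characters are what make this safe to use with a file another process could have touched: a line such as `SSH_AUTH_SOCK=/tmp/x/agent.1; touch /tmp/pwned; export SSH_AUTH_SOCK;` would run the injected command if sourced, but here it simply fails to match and the load is rejected.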



2010-07-26 15:10 +0000