
Using the ssh-agent.

ssh-agent is a very useful part of the ssh software suite. It is a small daemon which remembers your private key on your behalf. The net effect of using it is that you only have to type in a password for ssh once, when you log in. After that, all ssh connections are made seamlessly without asking you for a password. This makes using ssh far easier and more enjoyable.

Sounds good, how do I set it up?

There are two parts to getting ssh-agent set up. First, you have to arrange for it to be run when you login. Then, you have to load your key into it with ssh-add. If you've only ever used your password to connect with ssh, see the section below, Creating a Key Pair.

  1. Getting ssh-agent run at login.

    You need to arrange for the script that starts your session to call ssh-agent. If you log in at a text console and run "startx", then this script is ~/.xinitrc. Most people these days tend to use a graphical login manager such as gdm or kdm, though. In that case the script is called ~/.xsession. It's quite likely that you won't already have one of these set up. If that's the case, this is a suitable example of what it needs to look like:

    #!/bin/bash

    # Start the agent. It prints shell commands on stdout; eval runs them here
    # so SSH_AUTH_SOCK and SSH_AGENT_PID end up in this session's environment.
    eval `ssh-agent`
    # Run the desktop session; everything started from it inherits those variables.
    startkde
    # When the session ends, ask the agent to exit so stale agents don't pile up.
    eval `ssh-agent -k`
    

    If you are running gnome instead of kde, change the "startkde" line to read "gnome-session" instead.

    The first line starts the ssh-agent running and uses backquotes to pass information about the agent back into the shell. The last line asks the ssh-agent to shut down cleanly when you log out. Otherwise, you'll end up with lots of ssh-agent processes running, when you only need one.

    When you create this file, you must make sure that it is executable, otherwise you will not be able to log in. So, run chmod +x ~/.xsession as soon as the file is created.

    Once you've made these changes, you'll have to log out and log in again to get the agent running. When you're logged back in, type in echo $SSH_AGENT_PID to check that it's running properly.

  2. Priming the agent

    Now, just run ssh-add to get going. It will ask you for the passphrase for your private key.

    % ssh-add
    Need passphrase for /home/dom/.ssh/identity
    Enter passphrase for dom@cathbad.happygiraffe.net:
    Identity added: /home/dom/.ssh/identity (dom@cathbad.happygiraffe.net)
    

    Now, test that it is working by trying to connect to another machine. You should be connected directly, without being prompted for a passphrase. If you use ssh -v host, you will see a line "Trying RSA authentication via agent" followed by "Remote: RSA authentication accepted.". This means that the agent is working correctly.

    NB: You will have to run the ssh-add command at the beginning of each login session. You may wish to place a command like xterm -e ssh-add directly after the first ssh-agent in your startup script.
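As an added example that is not part of the original page, here is a sh fragment for ~/.xsession that reuses an agent left over from an earlier session instead of always starting a fresh one (the "lots of ssh-agent processes" problem described above). The saved-environment file name ~/.ssh/agent.env is my own choice, not something ssh-agent defines.

```shell
#!/bin/sh
# Added example (not from the original page): reuse one ssh-agent across
# logins instead of launching a new one every time.
#
# ssh-agent prints shell assignments on stdout; that text is what the
# backquotes/eval trick in ~/.xsession executes. It looks like:
#   SSH_AUTH_SOCK=/tmp/ssh-XXXX/agent.1234; export SSH_AUTH_SOCK;
#   SSH_AGENT_PID=1235; export SSH_AGENT_PID;
#   echo Agent pid 1235;
# Saving that text to a file lets a later login source it instead.

AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"   # file name is an assumption

# Succeed only if both variables are set and the agent process still exists.
# (kill -0 sends no signal; it just checks that we may signal that pid.)
agent_alive() {
    [ -n "${SSH_AGENT_PID:-}" ] && [ -n "${SSH_AUTH_SOCK:-}" ] || return 1
    kill -0 "$SSH_AGENT_PID" 2>/dev/null
}

# Source a saved environment file and report whether it names a live agent.
load_agent_env() {
    [ -r "$1" ] || return 1
    . "$1" >/dev/null            # swallow the "Agent pid" echo
    agent_alive
}

# Start a fresh agent and save its environment for later sessions. The file
# reveals the agent socket path, so it is created readable by the owner only.
start_agent() {
    ( umask 077; ssh-agent > "$1" ) || return 1
    . "$1" >/dev/null
    agent_alive
}

# Reuse the saved agent if it is still running, otherwise start one.
# In ~/.xsession: ensure_agent, then "ssh-add" or "xterm -e ssh-add".
ensure_agent() {
    load_agent_env "$AGENT_ENV" || start_agent "$AGENT_ENV"
}
```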

As a side benefit of having the agent set up, it now becomes much easier to use tools like cvs and rsync with ssh, because they will no longer ask you for a passphrase. It also becomes much easier to use ssh for all communications, instead of having to use telnet some of the time and ssh some of the time.

If you are running Windows, a similar program to the ssh-agent is part of the PuTTY suite, called Pageant. I haven't used it and don't know how to set it up though.

WARNING! It is not secure to type in your passphrase unless you are directly connected to the box containing your private key, or you are connected via a secure mechanism (such as ssh). If you are connected via telnet or vnc, your passphrase could be sniffed from the network!

If you have any problems getting this set up, please tell me so that I can improve this document. You may also want to look at the ssh-agent and ssh-add man pages.


Creating a Key Pair

Normally, when you connect to another machine using ssh, you use a password. However, there is an alternative. You can create a "key pair", which consists of two parts: the public key and the private key. This is more secure than using plain password authentication.

To create a key pair, use the ssh-keygen program. You'll be asked for a file to save it in (accepting the default is usually the best idea) and a passphrase. It's a good idea to use a long passphrase, because there are no limits on it and hopefully you won't be typing it very often.

% ssh-keygen
Generating RSA keys:  Key generation complete.
Enter file in which to save the key (/home/dom/.ssh/identity):
Created directory '/home/dom/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/dom/.ssh/identity.
Your public key has been saved in /home/dom/.ssh/identity.pub.
The key fingerprint is:
5d:05:18:6c:ec:3c:8f:bf:62:05:e1:2b:04:52:cf:06 dom@cathbad.happygiraffe.net

As you can see in the output above, there are now two files created for you: the private key in ~/.ssh/identity and the public key in ~/.ssh/identity.pub.

Now that you have these two files, you need to set them up so that you can log in to another machine. This is pretty simple. You just have to copy the ~/.ssh/identity.pub file to ~/.ssh/authorized_keys (nb: spell it with a "z"!) on each machine that you wish to connect to.
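Copying identity.pub over authorized_keys works the first time, but it silently replaces any keys already listed there, and sshd ignores the file if it or ~/.ssh is group or world writable. The following is an added example, not from the original page: a small sh function that appends the public key only if it is not already present and sets the permissions sshd expects (0700 on ~/.ssh, 0600 on authorized_keys). The key text used in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): install a public key file into
# an authorized_keys file idempotently, with safe permissions.
# Usage: install_pubkey ~/.ssh/identity.pub ~/.ssh/authorized_keys
# Prints the number of key lines that were added.

install_pubkey() {
    pub="$1"
    auth="$2"
    dir=$(dirname "$auth")

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # sshd refuses keys from a directory or file that others can write to.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    [ -e "$auth" ] || : > "$auth"
    chmod 600 "$auth" || return 1

    # Append only key lines we do not already have (exact whole-line match),
    # so running this twice does not duplicate the entry.
    added=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if ! grep -qxF -- "$line" "$auth"; then
            printf '%s\n' "$line" >> "$auth"
            added=$((added + 1))
        fi
    done < "$pub"
    echo "$added"
}
```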

To get a public key on a mac using MacSSH, do:

  1. edit favourites
  2. choose connection
  3. edit
  4. tab 'SSH2'
  5. there's a tiny 'export public key' button; press it
  6. save

Instructions courtesy of Paul Mison. Many thanks, Paul.

Now, when you connect to a remote machine, you no longer have to type in your password, but instead, you will be asked to type in your passphrase, which is the same one that you used when you created the key pair. ssh will use this to unlock your private key, perform some cryptographic wizardry (I don't know precisely what it does) and prove that you are the person listed in the ~/.ssh/authorized_keys file on the machine you are connecting to.

WARNING! You should only type in your passphrase when you are directly connected to the machine which holds your private key, or are already using ssh to connect to that machine. If you have to telnet or use vnc to connect to a machine and then type in your passphrase, what you type could be sniffed on the network and your whole setup would be broken.

Typing in that passphrase each time you connect can get to be tedious, so see above for details on how to use the ssh-agent, which avoids this.

If you have any problems getting this set up, please tell me so that I can improve this document. You may also want to look at the ssh-keygen and ssh man pages.