SSH key generation and keychain

William Stearns wstearns at pobox.com
Fri Jun 4 17:20:01 EDT 2004


Good afternoon, Eric,
	/me thwaps /me  *smile*

On Fri, 4 Jun 2004, William Stearns wrote:

> On Fri, 4 Jun 2004, Eric Pfeifer wrote:
> 
> > I am in the process of trying to automate some of my accounts using ssh and rsa
> > keys. I pulled down keychain and have been reading some net references on how
> > to configure ssh to allow a passwordless login.
> > 
> > I've established my keypair and copied the public key (id_rsa.pub) to the .ssh
> > home directory on the remote machine and merged it into authorized_keys. I've
> > run ssh-agent and done an ssh-add, but I still get prompted for my key
> > passphrase. How can I set it up so I don't get prompted?

	Darn it, I didn't read carefully enough.  Sorry about that.

> 	The process is annoying and non-standard enough that I wrote a 
> script to automate the process.  Please grab ssh-keyinstall from 
> http://www.stearns.org/ssh-keyinstall/ and run it as:
> 
> ssh-keyinstall -s the_server_to_which_you_want_to_connect
> 
> 	If your user account is different from the one on the local 
> machine, run it as:
> 
> ssh-keyinstall -s the_server_to_which_you_want_to_connect -u username_on_remote_machine
> 
> 	It'll handle the entire process: key generation, copying the 
> public key over, putting it in the right file, converting the format if 
> needed, and setting permissions on your home and .ssh directories.
> 	It'll ask you to type in your remote password between 3 and 5
> times to make the needed connections to the remote system, each time
> showing you exactly what command is about to be run for the paranoid like
> myself.  Once it's done, you should be able to make remote connections
> using just your key (and the passphrase if you're not using ssh-agent).
> 	I have some more articles on using ssh at 
> http://www.stearns.org/doc/ .  Please let us know if you run into 
> problems.

	The answer you needed was "use the ssh-agent that's already in
memory, and don't start a new one".  The articles I just mentioned
describe what it is.  To use it, go into X windows, run "ssh-add", enter
your passphrase, and then try to ssh to some machine where your key has
already been installed (and to which previous attempts required a
passphrase).  If all is working correctly, ssh-agent will handle the key
decryption process so that you don't have to enter your passphrase.
	The ssh-agent started when X windows starts up will handle key 
requests from _any_ window in that X display; if you start up one of your 
own, it will only answer requests from that specific terminal.
	Once again, my apologies for answering too quickly - I answered
the question I expected to hear.  50 lashes with a wet noodle coming up.  
:-)
	Cheers,
	- Bill

---------------------------------------------------------------------------
        "If you think technology can solve your security problems, then
you don't understand the problems and you don't understand the
technology."
        -- Bruce Schneier, Secrets and Lies
--------------------------------------------------------------------------
William Stearns (wstearns at pobox.com).  Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at:   http://www.stearns.org
--------------------------------------------------------------------------
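The check Bill describes (reuse the ssh-agent that is already in memory rather than starting another one) written out as a small POSIX shell script. This is an added example for the archive reader; it is not part of the original thread and not code from ssh-keyinstall or keychain. It assumes OpenSSH's ssh-add, whose `-l` exits 0 when the agent holds identities, 1 when the agent is reachable but empty, and 2 when no agent can be contacted through SSH_AUTH_SOCK; the `8h` key lifetime is simply a chosen value.

```shell
#!/bin/sh
# Added example (not from the original thread): reuse the session's existing
# ssh-agent instead of starting a second one that only this terminal can see.
# Assumes OpenSSH's ssh-add exit codes: 0 = identities loaded, 1 = agent
# reachable but empty, 2 = no agent reachable via SSH_AUTH_SOCK.

# Map the exit status of "ssh-add -l" to a readable state.
classify_ssh_add_status() {
    case "$1" in
        0) echo "keys-loaded" ;;
        1) echo "agent-empty" ;;
        2) echo "agent-unreachable" ;;
        *) echo "unknown" ;;
    esac
}

# Report the state of the agent named by SSH_AUTH_SOCK, if any.
# Prints one of: no-agent-env, keys-loaded, agent-empty, agent-unreachable, unknown.
check_agent() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        # No agent advertised in this shell's environment (the usual symptom
        # when an agent was started without exporting its variables).
        echo "no-agent-env"
        return 0
    fi
    # Run inside "if" so a non-zero exit does not trip "set -e".
    if ssh-add -l >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    classify_ssh_add_status "$rc"
}

# Start a fresh agent only when none is reachable. Otherwise the existing one
# (for example the agent the X session started) keeps serving every window.
ensure_agent() {
    state="$(check_agent)"
    case "$state" in
        keys-loaded|agent-empty)
            echo "reusing existing agent at $SSH_AUTH_SOCK" ;;
        *)
            # "eval" is what exports SSH_AUTH_SOCK/SSH_AGENT_PID into this
            # shell; running ssh-agent bare leaves them unset.
            eval "$(ssh-agent -s)" >/dev/null
            echo "started new agent at $SSH_AUTH_SOCK" ;;
    esac
}

# Load the key with a lifetime (8h is an arbitrary choice here) so the
# decrypted key does not sit in the agent indefinitely.
load_key() {
    key="${1:-$HOME/.ssh/id_rsa}"
    ssh-add -t 8h "$key"
}

# Typical use from a login shell:
#   ensure_agent && load_key
```

Running `check_agent` in a terminal that still prompts for the passphrase is the quickest diagnosis: `no-agent-env` means the shell never received the agent's variables (which is why a hand-started agent answers only the terminal it was started in), while `agent-empty` means the agent is there and a single `ssh-add` is all that is missing.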



More information about the gnhlug-discuss mailing list