SSH with Certificates
From Zanecorpwiki
Basics
The Secure SHell (SSH) is one of the handiest and most under-appreciated programs in the *nix world. Why that's so is outside the scope of this article, which is about an underutilized trick to make SSH and its adjunct commands (like scp) even more useful: certificate-based authentication.
In most cases, when one uses SSH or an SSH-based program/protocol, the user gets presented with a username/password prompt. Straightforward and easy. But when you're doing a lot of work with a remote machine, or trying to use automated scripts, this form of authentication can become wearisome and problematic.
The solution: use certificate-based authentication. The process is simple enough: create a public/private key pair on the client machine and register the public key with the server you want to authenticate to. Now, when you start a session, start the ssh-agent and add your private key to the agent; from then on the agent uses the key to authenticate to the server and you won't have to constantly enter your password.
I've gone ahead and encapsulated this in a script: ssh-setup-keys. Copy it to ~/bin (or elsewhere) and make it executable:
chmod a+x ~/bin/ssh-setup-keys
ssh-setup-keys is a handy wizard that walks you through the steps and configures your bash shell to automatically start the SSH agent if it isn't already running. The first time you run the script, be sure to call it like:
ssh-setup-keys -a
The '-a' is what automates starting the agent from that point on. (See the discussion below if you don't want to do this.) You'll have to log into a new shell for these changes to take effect.
Now, after you login with your bash properly configured, you'll see a message about the 'Agent pid...' and you can now simply type:
ssh-add
whenever you're ready to start an SSH session and you're good to go.
Discussion and Credits
The script encrypts your private key with a password. This protects the key should it ever get out. If you are the sole user and root on your machine, and the machine is reasonably secure, you could drop the password and be okay. However, since you only have to enter the password once per session, it's highly recommended you keep the password protection in place and use a fairly decent password.
Because the private key used by ssh-agent is password protected, we don't automatically add it, as that would force the user to enter the password every time they logged in or started a new shell. Many shells will never be used for SSH access, so it would be a waste of time. Furthermore, having the agent sitting there with keys loaded is a security risk, since anyone who wanders up to your console could SSH to anything you've set up to use key-based authentication.
On that point, it's also a good idea to kill the agent when not in use. This can be accomplished with:
ssh-agent -k
You can then restart the agent with:
ssh-start-agent
If you don't want to start the agent, don't. Unless you change the configuration on the remote server, you can still use good old passwords as well. This lets you forgo starting the agent (with its attendant security risks) when it's not necessary.
To start the agent manually, run the code found in the ssh-setup-keys script by copying and pasting it into your shell. It's not possible to run this code as a function because the variables it creates cannot be pushed to the parent process.
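The setup steps above (key pair, public key on the server, agent, ssh-add) and the "variables can't reach the parent" problem, as an added example that is not the wiki's ssh-setup-keys script: a file to source from ~/.bashrc that starts one agent per login, saves the environment ssh-agent prints to a file, and lets later shells reuse it. The file name, the function names and the SSH_AGENT_AUTOSTART switch are this example's own assumptions.

```shell
# Added example, not the wiki's script. Source this from ~/.bashrc:
#   . ~/bin/ssh-agent-env && ensure_agent
# Assumed location of the saved agent environment:
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# One-time key setup: passphrase-protected key pair, public key copied to the
# server. Hypothetical helper; never run automatically.
setup_keys() {
    server="$1"
    [ -f "$HOME/.ssh/id_ed25519" ] || ssh-keygen -t ed25519 -f "$HOME/.ssh/id_ed25519"
    ssh-copy-id -i "$HOME/.ssh/id_ed25519.pub" "$server"
}

# 0 if the agent named by SSH_AGENT_PID is still a live process, else 1.
agent_alive() {
    [ -n "$SSH_AGENT_PID" ] && kill -0 "$SSH_AGENT_PID" 2>/dev/null
}

# Reuse an agent started by an earlier shell: the saved file contains the
# variable assignments ssh-agent printed, so sourcing it in THIS shell sets
# SSH_AUTH_SOCK and SSH_AGENT_PID here (a child script could not do that).
load_agent_env() {
    [ -r "$AGENT_ENV" ] && . "$AGENT_ENV" >/dev/null
}

# Start a fresh agent and save its environment (file readable only by us,
# since the socket path is all another local user needs to try to use it).
start_agent() {
    umask 077
    mkdir -p "$(dirname "$AGENT_ENV")"
    ssh-agent -s > "$AGENT_ENV" && . "$AGENT_ENV" >/dev/null
}

# Agent already in this shell? Saved one still alive? Otherwise start one.
# Keys are NOT added here: run ssh-add yourself when you need a session.
ensure_agent() {
    agent_alive && return 0
    load_agent_env && agent_alive && return 0
    start_agent
}

# Only start automatically when explicitly asked for (the wiki's '-a' idea).
if [ -n "$SSH_AGENT_AUTOSTART" ]; then
    ensure_agent
fi
```

Stop the shared agent with `ssh-agent -k` as described above; the next shell that calls ensure_agent will notice the dead PID and start a new one.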
Thanks to Mark A. Hershberger's wonderfully clear tutorial on how to accomplish all this in (more or less) the best way.