IBM Support

AIX: OpenSSH Public Key Authentication with Passphrase

How To


Summary

This technote describes protecting an OpenSSH private key file with a passphrase, and how to use ssh-agent so that the passphrase has to be entered only once per session instead of on every connection.

Steps

OpenSSH public key authentication is a common way to allow a trusted user to log in to an account on a remote system without needing to enter a password.
This is typically achieved by:

1) Create a key pair (the private key id_ed25519 and the public key id_ed25519.pub):
# ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519

2) Leave the passphrase empty when prompted:
Generating public/private ed25519 key pair.
Created directory '/home/user123/.ssh'.
Enter passphrase (empty for no passphrase):

3) Append the contents of the resulting 'id_ed25519.pub' file to the ~/.ssh/authorized_keys file of the account on the remote system. The private key stays on the originating system and is never copied.

Now, when 'user123' runs ssh to the account on the remote system, they are let in without being prompted for a password, assuming there are no other problems such as incorrect permissions on the ~/.ssh directory or the authorized_keys file (with StrictModes, the default, sshd ignores an authorized_keys file or ~/.ssh directory that is group- or world-writable).
What changes when a passphrase is added to the key pair? The passphrase encrypts the private key file on disk, so a copy of the file alone is not enough to authenticate as the user. To set one, enter it when ssh-keygen prompts and confirm it when asked again:
 
# ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
Generating public/private ed25519 key pair.
Created directory '/home/user123/.ssh'.
Enter passphrase (empty for no passphrase): <enter passphrase this time>
Enter same passphrase again:
...etc...

After adding the public key to the authorized_keys file on the destination account, ssh prompts for the key file's passphrase every time a session is initiated:
# ssh user234@lab108
Enter passphrase for key '/home/user123/.ssh/id_ed25519':

That is more secure, but loses some of the convenience of public key login: the initiating user still does not need to know the destination account's password, but must enter the key file's passphrase on every connection.
To get around that, ssh-agent can hold the decrypted private key in memory. The passphrase is entered once, when the key is loaded into the agent; ssh then asks the agent to sign the authentication challenge instead of reading the key file itself. The passphrase is not stored anywhere; the agent keeps only the decrypted key, and only for as long as it runs.
To do that, at the start of the initiating user's (user123) shell, start the agent:
 
eval `ssh-agent`

That starts the agent and creates a UNIX-domain socket through which ssh talks to the agent. The 'eval' is needed so that the environment variables naming the agent's socket and PID, SSH_AUTH_SOCK and SSH_AGENT_PID, are set in the current shell rather than in a child process that exits immediately.
After starting ssh-agent, add the private key (the identity) to the agent with ssh-add; with no arguments it looks for the default key files in ~/.ssh:
 
# ssh-add
Enter passphrase for /home/user123/.ssh/id_ed25519:
Identity added: /home/user123/.ssh/id_ed25519 (user123@lab109)
At this point, as long as this shell is open with the agent running, there is no prompt for the passphrase when doing public key authentication. 'ssh-add -l' lists the keys the agent currently holds.
The agent keeps running after the shell ends. To kill it, run this command before exiting. It uses SSH_AGENT_PID to find the agent and prints the commands that clear the variables; wrap it in eval, as when starting the agent, if those should take effect in the current shell:
# ssh-agent -k
unset SSH_AUTH_SOCK;
unset SSH_AGENT_PID;
echo Agent pid 15991252 killed;

If the agent is left running, it can be reused from another shell only if the environment variables associated with it are known. Note that the socket lives in a directory created with mode 0700, so only the same user (or root) can connect to it, and anyone who can connect can authenticate with every loaded key without knowing the passphrase. Load keys with a lifetime ('ssh-add -t 3600') or kill the agent when the work is done, rather than leaving keys loaded indefinitely. For example:
 
# eval `ssh-agent`
Agent pid 10617096
# ssh-add
Enter passphrase for /home/user123/.ssh/id_ed25519:
Identity added: /home/user123/.ssh/id_ed25519 (user123@lab109)
# env | grep SSH
SSH_AUTH_SOCK=/tmp/ssh-XXXXXXRY1aea/agent.6816190
SSH_AGENT_PID=10617096

Knowing those, if a new shell is started ('su -' gives a fresh environment, so the variables must be exported again), the agent still has the key loaded from earlier:
 
# su - user123
# export SSH_AUTH_SOCK=/tmp/ssh-XXXXXXRY1aea/agent.6816190
# export SSH_AGENT_PID=10617096
# ssh user234@lab108
<success, no passphrase needed>
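The manual steps above can be put in a login profile so that one agent per user is started on first login, its variables are recorded in a file, and later shells pick it up without exporting SSH_AUTH_SOCK and SSH_AGENT_PID by hand. The POSIX sh functions below are an added example and are not part of this technote; the env-file location ($HOME/.ssh/agent.env), the function names and the 3600-second default key lifetime are this example's own choices. The exit codes of 'ssh-add -l' (0 = keys loaded, 1 = agent reachable but empty, 2 = no agent at the socket) are OpenSSH's documented ones.

```shell
#!/bin/sh
# Added example (not from the IBM technote): keep one ssh-agent per user,
# record its socket and PID in a 0600 file, and reuse it from later login
# shells instead of exporting SSH_AUTH_SOCK/SSH_AGENT_PID by hand.
# AGENT_ENV (path assumed here) can be overridden before the functions run.

AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# agent_status: exit 0 = agent reachable and holding keys,
#               exit 1 = reachable but empty, exit 2 = nothing answers at
#               $SSH_AUTH_SOCK (these are the exit codes of 'ssh-add -l').
agent_status() {
    ssh-add -l >/dev/null 2>&1
}

# agent_reachable: succeed if an agent answers, whether or not it holds keys.
agent_reachable() {
    agent_status
    [ $? -ne 2 ]
}

# agent_start: start a new agent and save its variables for other shells.
# '-s' forces Bourne-shell syntax regardless of $SHELL, so the file can be
# sourced with '.'. The file is written under umask 077: it only names a
# socket and a PID, but anyone who reads it and can reach the socket can
# sign with every key the agent holds.
agent_start() {
    mkdir -p "$(dirname "$AGENT_ENV")" || return 1
    (umask 077; rm -f "$AGENT_ENV"; ssh-agent -s > "$AGENT_ENV") || return 1
    # The file ends with 'echo Agent pid N;', hence the redirect.
    . "$AGENT_ENV" >/dev/null
}

# agent_load: reuse the agent recorded in $AGENT_ENV if it still answers.
# Exit 2 means a new agent has to be started (no file, or a stale file left
# behind by a reboot or an earlier kill).
agent_load() {
    [ -r "$AGENT_ENV" ] || return 2
    . "$AGENT_ENV" >/dev/null
    agent_reachable || return 2
}

# agent_ensure: the single call to put in .profile: reuse or start.
agent_ensure() {
    agent_load || agent_start
}

# agent_add_key KEY [SECONDS]: load a private key with a lifetime, so it
# expires from the agent even if the shell that loaded it is never closed.
# ssh-add prompts on the terminal for the passphrase if the key has one.
agent_add_key() {
    ssh-add -t "${2:-3600}" "$1"
}

# agent_stop: kill the recorded agent and forget it. 'ssh-agent -k' only
# prints the unset commands; eval is what runs them in this shell.
agent_stop() {
    if [ -r "$AGENT_ENV" ]; then
        . "$AGENT_ENV" >/dev/null
        eval "$(ssh-agent -k 2>/dev/null)" >/dev/null
    fi
    unset SSH_AUTH_SOCK SSH_AGENT_PID
    rm -f "$AGENT_ENV"
}
```

Typical use: '. /path/to/these/functions; agent_ensure' in the login profile, then 'agent_add_key ~/.ssh/id_ed25519' once per day (it prompts for the passphrase), and 'agent_stop' when finished. A second login shell that runs agent_ensure finds the existing agent and the key already loaded, which is the same effect as the manual export shown above.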

Document Location

Worldwide

Product: AIX (all versions); Category: AIX Open Source -> OPENSSH/OPENSSL; Platform: Platform Independent; Line of Business: Cognitive Systems; Business Unit: IBM Infrastructure w/TPS

Document Information

Modified date:
26 April 2024

UID

ibm17001497