[ Team LiB ] |
Recipe 6.9 Authenticating Without a Password (Interactively)6.9.1 ProblemYou want to authenticate without typing a password or passphrase. 6.9.2 SolutionUse ssh-agent, invoking it within backticks as shown: $ eval `ssh-agent` Add your keys to the agent using ssh-add: $ ssh-add Enter passphrase for /home/smith/.ssh/id_dsa: ******** Then log in using public-key authentication and you won't be prompted for a passphrase: [Recipe 6.4] $ ssh -l remoteuser remotehost Some Linux distributions automatically run ssh-agent when you log in under an X session manager. In this case just skip the ssh-agent invocation. 6.9.3 DiscussionThe SSH agent, controlled by the programs ssh-agent and ssh-add, maintains a cache of private keys on your local (client) machine. You load keys into the agent, typing their passphrases to decrypt them. SSH clients (ssh, scp, sftp) then query the agent transparently about keys, rather than prompting you for a passphrase. The invocation of ssh-agent might look a little odd with the eval and backticks: $ eval `ssh-agent` but it is necessary because ssh-agent prints several commands on the standard output that set environment variables when run. To view these commands for testing, run ssh-agent alone: $ ssh-agent SSH_AUTH_SOCK=/tmp/ssh-XXNe6NhE/agent.13583; export SSH_AUTH_SOCK; SSH_AGENT_PID=13584; export SSH_AGENT_PID; echo Agent pid 13584; and then kill it manually (kill 13584).[2]
ssh-add, invoked with no command-line arguments, adds your default keys to the cache. To add a selected key, simply list it: $ ssh-add ~/.ssh/other_key Removing keys is done like this: Remove one key: $ ssh-add -d ~/.ssh/other_key Remove all keys: $ ssh-add -D A tempting but naive alternative to ssh-agent is a key with an empty passphrase, called a plaintext key. If you authenticate with this key, indeed, no passphrase is needed . . . but this is risky! If a cracker steals your plaintext key, he can immediately impersonate you on every machine that contains the corresponding public key. For interactive use, there is no reason to use a plaintext key. It's like putting your login password into a file named password.here.please.steal.me. Don't do it. Use ssh-agent instead. Another way to avoid passphrases is to use hostbased (trusted host) authentication [Recipe 6.8], but for interactive use we recommend public-key authentication with ssh-agent as inherently more secure. 6.9.4 See Alsossh-agent(1), ssh-add(1). |
[ Team LiB ] |