Github Bad Passphrase Try Again for Ssh-add
During keyring configuration for the Nextcloud client (see the Linux: the Nextcloud client, qtkeychain and the "The name org.freedesktop.secrets was not provided by any .service files" error post) – I decided to clean up the mess in my SSH keys, as I have a lot of them and sometimes authentication became just painful.
In general, to make this simpler one can use system-wide storage like gnome-keyring or KeePassXC, but we will speak about them in the next post.
Today, let's discuss ssh-agent and how to use it to manage password-protected RSA keys for SSH authentication without such backends.
The examples below were performed on an Arch Linux installation, with some additional tests on Manjaro Linux with the Budgie DE.
ssh-agent
ssh-agent is intended to manage a user's SSH keys and their passwords, to avoid the necessity of entering a key's password each time you need to log in to a remote host using such a key for your authentication.
Running the agent
Just run:
ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-dMDE5mED77tM/agent.436347; export SSH_AUTH_SOCK;
SSH_AGENT_PID=436348; export SSH_AGENT_PID;
echo Agent pid 436348;
Clients, such as the ssh client or git, need to know the following variables:
- SSH_AGENT_PID: the PID of the started ssh-agent, which will be used, for example, to kill it with ssh-agent -k
- SSH_AUTH_SOCK: a path to a UNIX socket file which will be used by clients (ssh, git, etc) to communicate with the ssh-agent
To run an agent without displaying these variables and to apply them – do the following:
eval $(ssh-agent) > /dev/null
There are a few different ways to run the agent; we will take a closer look at them in the Running ssh-agent with multiple terminals part.
Examples
Let's take an overview of ssh-agent basic usage.
A key generation
Create a new key:
ssh-keygen -t rsa -b 2048 -f /home/setevoy/.ssh/test-key -C "Testing key" -P pass
Generating public/private rsa key pair.
Your identification has been saved in /home/setevoy/.ssh/test-key.
Your public key has been saved in /home/setevoy/.ssh/test-key.pub.
The key fingerprint is:
SHA256:pTyrGtk1hnNHB6b8ilp5jRe1+K4KrLHg50yUGilApLY Testing key
The key's randomart image is:
+---[RSA 2048]----+
|.o o |
|o . o . |
|o. o o o |
|o .. . o = + . |
|.Eo o o S = . |
| . + + B O o |
| o = B = o . |
| . +.B + . . |
| .oB.. ..... |
+----[SHA256]-----+
Options here:
- -t: type, RSA
- -b: a key's length in bits (by default 3072 for RSA)
- -f: a path to the key's file (by default ~/.ssh/id_rsa)
- -C: a comment for the key (by default username@hostname)
- -P: a key's password
Checking an SSH key's password
To check a key's password you can use ssh-keygen with -y, which displays information about this key and will ask you to enter the key's password:
ssh-keygen -y -f /home/setevoy/.ssh/test-key
Enter passphrase:
ssh-rsa AAAAB***gud2vedL/V Testing key
ssh-copy-id – copy a key to a remote host
You can copy a key manually, by getting its public part from the test-key.pub file:
cat .ssh/test-key.pub
ssh-rsa AAAAB***gud2vedL/V Testing key
And by adding it to the ~/.ssh/authorized_keys on a target host.
Another way, the recommended one, is to use the ssh-copy-id utility, which will do the same but also will keep an eye on folders' and files' permissions – the most frequent problem during SSH RSA-based authentication:
ssh-copy-id -i /home/setevoy/.ssh/test-key setevoy@rtfm.co.ua
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/setevoy/.ssh/test-key.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
setevoy@rtfm.co.ua's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'setevoy@rtfm.co.ua'"
and check to make sure that only the key(s) you wanted were added.
Now you can log in using this key:
ssh setevoy@rtfm.co.ua -i .ssh/test-key
Enter passphrase for key '.ssh/test-key':
Linux rtfm-do-production 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64
...
setevoy@rtfm-do-production:~$
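A check you can run on either side before blaming the key itself: the following shell function is an added example, not code from the original post, and verifies the ~/.ssh, authorized_keys and private-key modes that ssh-copy-id is said to keep an eye on. It assumes GNU stat (Linux) and takes the directory to inspect as an argument.

```shell
# Added example, not from the original post: a check for the modes that sshd
# (with its default StrictModes) and the ssh client insist on. It takes the
# .ssh directory as an argument so it can run over a constructed directory as
# well as ~/.ssh. Assumes GNU stat and ordinary three-digit octal modes.

mode_of() { stat -c '%a' "$1"; }        # e.g. 700, 600, 644

# True when the group or other digit of a three-digit mode carries a write bit.
group_or_other_writable() {
    case "$1" in ?[2367]?|??[2367]) return 0 ;; *) return 1 ;; esac
}

check_ssh_perms() {
    dir="$1"; bad=0
    # sshd ignores authorized_keys when ~/.ssh or the file is writable by others.
    for f in "$dir" "$dir/authorized_keys"; do
        [ -e "$f" ] || continue
        if group_or_other_writable "$(mode_of "$f")"; then
            echo "BAD  $f is mode $(mode_of "$f"): writable by group/other"; bad=1
        fi
    done
    # The ssh client refuses a private key with any group/other bit set
    # ("Permissions 0644 ... are too open"), so only 600 or 400 pass here.
    for key in "$dir"/*; do
        [ -f "$key" ] && grep -q 'PRIVATE KEY' "$key" || continue
        case "$(mode_of "$key")" in
            600|400) ;;
            *) echo "BAD  $key is mode $(mode_of "$key") (expected 600)"; bad=1 ;;
        esac
    done
    return $bad
}

# Usage: check_ssh_perms ~/.ssh && echo "permissions look fine"
```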
ssh-add
Okay, so now we do have a password-protected RSA key for SSH authentication.
But during each SSH login you'll have to enter its password again and again, and this will be a real pain when using a lot of connections and keys.
To avoid this issue – add a key to the ssh-agent using ssh-add.
Check if it is running:
ps aux | grep ssh-agent
setevoy 1322 0.0 0.0 5796 456 ? Ss Nov30 0:00 ssh-agent -s
setevoy 1324 0.0 0.0 5796 2160 ? Ss Nov30 0:00 ssh-agent -s
...
Could not open a connection to your authentication agent
The most common problem is when ssh-add is not able to connect to an agent:
ssh-add
Could not open a connection to your authentication agent.
At first – check if its PID is set in the SSH_AGENT_PID variable, or check the $SSH_AUTH_SOCK variable, as all communication goes via the socket file specified by this variable:
test -z $SSH_AGENT_PID; echo $?
Here it is empty, because the ssh-agent was started in another terminal instance (we will speak shortly about how to handle this).
For now – kill all already running instances:
And run an agent's instance anew:
eval $(ssh-agent -s)
Agent pid 452333
We are using the -s option as not everybody will do the steps above from exactly the bash shell, and eval to apply the strings from the agent's output (export SSH_AUTH_SOCK).
Check again:
test -z $SSH_AGENT_PID; echo $?
1
And ssh-add:
ssh-add -l
The agent has no identities.
All done here.
Adding a key
Run:
ssh-add /home/setevoy/.ssh/test-key
Enter passphrase for /home/setevoy/.ssh/test-key:
Identity added: /home/setevoy/.ssh/test-key (Testing key)
Checking keys
Use the -l option to check which keys are already loaded into an agent's instance:
ssh-add -l
2048 SHA256:pTyrGtk1hnNHB6b8ilp5jRe1+K4KrLHg50yUGilApLY Testing key (RSA)
Deleting key(s)
Use -d to delete one key:
ssh-add -d .ssh/test-key
Identity removed: .ssh/test-key (Testing key)
And -D to delete all keys at once:
ssh-add -D
All identities removed.
Automatically adding keys to ssh-agent
To make ssh (and git, for example) add used keys to an ssh-agent without the necessity to run ssh-add manually, you can add the AddKeysToAgent parameter to the ~/.ssh/config and specify one of the following options – yes, confirm or ask (see SSH_ASKPASS):
head -1 .ssh/config
AddKeysToAgent yes
Let's check – there is nothing added at this moment:
ssh-add -l
The agent has no identities.
Make a connection, enter a key's password:
ssh -i .ssh/test-key setevoy@rtfm.co.ua
Enter passphrase for key '.ssh/test-key':
...
setevoy@rtfm-do-production:~$
Disconnect, and check keys in the agent now:
setevoy@rtfm-do-production:~$ logout
Connection to rtfm.co.ua closed.
ssh-add -l
2048 SHA256:pTyrGtk1hnNHB6b8ilp5jRe1+K4KrLHg50yUGilApLY Testing key (RSA)
On the next connection – the ssh client will use the key from the agent and will not ask you for the key's password again:
ssh -i .ssh/test-key setevoy@rtfm.co.ua
...
setevoy@rtfm-do-production:~$
Running ssh-agent with multiple terminals
Another big question is what to do when you have several bash sessions, for instance in various terminal tabs, as they will not have the $SSH_AUTH_SOCK variable set and an ssh client will not be able to communicate with an already running ssh-agent instance.
I.e. when you run ssh-add in a new terminal – you'll encounter the already mentioned "Could not open a connection to your authentication agent" error:
ssh-add -l
Could not open a connection to your authentication agent.
~/.bashrc
There are a few ways to initialize the variables during a new bash session's initialization; for instance, you can add the following to your ~/.bashrc:
if [ -z "$SSH_AUTH_SOCK" ] ; then
    eval `ssh-agent -s`
    ssh-add /home/setevoy/.ssh/test-key
fi
But in this case each bash session will have its own ssh-agent running, which is not a problem but maybe not what you'd like to have.
Another way could be the following code added to the ~/.bashrc:
ssh-add -l &>/dev/null
if [ "$?" == 2 ]; then
  test -r ~/.ssh-agent-env && \
    eval "$(<~/.ssh-agent-env)" >/dev/null
  ssh-add -l &>/dev/null
  if [ "$?" == 2 ]; then
    (umask 066; ssh-agent > ~/.ssh-agent-env)
    eval "$(<~/.ssh-agent-env)" >/dev/null
    ssh-add /home/setevoy/.ssh/test-key
  fi
fi
Here (see the response codes in the ssh-agent documentation):
- try to execute ssh-add -l, and redirect its output to /dev/null
- check the returned code of the previous command:
  - if it is == 2 (error connecting to an agent):
    - check if ~/.ssh-agent-env is present and available for reading, read it and pass its content to bash
    - retry ssh-add -l
    - if the code is still 2:
      - create the ~/.ssh-agent-env file with the 660 permissions (read-write for an owner only)
      - start ssh-agent and redirect its output into the .ssh-agent-env file
      - read the .ssh-agent-env content and pass it via a pipe to bash
      - run ssh-add /home/setevoy/.ssh/test-key
Not a bad solution, and in this way all our sessions will use the same agent, although some guides suggest having different agents for personal and work usage.
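As an added example (not from the original post or the snippet it reproduces), a stricter replacement for the eval "$(<~/.ssh-agent-env)" step: it parses the agent's two variables instead of executing the file as shell code, and exports them only after confirming the socket exists and the agent PID is alive. The parse_agent_env, agent_alive and load_agent_env names and the AGENT_* variables are this example's own.

```shell
# Added example, not from the original post: loading ~/.ssh-agent-env without
# eval. A stale or modified env file can then neither run commands in the
# shell nor point ssh at a dead agent. Function and AGENT_* names are ours.

# Parse ssh-agent's "VAR=value; export VAR;" lines into AGENT_SOCK / AGENT_PID.
# Anything that does not match the exact format is rejected (return 1).
parse_agent_env() {
    AGENT_SOCK=$(sed -n 's/^SSH_AUTH_SOCK=\([^;]*\); export SSH_AUTH_SOCK;$/\1/p' "$1")
    AGENT_PID=$(sed -n 's/^SSH_AGENT_PID=\([0-9][0-9]*\); export SSH_AGENT_PID;$/\1/p' "$1")
    [ -n "$AGENT_SOCK" ] && [ -n "$AGENT_PID" ]
}

# Is the agent behind SOCK (a UNIX socket path) and PID still there?
agent_alive() {
    [ -S "$1" ] && kill -0 "$2" 2>/dev/null
}

# Load a verified agent environment into the current shell. Returns 2, the
# same code ssh-add gives for "cannot connect", so a ~/.bashrc snippet can
# fall through to starting a fresh agent just as the eval-based version does.
load_agent_env() {
    parse_agent_env "$1" || return 2
    agent_alive "$AGENT_SOCK" "$AGENT_PID" || return 2
    export SSH_AUTH_SOCK="$AGENT_SOCK" SSH_AGENT_PID="$AGENT_PID"
}

# Usage in ~/.bashrc (assumed layout):
#   load_agent_env ~/.ssh-agent-env || {
#       (umask 066; ssh-agent > ~/.ssh-agent-env)
#       load_agent_env ~/.ssh-agent-env && ssh-add ~/.ssh/test-key
#   }
```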
systemd
Another solution could be to create a dedicated systemd service by adding a unit file and running ssh-agent as a systemd service, see the Arch Wiki for the details.
Create a directory if not added yet:
mkdir -p .config/systemd/user/
And create a ~/.config/systemd/user/ssh-agent.service file there:
[Unit]
Description=SSH key agent

[Service]
Type=simple
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK

[Install]
WantedBy=default.target
Next, the Wiki tells about the ~/.pam_environment file for variables, but in my current case I have Openbox and usually set variables via the .config/openbox/autostart file:
head -2 .config/openbox/autostart
ssh-agent.service
SSH_AUTH_SOCK="${XDG_RUNTIME_DIR}/ssh-agent.socket"
By the way, I recalled such a thing as setting default values in Bash – Bash: variables – passing default values ${var:-defaultvalue}, replacing values – ${var:+alternatevalue} and messages – ${var:?message} (Rus)
Now, stop all running agents:
Check the $XDG_RUNTIME_DIR variable value:
echo $XDG_RUNTIME_DIR
/run/user/1000
For now, set the $SSH_AUTH_SOCK variable manually:
SSH_AUTH_SOCK="${XDG_RUNTIME_DIR}/ssh-agent.socket"
And run an agent via systemctl --user:
systemctl --user start ssh-agent
Check it:
systemctl --user status ssh-agent
● ssh-agent.service - SSH key agent
Loaded: loaded (/home/setevoy/.config/systemd/user/ssh-agent.service; disabled; vendor preset: enabled)
Active: active (running) since Sun 2019-12-01 09:15:18 EET; 2s ago
Main PID: 497687 (ssh-agent)
CGroup: /user.slice/user-1000.slice/user@1000.service/ssh-agent.service
└─497687 /usr/bin/ssh-agent -D -a /run/user/1000/ssh-agent.socket
Dec 01 09:15:18 setevoy-arch-pc systemd[670]: Started SSH key agent.
Dec 01 09:15:19 setevoy-arch-pc ssh-agent[497687]: SSH_AUTH_SOCK=/run/user/1000/ssh-agent.socket; export SSH_AUTH_SOCK;
Dec 01 09:15:19 setevoy-arch-pc ssh-agent[497687]: echo Agent pid 497687;
The socket's variable:
echo $SSH_AUTH_SOCK
/run/user/1000/ssh-agent.socket
And try ssh-add:
ssh-add -l
The agent has no identities.
"It works!" (c)
You can add it to autostart now:
systemctl --user enable ssh-agent
Created symlink /home/setevoy/.config/systemd/user/default.target.wants/ssh-agent.service → /home/setevoy/.config/systemd/user/ssh-agent.service.
~/.xinitrc
One more way you can use is adding the agent's start to the ~/.xinitrc.
In this case, when you execute startx (for instance, as in my case, when I have no login manager at all and X.Org is started manually by entering startx in the console) – at first an agent will be started and then – an Openbox session, see the documentation:
cat ~/.xinitrc
eval $(ssh-agent)
exec openbox-session
Also, as already mentioned at the very beginning of this post, there are other implementations of key backends that can be used alongside or instead of the ssh-agent – kinds of "wrappers" that will either "proxy" requests from an ssh client to an ssh-agent's instance, or will fully replace the ssh-agent itself and store keys and passwords themselves, but we will speak about them in a following post(s?).
Also published on Medium.
Source: https://rtfm.co.ua/en/ssh-rsa-keys-and-ssh-agent-for-ssh-keys-and-their-passwords-management/