
Github Bad Passphrase Try Again for Ssh-add

During keyring configuration for the Nextcloud client (see the Linux: the Nextcloud client, qtkeychain and the "The name org.freedesktop.secrets was not provided by any .service files" error post) – I decided to clean up the mess in my SSH keys, as I have a lot of them and sometimes authentication became just painful.

In general, to make this simpler one can use a system-wide storage like gnome-keyring or KeePassXC, but we will speak about them in the next post.

Today, let's discuss ssh-agent and how to use it to manage password-protected RSA keys for SSH authentication without such backends.

The examples below were performed on an Arch Linux installation, with some additional tests on Manjaro Linux with the Budgie DE.

ssh-agent

ssh-agent is intended to manage a user's SSH keys and their passwords, to avoid the necessity to enter a key's password each time you need to log in to a remote host using that key for authentication.

Running the agent

Just run:

ssh-agent

SSH_AUTH_SOCK=/tmp/ssh-dMDE5mED77tM/agent.436347; export SSH_AUTH_SOCK;

SSH_AGENT_PID=436348; export SSH_AGENT_PID;

echo Agent pid 436348;

Clients such as the ssh client or git need to know the following variables:

  • SSH_AGENT_PID: the PID of the started ssh-agent, which will be used for example to kill it with ssh-agent -k
  • SSH_AUTH_SOCK: a path to a UNIX socket file which will be used by clients (ssh, git, etc) to communicate with the ssh-agent

To run an agent without displaying these variables and to apply them – do the following:

eval $(ssh-agent) > /dev/null

There are a few different ways to run the agent; we will take a closer look at them in the Running ssh-agent with multiple terminals part.

Examples

Let's take an overview of ssh-agent basic usage.

Key generation

Create a new key:

ssh-keygen -t rsa -b 2048 -f /home/setevoy/.ssh/test-key -C "Testing key" -P pass

Generating public/private rsa key pair.

Your identification has been saved in /home/setevoy/.ssh/test-key.

Your public key has been saved in /home/setevoy/.ssh/test-key.pub.

The key fingerprint is:

SHA256:pTyrGtk1hnNHB6b8ilp5jRe1+K4KrLHg50yUGilApLY Testing key

The key's randomart image is:

+---[RSA 2048]----+

|.o        o      |

|o      . o .     |

|o.      o o o    |

|o .. . o = + .   |

|.Eo o o S = .    |

| . + + B O o     |

|  o = B = o .    |

| . +.B + . .     |

|  .oB.. .....    |

+----[SHA256]-----+

Options here:

  • -t: the key type, RSA
  • -b: the key's length in bits (by default 3072 for RSA)
  • -f: a path to the key's file (by default ~/.ssh/id_rsa)
  • -C: a comment for the key (by default username@hostname)
  • -P: the key's password

Checking an SSH key's password

To check a key's password you can use ssh-keygen with -y, which displays the key's public part, and this will ask you to enter the key's password:

ssh-keygen -y -f /home/setevoy/.ssh/test-key

Enter passphrase:

ssh-rsa AAAAB***gud2vedL/V Testing key
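
The ssh-keygen -y prompt above verifies one key by hand. As an added example (my own shell script, not code from the original post), the functions below audit a whole directory of private keys offline: they report keys that have no passphrase and keys that are readable by group or others, which is exactly what you want to know before deciding which keys are safe to keep loading into an agent. The helper names, the inspection of the key file's header (the "bcrypt" KDF name in the new OpenSSH format, the Proc-Type header in legacy PEM) and the use of plain ls/cut/base64/dd are my assumptions; ssh-keygen itself is not called.

```shell
#!/bin/sh
# Added example, not from the original post: audit a directory of private
# keys for a missing passphrase and for loose file permissions, without
# calling ssh-keygen. Helper names are mine; the format details are those
# of OpenSSH key files (new "openssh-key-v1" format and legacy PEM).

# Exit 0 if the private key in $1 is passphrase-protected.
# New-format keys store the cipher and KDF names right after the
# "openssh-key-v1" magic: an encrypted key uses the "bcrypt" KDF, an
# unencrypted one says "none". Legacy PEM keys carry a
# "Proc-Type: 4,ENCRYPTED" header when encrypted.
key_is_encrypted() {
    if grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$1"; then
        sed '/^-----/d' "$1" | base64 -d 2>/dev/null \
            | dd bs=64 count=1 2>/dev/null | grep -aq 'bcrypt'
    else
        grep -q '^Proc-Type: 4,ENCRYPTED' "$1"
    fi
}

# Exit 0 if $1 grants nothing to group or others
# (columns 5-10 of "ls -ld" are the group and other permission bits).
key_perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print one line per private key found in directory $1:
#   <path> encrypted=<yes|no> perms=<ok|LOOSE>
# Private keys are recognised by their "BEGIN ... PRIVATE KEY" first
# line, so *.pub, config and known_hosts are skipped.
# Exit 0 only when every key is both encrypted and properly protected.
audit_ssh_dir() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        head -n 1 "$f" | grep -q 'PRIVATE KEY-----$' || continue
        if key_is_encrypted "$f"; then enc=yes; else enc=no; rc=1; fi
        if key_perms_ok "$f"; then perm=ok; else perm=LOOSE; rc=1; fi
        printf '%s encrypted=%s perms=%s\n' "$f" "$enc" "$perm"
    done
    return $rc
}

# Usage: audit_ssh_dir ~/.ssh
```

Run it as `audit_ssh_dir ~/.ssh`; a non-zero exit status means at least one key is either unencrypted or readable by others, and the printed lines tell you which.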

ssh-copy-id – copy a key to a remote host

You can copy a key manually, by getting its public part from the test-key.pub file:

cat .ssh/test-key.pub

ssh-rsa AAAAB***gud2vedL/V Testing key

And by adding it to ~/.ssh/authorized_keys on a target host.

Another way, the recommended one, is to use the ssh-copy-id utility which will do the same but also will keep an eye on folder and file permissions – the most frequent problem with SSH RSA-based authentication:

ssh-copy-id -i /home/setevoy/.ssh/test-key setevoy@rtfm.co.ua

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/setevoy/.ssh/test-key.pub"

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

setevoy@rtfm.co.ua's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'setevoy@rtfm.co.ua'"

and check to make sure that only the key(s) you wanted were added.

Now you can log in using this key:

ssh setevoy@rtfm.co.ua -i .ssh/test-key

Enter passphrase for key '.ssh/test-key':

Linux rtfm-do-production 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64

...

setevoy@rtfm-do-production:~$

ssh-add

Okay, so now we do have a password-protected RSA key for SSH authentication.

But during each SSH login you'll have to enter its password again and again, and this will be a real pain when using a lot of connections and keys.

To avoid this issue – add the key to the ssh-agent using ssh-add.

Check if it is running:

ps aux | grep ssh-agent

setevoy     1322  0.0  0.0   5796   456 ?        Ss   Nov30   0:00 ssh-agent -s

setevoy     1324  0.0  0.0   5796  2160 ?        Ss   Nov30   0:00 ssh-agent -s

...

Could not open a connection to your authentication agent

The most common problem is when ssh-add is not able to connect to an agent:

ssh-add

Could not open a connection to your authentication agent.

At first – check if its PID is set in SSH_AGENT_PID, or check the $SSH_AUTH_SOCK variable, as all communication goes via the socket file specified by this variable:

test -z $SSH_AGENT_PID; echo $?

Here it is empty, because the ssh-agent was started in another terminal instance (we will speak shortly about how to handle this).

For now – kill all already running instances:

And run an agent's instance anew:

eval $(ssh-agent -s)

Agent pid 452333

We are using the -s option as not everybody will do the steps above from exactly the bash shell, and eval to apply the strings from the agent's output (export SSH_AUTH_SOCK).

Check again:

test -z $SSH_AGENT_PID; echo $?

1

And ssh-add:

ssh-add -l

The agent has no identities.

All done here.

Adding a key

Run:

ssh-add /home/setevoy/.ssh/test-key

Enter passphrase for /home/setevoy/.ssh/test-key:

Identity added: /home/setevoy/.ssh/test-key (Testing key)

Checking keys

Use the -l option to check which keys are already loaded into the agent's instance:

ssh-add -l

2048 SHA256:pTyrGtk1hnNHB6b8ilp5jRe1+K4KrLHg50yUGilApLY Testing key (RSA)

Deleting key(s)

Use -d to delete one key:

ssh-add -d .ssh/test-key

Identity removed: .ssh/test-key (Testing key)

And -D to delete all keys at once:

ssh-add -D

All identities removed.

Automatically adding keys to ssh-agent

To make ssh (and git, for example) add used keys to the ssh-agent without the need to run ssh-add manually, you can add the AddKeysToAgent parameter to ~/.ssh/config and specify one of the following options – yes, confirm or ask (see SSH_ASKPASS):

head -1 .ssh/config

AddKeysToAgent yes

Let's check – there is nothing added at this moment:

ssh-add -l

The agent has no identities.

Make a connection, enter the key's password:

ssh -i .ssh/test-key setevoy@rtfm.co.ua

Enter passphrase for key '.ssh/test-key':

...

setevoy@rtfm-do-production:~$

Disconnect, and check the keys in the agent now:

setevoy@rtfm-do-production:~$ logout

Connection to rtfm.co.ua closed.

ssh-add -l

2048 SHA256:pTyrGtk1hnNHB6b8ilp5jRe1+K4KrLHg50yUGilApLY Testing key (RSA)

On the next connection – the ssh client will use the key from the agent and will not ask you for the key's password again:

ssh -i .ssh/test-key setevoy@rtfm.co.ua

...

setevoy@rtfm-do-production:~$

Running ssh-agent with multiple terminals

Another big question is what to do when you have a few bash sessions, for instance in various terminal tabs, as they will not have the $SSH_AUTH_SOCK variable set and an ssh client will not be able to communicate with an already running ssh-agent instance.

I.e. when you run ssh-add in a new terminal – you'll see the already mentioned "Could not open a connection to your authentication agent" error:

ssh-add -l

Could not open a connection to your authentication agent.

~/.bashrc

There are a few ways to initialize the variables during a new bash session's initialization; for instance, you can add the following to your ~/.bashrc:

if [ -z "$SSH_AUTH_SOCK" ] ; then
  eval `ssh-agent -s`
  ssh-add /home/setevoy/.ssh/test-key
fi

But in this case, each bash session will have its own ssh-agent running, which is not a problem but maybe not what you'd like to have.

Another way could be the following code added to the ~/.bashrc:

ssh-add -l &>/dev/null
if [ "$?" == 2 ]; then
  test -r ~/.ssh-agent-env && \
    eval "$(<~/.ssh-agent-env)" >/dev/null

  ssh-add -l &>/dev/null
  if [ "$?" == 2 ]; then
    (umask 066; ssh-agent > ~/.ssh-agent-env)
    eval "$(<~/.ssh-agent-env)" >/dev/null
    ssh-add /home/setevoy/.ssh/test-key
  fi
fi

Here (see the exit codes in the ssh-add documentation):

  1. try to execute ssh-add -l, redirecting its output to /dev/null
  2. check the return code of the previous command:
    1. if it is == 2 (error connecting to an agent):
      1. check if ~/.ssh-agent-env is present and readable, read it and pass its content to bash
      2. retry ssh-add -l
      3. if the code is still 2:
        1. create the ~/.ssh-agent-env file with the 660 permissions (read-write for the owner only)
        2. start ssh-agent and redirect its output into the .ssh-agent-env file
        3. read the .ssh-agent-env content and pass it to bash
        4. run ssh-add /home/setevoy/.ssh/test-key

Not a bad solution, and in this way all our sessions will use the same agent, although some guides suggest having different agents for personal and work usage.
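
Both ~/.bashrc variants above run eval on text read from a file in your home directory, so that file must not be something another local user (or a stray process) could have written to. As an added example (my own code, not from the original post), the functions below implement the same agent-reuse logic as the second snippet but verify the saved environment file first: it must be owned by you, have no group/other write bits, and contain only the lines ssh-agent actually prints. The function names, the regular expression and the validation steps are my assumptions; the ~/.ssh-agent-env path, the umask 066 and the meaning of ssh-add exit code 2 ("no agent reachable") are taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post: reuse one ssh-agent across
# shell sessions via a saved environment file, validating the file before
# eval'ing it. Function names and checks are mine; the env file path,
# umask 066 and the ssh-add exit codes follow the post.

# Exit 0 if FILE is a regular file owned by us, not writable by group or
# others, and every non-empty line is one of the three shapes ssh-agent
# prints. Anything else would let eval run arbitrary commands at login.
agent_env_file_is_safe() {
    f="$1"
    [ -f "$f" ] && [ -O "$f" ] || return 1
    # columns 6 and 9 of "ls -ld" are the group and other write bits
    case "$(ls -ld "$f" | cut -c6,9)" in
        --) ;;
        *) return 1 ;;
    esac
    ! grep -Ev '^(SSH_AUTH_SOCK=[A-Za-z0-9_./-]+; export SSH_AUTH_SOCK;|SSH_AGENT_PID=[0-9]+; export SSH_AGENT_PID;|echo Agent pid [0-9]+;)?$' "$f" \
        | grep -q .
}

# Load FILE into the current shell; it must pass the check above.
load_agent_env() {
    agent_env_file_is_safe "$1" || return 1
    eval "$(cat "$1")" >/dev/null
}

# Exit 0 only if FILE loads and a live agent answers on its socket.
# ssh-add exits 2 solely when it cannot reach an agent; 0 and 1 mean
# the agent is there (with or without identities).
agent_is_reachable() {
    load_agent_env "$1" || return 1
    [ -S "${SSH_AUTH_SOCK:-}" ] || return 1
    ssh-add -l >/dev/null 2>&1 || [ $? -ne 2 ]
}

# Drop-in for ~/.bashrc: reuse the running agent when possible, otherwise
# start a fresh one into a 0600 env file (umask 066) and load that.
reuse_agent() {
    envfile="${1:-$HOME/.ssh-agent-env}"
    if ! agent_is_reachable "$envfile"; then
        (umask 066; ssh-agent > "$envfile") || return 1
        agent_is_reachable "$envfile" || return 1
    fi
}

# Usage in ~/.bashrc:   . /path/to/this/file && reuse_agent
```

Source the file from ~/.bashrc and call reuse_agent; a stale env file from a previous boot fails the socket check and is simply overwritten by a fresh agent, while a tampered or group-writable one is refused and never eval'ed.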

systemd

Another solution could be to create a dedicated systemd service by adding a unit file and running ssh-agent as a systemd service; see the Arch Wiki for the details.

Create the directory if it is not added yet:

mkdir -p .config/systemd/user/

And create a ~/.config/systemd/user/ssh-agent.service file there:

[Unit]
Description=SSH key agent

[Service]
Type=simple
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK

[Install]
WantedBy=default.target

Next, the Wiki tells about the ~/.pam_environment file for variables, but in my current case I have Openbox and usually set variables via the .config/openbox/autostart file:

head -2 .config/openbox/autostart

ssh-agent.service

SSH_AUTH_SOCK="${XDG_RUNTIME_DIR}/ssh-agent.socket"

By the way, this recalled such a thing as setting default values in Bash – Bash: variables, passing default values ${var:-defaultvalue}, replacing values ${var:+alternatevalue} and messages ${var:?message} (Rus)

Now, stop all running agents:

Check the $XDG_RUNTIME_DIR variable value:

echo $XDG_RUNTIME_DIR

/run/user/1000

For now, set the $SSH_AUTH_SOCK variable manually:

SSH_AUTH_SOCK="${XDG_RUNTIME_DIR}/ssh-agent.socket"

And run an agent via systemctl --user:

systemctl --user start ssh-agent

Check it:

systemctl --user status ssh-agent

● ssh-agent.service - SSH key agent

 Loaded: loaded (/home/setevoy/.config/systemd/user/ssh-agent.service; disabled; vendor preset: enabled)

  Active: active (running) since Sun 2019-12-01 09:15:18 EET; 2s ago

Main PID: 497687 (ssh-agent)

  CGroup: /user.slice/user-1000.slice/user@1000.service/ssh-agent.service

          └─497687 /usr/bin/ssh-agent -D -a /run/user/1000/ssh-agent.socket

Dec 01 09:15:18 setevoy-arch-pc systemd[670]: Started SSH key agent.

Dec 01 09:15:19 setevoy-arch-pc ssh-agent[497687]: SSH_AUTH_SOCK=/run/user/1000/ssh-agent.socket; export SSH_AUTH_SOCK;

Dec 01 09:15:19 setevoy-arch-pc ssh-agent[497687]: echo Agent pid 497687;

The socket's variable:

echo $SSH_AUTH_SOCK

/run/user/1000/ssh-agent.socket

And try ssh-add:

ssh-add -l

The agent has no identities.

"It works!" (c)

You can add it to autostart now:

systemctl --user enable ssh-agent

Created symlink /home/setevoy/.config/systemd/user/default.target.wants/ssh-agent.service → /home/setevoy/.config/systemd/user/ssh-agent.service.

~/.xinitrc

One more way is to add the agent's start to ~/.xinitrc.

In this case, when you execute startx (for instance, as in my case, when I have no login manager at all and X.Org is started manually by entering startx in the console) – at first an agent will be started and then an Openbox session; see the documentation:

cat ~/.xinitrc

eval $(ssh-agent) &

exec openbox-session

Also, as already mentioned at the very beginning of this post, there are other implementations of key backends that can be used alongside or instead of the ssh-agent – kinds of "wrappers" that either "proxy" requests from an ssh client to an ssh-agent instance, or fully replace the ssh-agent itself and store keys and passwords themselves; but we will speak about them in a following post(s?).



Also published on Medium.


Source: https://rtfm.co.ua/en/ssh-rsa-keys-and-ssh-agent-for-ssh-keys-and-their-passwords-management/