Using SSH agents

The use of an SSH agent makes it unnecessary to type in the (normally long and complex) passphrase each time the ssh program is called.

In an SSH initialization run, the key pairs are generated, stored in local files and their public parts distributed to the communication partners. The SSH agent is started at the beginning of an interactive session, or at the start of a script, by calling the ssh-agent command (see http://www.openssh.com). The necessary private keys are then transferred to it by means of ssh-add. The SSH agent maintains these private keys in encrypted form in memory. To decrypt them it requires the passphrases, if any were specified.

From this point until the SSH agent is terminated, SSH clients contact the SSH agent automatically for all key-related operations. If a remote connection is to be set up by means of an ssh call, the local SSH agent and the remote sshd daemon automatically execute the required authentication procedure.

If a passphrase is used, it need only be entered once. It is read from the current terminal if ssh-add was started from a terminal. If no terminal has been assigned to ssh-add but the DISPLAY and SSH_ASKPASS variables are set, the program specified by SSH_ASKPASS is executed and an X11 window for reading the passphrase opens. This is useful if ssh-add is called in a .Xsession or in a startup script.

Example

ssh-keygen -b 1024 -t rsa -C <comment> -N "<passphrase>"
# Generates a 1024-bit RSA key for SSH protocol version 2, protected by a passphrase
# (1024 bits is below current recommendations; ssh-keygen in OpenSSH now defaults to 3072-bit RSA keys)
ssh-agent /bin/csh # The path to a shell or a shell script can be specified as an argument
ssh-add # Without arguments, loads the keys from the default identity files

The environment variables which point to the SSH agent’s socket must be set to permit the SSH client to communicate with the agent. The ssh-agent program supplies the information required for this purpose when it returns:

Example

# In SSH Version 2 Notation:
SSH2_AUTH_SOCK=/tmp/ssh-JGK12327/agent.12327; export SSH2_AUTH_SOCK;
SSH2_AGENT_PID=12328; export SSH2_AGENT_PID;

These output commands of the ssh-agent program can be executed by means of the eval command. Note the backquotes (`) here:

eval `ssh-agent ...`

The eval command instructs the shell to execute the ssh-agent command and then to execute the commands it generated. The shell variables SSH_AUTH_SOCK and SSH_AGENT_PID are then available. After the eval `ssh-agent` command has been executed, the SSH agent's PID is output.

The eval `ssh-agent` command should be included in the ~/.bash_profile file.

Shell scripts

If SSH shell scripts are to be used, the SSH agent can be started, the correct environment set, and the agent supplied with the necessary keys and passphrases in an initialization phase or in a startup script, before the script containing the ssh calls is started.

In addition, the SSH script must itself set these environment variables. To do this, the output of the ssh-agent program must have been stored in an auxiliary file, which the script then executes by means of the dot (.) command.

Example

ssh-agent | head -2 > <auxfile> # Store environment in initialization phase
:
:
:
. <auxfile> # Set environment in script
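Because the dot command executes whatever the auxiliary file contains, a script should check the file before sourcing it. The following script is an added example, not part of the original page: it stores the agent environment as described above, validates the file's permissions and content against the expected `NAME=value; export NAME;` lines, sources it, and confirms the agent is reachable. The function names and the file path ~/.ssh/agent.env are this example's own assumptions.

```shell
#!/bin/sh
# Added example: reuse ssh-agent's output from an auxiliary file in a script,
# but validate the file before it is sourced, since ". <auxfile>" runs
# whatever the file contains. Function names and AGENT_ENV are assumptions.

AGENT_ENV="${HOME}/.ssh/agent.env"   # assumed location of <auxfile>

# Returns 0 only if the file exists, is non-empty, is not writable by group
# or others, and every line has the shape  NAME=value; export NAME;  for
# the two agent variables (SSH_ or SSH2_ prefix, as in the page's examples).
# Values may contain only path characters, so no shell metacharacters pass.
check_agent_env() {
    f="$1"
    [ -f "$f" ] || return 1
    [ -s "$f" ] || return 1
    case "$(ls -ld "$f")" in
        ?????w*|????????w*) return 1 ;;   # group- or world-writable
    esac
    # grep -v selects lines that do NOT match; any such line rejects the file
    if grep -Evq '^(SSH2?_AUTH_SOCK|SSH2?_AGENT_PID)=[A-Za-z0-9_./-]+; export (SSH2?_AUTH_SOCK|SSH2?_AGENT_PID);$' "$f"; then
        return 1
    fi
    return 0
}

# Initialization phase: start an agent and store its first two output lines
# (the page's "ssh-agent|head -2 > <auxfile>"), with a private file mode.
start_agent_env() {
    umask 077
    ssh-agent | head -2 > "$AGENT_ENV"
}

# Script phase: validate, source (the page's ". <auxfile>"), then confirm the
# agent answers. ssh-add exits 2 when it cannot contact the agent; exit 1
# only means no identities are loaded, which is not a connectivity failure.
load_agent_env() {
    check_agent_env "$AGENT_ENV" || return 1
    . "$AGENT_ENV"
    ssh-add -l >/dev/null 2>&1
    [ $? -ne 2 ]
}
```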