The use of an SSH agent makes it unnecessary to type in the (normally long and complex) passphrase each time the ssh program is called.
In an initialization run for SSH the key pairs are generated, stored in the local files and distributed to the communication partners. The SSH agent is started at the beginning of an interactive session, or at the start of a script, by calling the ssh-agent command (see http://www.openssh.com). The necessary private keys are then transferred to it by means of ssh-add. The SSH agent maintains these private keys in memory in encrypted form; decrypting the key files when they are loaded requires their passphrases, if any were specified.
From this point until the SSH agent is terminated, SSH clients contact the SSH agent automatically for all key-related operations. If a remote connection is to be set up by means of an ssh call, the local SSH agent and the remote sshd daemon automatically execute the required authentication procedure.
If a passphrase is used, it need only be entered once. It is read from the current terminal by ssh-add if ssh-add was started from a terminal. If no terminal has been assigned to ssh-add but the DISPLAY and SSH_ASKPASS variables are set, the program specified by SSH_ASKPASS is executed and an X11 window for reading the passphrase opens. This is useful if ssh-add is called in a .Xsession or in a startup script.
Example
ssh-keygen -b 1024 -t rsa -C <comment> -N "<passphrase>"   # Generates a 1024-bit RSA key for SSH Version 2, protected by a passphrase
ssh-agent /bin/csh                                          # The path to a shell or a shell script can be specified as an argument
ssh-add                                                     # By default loads all keys of the identity file
The environment variables which point to the SSH agent's socket must be set to permit the SSH client to communicate with the agent. The ssh-agent program supplies the information required for this purpose when it returns:
Example
# In SSH Version 2 notation:
SSH2_AUTH_SOCK=/tmp/ssh-JGK12327/agent.12327; export SSH2_AUTH_SOCK;
SSH2_AGENT_PID=12328; export SSH2_AGENT_PID;
These output commands of the ssh-agent program can be executed by means of the eval command. Please note the reverse quotes (`) here:

eval `ssh-agent ...`

The eval command instructs the shell to execute the ssh-agent command and then to execute the commands generated by it. The shell variables SSH_AUTH_SOCK and SSH_AGENT_PID are then available in the current shell. After the eval `ssh-agent` command has been executed, the SSH agent's PID is output.

The eval `ssh-agent` command should be included in the ~/.bash_profile file.
Shell scripts
If SSH shell scripts are to be used, the SSH agent can be started, the correct environment can be set and the agent can be supplied with the necessary keys and passphrases in an initialization phase or in a startup script, before the script containing the ssh calls is started.

In addition, the SSH script must be instrumented to set these values in its own environment variables. To do this, the output of the ssh-agent program must have been stored in an auxiliary file, which is then executed in the script by means of the dot command.
Example
ssh-agent | head -n 2 > <auxfile>   # Store environment in initialization phase
:
:
:
. <auxfile>                         # Set environment in script
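The initialization phase and auxiliary file described above, carried through as an added example that is not code from the original manual: the agent's output is reduced to plain NAME=VALUE lines, kept in a file readable only by its owner (the socket path and PID should not be visible to other users), sourced with the dot command, and the agent is killed when the script ends. The AUXFILE name and the one-hour key lifetime are assumptions made for illustration; the ssh-agent and ssh-add options used are OpenSSH's.

```shell
#!/bin/sh
# Added example (not from the original manual): run a script under its own
# SSH agent. AUXFILE and the 3600 s key lifetime are assumed values.
AUXFILE="${TMPDIR:-/tmp}/ssh-agent-env.$$"

# Keep only the two variable assignments from ssh-agent's Bourne-shell
# output, dropping the trailing "export ..." and "echo Agent pid" parts.
agent_env_lines() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^SSH_AUTH_SOCK=\([^;]*\);.*/SSH_AUTH_SOCK=\1/p' \
        -e 's/^SSH_AGENT_PID=\([^;]*\);.*/SSH_AGENT_PID=\1/p'
}

# Extract the agent's PID so the script can terminate it later.
agent_pid_from() {
    agent_env_lines "$1" | sed -n 's/^SSH_AGENT_PID=//p'
}

# Write the auxiliary file with owner-only permissions. The umask is changed
# only inside the subshell, so the caller's umask is untouched.
write_agent_env() {
    ( umask 077; agent_env_lines "$1" > "$2" ) || return 1
    [ -s "$2" ]
}

# Initialization phase: start an agent whose keys expire after 3600 s,
# record its environment, export it, load the keys and arrange cleanup.
start_script_agent() {
    out=$(ssh-agent -s -t 3600) || return 1
    write_agent_env "$out" "$AUXFILE" || return 1
    . "$AUXFILE"
    export SSH_AUTH_SOCK SSH_AGENT_PID
    trap 'kill "$SSH_AGENT_PID" 2>/dev/null; rm -f "$AUXFILE"' EXIT
    ssh-add                 # reads the passphrase once, from the terminal
    ssh-add -l >/dev/null   # status 1: no keys loaded, 2: agent unreachable
}

# The script's own ssh calls then use the agent (not run here):
# start_script_agent && ssh <host> uptime
```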