ssh-agent

We have four servers at work that we use now: prime, hotrod, prowl and wheeljack. My laptop is called stormshadow, and between it and each of the four servers I set up SSH auto-authentication. This is great, but when I log into hotrod and then into prime, prime didn’t use the auto-authentication because it hadn’t been set up to allow hotrod, only stormshadow. To get around this I used a hack from my copy of O’Reilly’s “Linux Server Hacks”.

ssh-agent basically passes the request down the chain until it finds a server that will validate your credentials. So if I go: stormshadow > hotrod > prime then prime asks hotrod, and hotrod says “yo, Matty’s a good guy” and logs me in. Likewise, if I add prowl to the mix, then prowl asks prime, and prime asks hotrod, and hotrod knows that stormshadow is OK, so it passes back up the chain “OK, let him on”.

I had to set up authentication between stormshadow and each of the servers, which is simple enough. Then I used the following in my .bash_profile:

# Reuse the agent recorded in ~/.agent.env if that process is still alive;
# otherwise start a fresh agent, save its environment, and load the keys.
if [ -f ~/.agent.env ] ; then
    . ~/.agent.env > /dev/null
    if ! kill -0 "$SSH_AGENT_PID" > /dev/null 2>&1; then
        echo "Stale agent file found. Spawning new agent... "
        eval "$(ssh-agent | tee ~/.agent.env)"
        ssh-add
    fi
else
    echo "Starting ssh-agent"
    eval "$(ssh-agent | tee ~/.agent.env)"
    ssh-add
fi

This runs the first time I open a shell because I have configured GNOME-terminal to pretend it’s a login shell. This part is important; otherwise your bash startup scripts are not triggered.

Now I can jump from server to server and never enter my password, and it’s no less secure.

Update: 19/09/2005 03:38PM
You also need the following:

mlambie@stormshadow:~$ cat .ssh/config
ForwardAgent yes

This makes it all work nicely.
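As an added example (not code from the original post), the snippet below shows two hardening tweaks to the setup above: checking the agent through its socket with ssh-add rather than with kill -0 on the saved PID, and linting ~/.ssh/config so that ForwardAgent is enabled only for the host you hop through instead of for every host. The host names come from the post; the file paths and the ssh-add exit-code meanings (OpenSSH's: 0 keys loaded, 1 no keys, 2 no agent) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: check the agent through its
# socket instead of its PID, and lint ~/.ssh/config so ForwardAgent is on only
# for the host you hop through (root on any forwarded-to host can use your
# agent while you are logged in). Assumptions: host names and paths are
# illustrative; ssh-add -l exit codes follow OpenSSH (0 keys, 1 none, 2 no agent).

# Map an ssh-add -l exit status to a state name.
agent_state() {
    case "$1" in
        0) echo keys-loaded ;;
        1) echo no-keys ;;
        *) echo unreachable ;;
    esac
}

# For real use: query the agent named by SSH_AUTH_SOCK (not fooled by a recycled PID).
current_agent_state() {
    ssh-add -l >/dev/null 2>&1
    agent_state "$?"
}

# Exit 0 if the ssh_config in $1 turns ForwardAgent on for every host,
# i.e. before any Host block or under "Host *" (plain "Keyword value"
# lines only; the "Keyword=value" spelling is not handled).
forwards_agent_globally() {
    awk '
        BEGIN { host = "*" }
        { key = tolower($1) }
        key == "host"  { host = $2; next }
        key == "match" { host = "match"; next }
        key == "forwardagent" && tolower($2) == "yes" && host == "*" { hit = 1 }
        END { exit !hit }
    ' "$1"
}

# Emit a config that forwards the agent only to the named bastion.
scoped_forward_config() {
    printf 'Host %s\n    ForwardAgent yes\nHost *\n    ForwardAgent no\n' "$1"
}

# Demo on a constructed config like the post's (ForwardAgent for all hosts).
demo_cfg=$(mktemp)
printf 'ForwardAgent yes\n' > "$demo_cfg"
if forwards_agent_globally "$demo_cfg"; then
    echo "agent forwarded to every host; use a scoped config instead:"
    scoped_forward_config hotrod
fi
rm -f "$demo_cfg"
```

With the scoped config in place, the stormshadow > hotrod > prime hop still works because hotrod is the only host that needs the forwarded agent.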

3 Comments so far

  1. Hale on August 12th, 2005

    Bah, this would have come in handy for the entire time I was at UMS…

  2. mlambie on August 12th, 2005

    Always the way…

  3. Philippe on August 20th, 2005

    This is really handy man! thx