ssh-agent is a program that, used together with OpenSSH or similar SSH programs, provides a secure way of storing the private key.
Public-key cryptography plays the central role in logging into a server from a local machine via SSH. The main point is that a key pair is generated, consisting of a private key and a public key. The public key is available to everyone and is often stored on public key servers; any user has access to it, whereas the private key must be kept secret. It is used to decrypt any message encrypted with the public key.
A password-based authentication process (in the common example of OpenSSH) may be vulnerable to brute-force attacks if no mechanism is in place to detect them. To mitigate this weakness, ssh supports public key authentication. In order to log in securely to a remote system via a secure shell, a private key/public key pair is generated. The private key is stored on the local machine. The public key is stored on the target machine in the $HOME/.ssh/authorized_keys file. Public keys are not sensitive information and may be known to anybody, whereas the private key needs to be protected very carefully by a strong passphrase. ssh-agent remembers the decrypted private key so that the user does not need to type the passphrase every time he or she wants to connect or send data to the server.
- ssh-agent is a program that runs as a daemon. You tell it your passphrase once, and it provides the passphrase information to the ssh clients when they are challenged by a server.
- The easiest way to start the agent is during your X server startup:
% ssh-agent xinit
- If you are unable to start the X server yourself (for example, if you use the graphical CDE logins in the CSE labs), the next best option is to invoke the agent when starting your window manager. This is typically done in the .xsession file, but may vary depending on which window environment you use. If you use CTWM as your window manager, you might have a line like this in your .xsession file:
ssh-agent ctwm &
The ssh-agent command creates the daemon and sets some environment variables telling any children how to contact the daemon.
- To enter your passphrase, you need to run ssh-add. If you add the following line to your .xsession or .xinitrc, you can have it pop up a window to type your passphrase into:
ssh-add < /dev/null
If you run ssh-add without the redirect, it will prompt for the passphrase in the terminal window, which is usually not what you want.
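The steps above (start the agent from a login script, export its variables to child processes, load the key with ssh-add, use the pop-up prompt when there is no terminal) collected into one small POSIX sh helper. This is an added example, not code from the original page: it reuses an agent that is already reachable through SSH_AUTH_SOCK instead of starting a second one, bounds how long the decrypted key stays in the agent with ssh-agent's -t option, and provides a way to drop the loaded keys from a screen-lock hook. The default key path $HOME/.ssh/id_ed25519, the 8-hour lifetime and the SSH_KEY_LIFETIME variable are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): helper functions for a login
# script such as .xsession or .profile. Source this file, then call
#   ensure_agent && load_key
# The key path, the SSH_KEY_LIFETIME variable and the 8h default are
# assumptions made for this example.

# Return 0 when $SSH_AUTH_SOCK names an existing socket, 1 otherwise.
# ssh clients find the agent only through this variable, so a stale value
# (e.g. from a previous session) is as useless as no agent at all.
agent_env_ok() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Start ssh-agent if no usable agent is reachable, exporting its variables
# into the current shell so that every child process inherits them.
# Returns 0 if an agent is available afterwards.
ensure_agent() {
    if agent_env_ok; then
        return 0
    fi
    # "ssh-agent -s" prints Bourne-style export lines; "-t" caps how long
    # a decrypted key stays loaded, so an abandoned session expires it.
    eval "$(ssh-agent -s -t "${SSH_KEY_LIFETIME:-8h}")" >/dev/null || return 1
    agent_env_ok
}

# Load one private key into the agent. With a terminal on stdin ssh-add asks
# there; without one it uses the X11 askpass window, which is the effect of
# the "ssh-add < /dev/null" line from the text.
load_key() {
    key="${1:-$HOME/.ssh/id_ed25519}"   # assumed default key path
    [ -r "$key" ] || { echo "no readable key at $key" >&2; return 1; }
    if [ -t 0 ]; then
        ssh-add "$key"
    else
        DISPLAY="${DISPLAY:-:0}" ssh-add "$key" </dev/null
    fi
}

# Remove all loaded keys (for a screen-lock or logout hook) while leaving
# the agent itself running; returns 1 if no agent is reachable.
forget_keys() {
    agent_env_ok && ssh-add -D
}
```

Bounding the lifetime with -t and calling forget_keys from a lock hook limits the window in which anyone who can reach the agent socket (another process of the same user, or root) can use the key; the agent never reveals the private key itself, but while the key is loaded it will sign on behalf of any local client that can connect to the socket.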
- http://en.wikipedia.org/wiki/Openssh
- http://en.wikipedia.org/wiki/Ssh-agent