Passphraseless login using keychain - SSH
-
Passphraseless login using keychain
I am trying to set up passwordless login to a number of servers using OpenSSH
and Keychain. Server 1, humpty, is accessible to me over any internet
connection. Server 2, dumpty, is not. If I want to get into dumpty I have to go
via humpty.
Here's what I've done.
1. Created an RSA key pair using ssh-keygen.
2. Copied id_rsa.pub to ~/.ssh on both humpty and dumpty.
3. Created a symlink from ~/.ssh/authorized_keys2 to id_rsa.pub on each server.
4. Installed keychain on each server.
5. Added these lines to the .bash_profiles
~/keychain-2.6.1/keychain ~/.ssh/id_rsa
[ -f $HOME/.keychain/$HOSTNAME-sh ] && source $HOME/.keychain/$HOSTNAME-sh
and this line to the .bash_logouts
~/keychain-2.6.1/keychain --stop mine
Have I done this right? If so I'm straining to see the advantage ... I am forever
entering my passphrase, which is of course longer than my password! Here's what
happens in an admittedly contrived session (there are other servers that I want
to use this on so that's why I'm tying the connections in knots ... just to test
it out).
* PuTTY from home to humpty: PuTTY asks for passphrase, then humpty asks for it
** ssh into dumpty: dumpty asks for passphrase
*** ssh back to humpty: no passphrase required (hurrah!)
**** exit back to dumpty
*** ssh back to humpty again: humpty asks for passphrase this time (what?!)
**** exit back to dumpty
*** exit back to humpty
** ssh into dumpty again: humpty asks for passphrase, then dumpty asks for it!
*** exit
** exit
* bang head and post to forum for help
Seems a little strange to me.
What does one have to do to achieve password/passphraseless login, or at least
limit it to one passphrase per server?
Thanks.
-
Re: Passphraseless login using keychain
Ellarco sez:
....
> What does one have to do to achieve password/passphraseless login, or at least
> limit it to one passphrase per server?
1. Run ssh-agent and enable ForwardAgent, or
2. do not protect keys with passphrase.
Dima
--
The speed at which a mistyped command executes is directly proportional
to the amount of damage done. -- Joe Zeff
-
Re: Passphraseless login using keychain
Ellarco writes:
>I am trying to set up passwordless login to a number of servers using OpenSSH
>and Keychain. Server 1, humpty, is accessible to me over any internet
>connection. Server 2, dumpty, is not. If I want to get into dumpty I have to go
>via humpty.
>Here's what I've done.
>1. Created an RSA key pair using ssh-keygen.
>2. Copied id_rsa.pub to ~/.ssh on both humpty and dumpty.
>3. Created a symlink from ~/.ssh/authorized_keys2 to id_rsa.pub on each server.
Very bad idea. Just copy the key.
As it is, you will suddenly add another key into authorized_keys and screw
up your RSA key.
>4. Installed keychain on each server.
>5. Added these lines to the .bash_profiles
>~/keychain-2.6.1/keychain ~/.ssh/id_rsa
>[ -f $HOME/.keychain/$HOSTNAME-sh ] && source $HOME/.keychain/$HOSTNAME-sh
>and this line to the .bash_logouts
>~/keychain-2.6.1/keychain --stop mine
>Have I done this right? If so I'm straining to see the advantage ... I am forever
>entering my passphrase, which is of course longer than my password! Here's what
>happens in an admittedly contrived session (there are other servers that I want
>to use this on so that's why I'm tying the connections in knots ... just to test
>it out).
>* PuTTY from home to humpty: PuTTY asks for passphrase, then humpty asks for it
>** ssh into dumpty: dumpty asks for passphrase
>*** ssh back to humpty: no passphrase required (hurrah!)
>**** exit back to dumpty
>*** ssh back to humpty again: humpty asks for passphrase this time (what?!)
>**** exit back to dumpty
>*** exit back to humpty
>** ssh into dumpty again: humpty asks for passphrase, then dumpty asks for it!
>*** exit
>** exit
>* bang head and post to forum for help
>Seems a little strange to me.
>What does one have to do to achieve password/passphraseless login, or at least
>limit it to one passphrase per server?
>Thanks.
-
Re: Passphraseless login using keychain
On 2006-01-08, Ellarco wrote:
[...]
> 3. Created a symlink from ~/.ssh/authorized_keys2 to id_rsa.pub on each server.
Don't do that. If you add to authorized_keys in the future you may have
problems authenticating with the id_rsa key. Just copy it.
Also, authorized_keys2 is deprecated so you should use authorized_keys
instead.
[...]
> What does one have to do to achieve password/passphraseless login, or at least
> limit it to one passphrase per server?
For multi-hop connections (ie A -> B -> C) to use the agent you need to
enable ForwardAgent, which defaults to "no". See ssh_config(5).
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
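The replies so far agree on one point: copy the public key into authorized_keys, never symlink authorized_keys to id_rsa.pub, because the next key you append lands in your public key file. The shell helper below is an added example, not code posted by anyone in this thread. It installs a key the way sshd expects (a copy, appended once, with the directory and file modes that StrictModes checks), refuses to write through a symlink, and includes two check functions. The sample key line is constructed for the example and is not a real key; the directory argument is a stand-in for ~/.ssh so it can be exercised in a temp directory.

```shell
#!/bin/sh
# Added example (not from the thread): install a public key into
# authorized_keys as a copy, never a symlink, with sshd-friendly permissions.
# Assumptions (hypothetical): SAMPLE_PUBKEY is a constructed placeholder,
# and DIR stands in for ~/.ssh so the functions can run against a temp dir.

# Constructed sample public key (placeholder base64, not a usable key).
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample ellarco@home'

# install_pubkey DIR KEYLINE
#   Appends KEYLINE to DIR/authorized_keys unless an identical line is
#   already there, and tightens the modes sshd's StrictModes looks at.
install_pubkey() {
    dir=$1
    key=$2
    file="$dir/authorized_keys"
    mkdir -p "$dir"
    chmod 700 "$dir"
    # A symlink to id_rsa.pub is exactly the setup the thread warns about:
    # appending a second key would corrupt the public key file itself.
    if [ -L "$file" ]; then
        echo "refusing to write: $file is a symlink" >&2
        return 1
    fi
    touch "$file"
    chmod 600 "$file"
    # -F -x: fixed string, whole line, so re-running is a no-op for the same key.
    if ! grep -F -x -q -- "$key" "$file"; then
        printf '%s\n' "$key" >> "$file"
    fi
}

# count_keys DIR : number of key lines (non-comment, non-blank) in authorized_keys.
count_keys() {
    grep -c -v -e '^#' -e '^[[:space:]]*$' "$1/authorized_keys"
}

# check_perms DIR : succeeds when DIR is 700 and authorized_keys is 600,
# which is what sshd with StrictModes (the default) will accept without
# silently ignoring the file. Tries GNU stat first, then BSD stat.
check_perms() {
    dir=$1
    dmode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
    fmode=$(stat -c '%a' "$dir/authorized_keys" 2>/dev/null || stat -f '%Lp' "$dir/authorized_keys")
    [ "$dmode" = "700" ] && [ "$fmode" = "600" ]
}

# demo : runs the helpers in a throwaway directory and reports the result.
demo() {
    t=$(mktemp -d)
    install_pubkey "$t/ssh" "$SAMPLE_PUBKEY"
    install_pubkey "$t/ssh" "$SAMPLE_PUBKEY"   # second call must not duplicate
    echo "keys installed: $(count_keys "$t/ssh")"
    check_perms "$t/ssh" && echo "permissions ok"
    rm -rf "$t"
}

if [ "${1-}" = "demo" ]; then
    demo
fi
```

Run it as `sh install_pubkey.sh demo` to see it in a temp directory, or source it and call `install_pubkey ~/.ssh "$(cat id_rsa.pub)"` on each server. The whole-line match is deliberate: two keys that differ only in the trailing comment are still two lines, which is how sshd treats them as well.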
-
Re: Passphraseless login using keychain
Ellarco wrote:
> I am trying to set up passwordless login to a number of servers using OpenSSH
> and Keychain. Server 1, humpty, is accessible to me over any internet
> connection. Server 2, dumpty, is not. If I want to get into dumpty I have to go
> via humpty.
>
> Heres what Ive done.
>
> 1. Created an RSA key pair using ssh-keygen.
> 2. Copied id_rsa.pub to ~/.ssh on both humpty and dumpty.
> 3. Created a symlink from ~/.ssh/authorized_keys2 to id_rsa.pub on each server.
the instructions are to cat *.pub >> ~/.ssh/authorized_keys2
--
---
Jeff B (remove the No-Spam to reply)
-
Re: Passphraseless login using keychain
Okay. Thanks all. I will remove the symlink. But I still need help with
ForwardAgent ... please.
-
Re: Passphraseless login using keychain
On 2006-01-10, Ellarco wrote:
> Okay. Thanks all. I will remove the symlink. But I still need help with
> ForwardAgent ... please.
You just need to enable it in your ~/.ssh/config or ssh_config eg
Host yourhost
ForwardAgent yes
The ssh_config(5) man page has the details.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
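The two-line config above is the fix for the multi-hop prompts, with one practical caveat: the agent socket is exposed to root on every host you forward it to, so a `Host *` block with `ForwardAgent yes` hands your agent to every machine you ever connect to. The script below is an added example, not code from the thread or from OpenSSH. It writes the recommended layout (forwarding only for the bastion, humpty, off everywhere else) next to the loose variant, and includes a small awk checker that mimics ssh_config's first-match-wins resolution so you can see which hosts actually get forwarding. The hostnames are the thread's; the checker is a simplification (it handles `Host` patterns with `*` only, not `Match`, `!` negation or the `Option=value` spelling).

```shell
#!/bin/sh
# Added example (not from the thread or OpenSSH): scope ForwardAgent to the
# bastion only, plus a checker for ssh_config's first-match-wins rule.
# Assumptions (hypothetical): host names humpty/dumpty from the thread;
# the checker understands "Host" lines with "*" wildcards only.

# write_config FILE : recommended layout. "Host humpty" comes first so it
# wins for humpty; the catch-all "Host *" keeps forwarding off elsewhere.
write_config() {
    cat > "$1" <<'EOF'
# Forward the agent only to the hop we must go through. On that host root
# can use the agent socket, so do not hand it to every server.
Host humpty
    ForwardAgent yes

Host *
    ForwardAgent no
EOF
}

# write_loose_config FILE : the common mistake, forwarding to every host.
write_loose_config() {
    cat > "$1" <<'EOF'
Host *
    ForwardAgent yes
EOF
}

# effective_forward_agent FILE HOST : prints yes/no the way ssh resolves it:
# the first matching Host block that sets ForwardAgent wins; options before
# any Host line are global; if nothing matches, the built-in default is no.
effective_forward_agent() {
    awk -v host="$2" '
        function host_matches(patterns,   n, i, p) {
            n = split(patterns, p)            # default FS: whitespace-separated patterns
            for (i = 1; i <= n; i++)
                if (p[i] == "*" || tolower(p[i]) == tolower(host)) return 1
            return 0
        }
        BEGIN { active = 1 }                  # global section until the first Host line
        /^[ \t]*#/ || NF == 0 { next }        # skip comments and blank lines
        tolower($1) == "host" {
            $1 = ""                           # drop the keyword, keep the pattern list
            active = host_matches($0)
            next
        }
        active && tolower($1) == "forwardagent" { print tolower($2); found = 1; exit }
        END { if (!found) print "no" }
    ' "$1"
}

# demo : shows the difference between the scoped and the loose config.
demo() {
    t=$(mktemp -d)
    write_config "$t/config"
    write_loose_config "$t/loose"
    for h in humpty dumpty; do
        echo "scoped: $h -> $(effective_forward_agent "$t/config" "$h")"
        echo "loose:  $h -> $(effective_forward_agent "$t/loose" "$h")"
    done
    rm -rf "$t"
}

if [ "${1-}" = "demo" ]; then
    demo
fi
```

With the scoped config, the chain in the original post becomes: the agent lives at home (for PuTTY that is Pageant, with agent forwarding enabled in the session settings), humpty sees the forwarded socket because its entry says `ForwardAgent yes`, and the `ssh dumpty` run on humpty authenticates against that socket, so no passphrase is typed on either hop. On current OpenSSH (7.3 and later) `ProxyJump humpty` in the dumpty entry, or `ssh -J humpty dumpty`, reaches dumpty through humpty without forwarding the agent at all, which is the option to prefer when you do not need to run ssh from humpty itself.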
-
Re: Passphraseless login using keychain
Hi, everyone.
I'm trying to use ssh-agent and keychain to solve a synchronization problem between our production servers - S1, S2, and S3 - and our DR servers DR1-3.
here is what I have so far:
I started with server S3, used ssh-keygen to make my key pair, copied the public key over to DR1-3, started keychain on S3, entered the passphrase, and now S3 can connect to DR1-3 without a password as the user we need it to. Great, one down, two more to go...
here's where things get tricky. So, I now want to set up S2 to be able to connect to DR1-3 the same way S3 does. Initially, my thought was, generate a new key pair on S2, copy the public key over to DR1-3, and start keychain on S2, and that would be it. Unfortunately, I still get prompted for my passphrase when I connect to any of the DR boxen.
I even tried to simply copy the keys from S3 over to S2, tweak the hostname in them, and use them that way, and it still doesn't work... I KNOW that the solution to this issue has to be something simple I'm just missing... any help from this august forum would be greatly appreciated.
thanks
--
DreadedAdmin -- BOFH in Training
Evil Overlord Checklist:
100 - Finally, to keep my subjects permanently locked in a mindless trance, I will provide each of them with free unlimited Internet access.