Passphraseless login using keychain - SSH


Thread: Passphraseless login using keychain

  1. Passphraseless login using keychain

    I am trying to set up passwordless login to a number of servers using OpenSSH
    and Keychain. Server 1, humpty, is accessible to me over any internet
    connection. Server 2, dumpty, is not. If I want to get into dumpty I have to go
    via humpty.

    Here's what I've done.

    1. Created an RSA key pair using ssh-keygen.
    2. Copied id_rsa.pub to ~/.ssh on both humpty and dumpty.
    3. Created a symlink from ~/.ssh/authorized_keys2 to id_rsa.pub on each server.
    4. Installed keychain on each server.
    5. Added these lines to the .bash_profiles

    ~/keychain-2.6.1/keychain ~/.ssh/id_rsa
    [ -f $HOME/.keychain/$HOSTNAME-sh ] && source $HOME/.keychain/$HOSTNAME-sh

    and this line to the .bash_logouts

    ~/keychain-2.6.1/keychain --stop mine

    Have I done this right? If so I'm straining to see the advantage ... I am forever
    entering my passphrase, which is of course longer than my password! Here's what
    happens in an admittedly contrived session (there are other servers that I want
    to use this on so that's why I'm tying the connections in knots ... just to test
    it out).

    * PuTTY from home to humpty: PuTTY asks for passphrase, then humpty asks for it
    ** ssh into dumpty: dumpty asks for passphrase
    *** ssh back to humpty: no passphrase required (hurrah!)
    **** exit back to dumpty
    *** ssh back to humpty again: humpty asks for passphrase this time (what?!)
    **** exit back to dumpty
    *** exit back to humpty
    ** ssh into dumpty again: humpty asks for passphrase, then dumpty asks for it!
    *** exit
    ** exit
    * bang head and post to forum for help

    Seems a little strange to me.

    What does one have to do to achieve password/passphraseless login, or at least
    limit it to one passphrase per server?

    Thanks.

  2. Re: Passphraseless login using keychain

    Ellarco sez:
    ....
    > What does one have to do to achieve password/passphraseless login, or at least
    > limit it to one passphrase per server?


    1. Run ssh-agent and enable ForwardAgent, or
    2. do not protect keys with passphrase.

    Dima
    --
    The speed at which a mistyped command executes is directly proportional
    to the amount of damage done. -- Joe Zeff

  3. Re: Passphraseless login using keychain

    Ellarco writes:

    >I am trying to set up passwordless login to a number of servers using OpenSSH
    >and Keychain. Server 1, humpty, is accessible to me over any internet
    >connection. Server 2, dumpty, is not. If I want to get into dumpty I have to go
    >via humpty.


    >Here's what I've done.


    >1. Created an RSA key pair using ssh-keygen.
    >2. Copied id_rsa.pub to ~/.ssh on both humpty and dumpty.
    >3. Created a symlink from ~/.ssh/authorized_keys2 to id_rsa.pub on each server.


    Very bad idea. Just copy the key.

    As it is you will suddenly add another key into authorized_keys and screw
    up your rsa key.

    >4. Installed keychain on each server.
    >5. Added these lines to the .bash_profiles


    >~/keychain-2.6.1/keychain ~/.ssh/id_rsa
    >[ -f $HOME/.keychain/$HOSTNAME-sh ] && source $HOME/.keychain/$HOSTNAME-sh


    >and this line to the .bash_logouts


    >~/keychain-2.6.1/keychain --stop mine


    >Have I done this right? If so I'm straining to see the advantage ... I am forever
    >entering my passphrase, which is of course longer than my password! Here's what
    >happens in an admittedly contrived session (there are other servers that I want
    >to use this on so that's why I'm tying the connections in knots ... just to test
    >it out).


    >* PuTTY from home to humpty: PuTTY asks for passphrase, then humpty asks for it
    >** ssh into dumpty: dumpty asks for passphrase
    >*** ssh back to humpty: no passphrase required (hurrah!)
    >**** exit back to dumpty
    >*** ssh back to humpty again: humpty asks for passphrase this time (what?!)
    >**** exit back to dumpty
    >*** exit back to humpty
    >** ssh into dumpty again: humpty asks for passphrase, then dumpty asks for it!
    >*** exit
    >** exit
    >* bang head and post to forum for help


    >Seems a little strange to me.


    >What does one have to do to achieve password/passphraseless login, or at least
    >limit it to one passphrase per server?


    >Thanks.


  4. Re: Passphraseless login using keychain

    On 2006-01-08, Ellarco wrote:
    [...]
    > 3. Created a symlink from ~/.ssh/authorized_keys2 to id_rsa.pub on each server.


    Don't do that. If you add to authorized_keys in the future you may have
    problems authenticating with the id_rsa key. Just copy it.

    Also, authorized_keys2 is deprecated so you should use authorized_keys
    instead.

    [...]
    > What does one have to do to achieve password/passphraseless login, or at least
    > limit it to one passphrase per server?


    For multi-hop connections (ie A -> B -> C) to use the agent you need to
    enable ForwardAgent, which defaults to "no". See ssh_config(5).

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

  5. Re: Passphraseless login using keychain

    Ellarco wrote:
    > I am trying to set up passwordless login to a number of servers using OpenSSH
    > and Keychain. Server 1, humpty, is accessible to me over any internet
    > connection. Server 2, dumpty, is not. If I want to get into dumpty I have to go
    > via humpty.
    >
    > Here's what I've done.
    >
    > 1. Created an RSA key pair using ssh-keygen.
    > 2. Copied id_rsa.pub to ~/.ssh on both humpty and dumpty.
    > 3. Created a symlink from ~/.ssh/authorized_keys2 to id_rsa.pub on each server.


    the instructions are to cat *.pub >> ~/.ssh/authorized_keys2


    --
    ---
    Jeff B (remove the No-Spam to reply)

  6. Re: Passphraseless login using keychain

    Okay. Thanks all. I will remove the symlink. But I still need help with
    ForwardAgent ... please.

  7. Re: Passphraseless login using keychain

    On 2006-01-10, Ellarco wrote:
    > Okay. Thanks all. I will remove the symlink. But I still need help with
    > ForwardAgent ... please.


    You just need to enable it in your ~/.ssh/config or ssh_config eg

    Host yourhost
    ForwardAgent yes

    The ssh_config(5) man page has the details.

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
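    The key-copy advice (copy into authorized_keys, never symlink) and the per-host ForwardAgent stanza from the replies above, as an added shell example that is not from the thread or from OpenSSH itself. The function names, paths and host names are assumptions, and the ProxyJump alternative goes beyond the thread (it needs OpenSSH 7.3 or newer).

```shell
# Added example, not from the thread. Installs a public key the way the replies
# advise (copy it into authorized_keys, never symlink; not authorized_keys2)
# and emits the per-host ForwardAgent stanza. Function names are assumptions.
set -eu

# $1 = path to id_rsa.pub, $2 = target ~/.ssh directory.
# Prints the number of keys in authorized_keys afterwards.
install_pubkey() {
    pub="$1"; sshdir="$2"; ak="$sshdir/authorized_keys"
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    if [ -L "$ak" ]; then
        # A symlink to id_rsa.pub makes every later append land in the key
        # file itself; replace it with a real file holding the same content.
        cat "$ak" > "$ak.tmp" && rm "$ak" && mv "$ak.tmp" "$ak"
    fi
    touch "$ak"
    key="$(cut -d' ' -f1,2 "$pub")"      # key type and blob, comment dropped
    if ! grep -qF "$key" "$ak"; then
        cat "$pub" >> "$ak"              # i.e. cat *.pub >> authorized_keys
    fi
    chmod 600 "$ak"   # sshd's StrictModes rejects group/world-writable files
    wc -l < "$ak" | tr -d ' '
}

# $1 = jump host (humpty), $2 = inner host (dumpty).
# Forward the agent only to the hop that needs it: while the session is open,
# anyone with root on that hop can use the forwarded agent to sign with your key.
jump_config() {
    printf 'Host %s\n    ForwardAgent yes\n\n' "$1"
    printf 'Host %s\n    ForwardAgent no\n' "$2"
}

# Alternative that goes beyond the thread (OpenSSH 7.3 or newer): ProxyJump
# tunnels the inner connection through the hop so no agent is exposed to it.
proxyjump_config() {
    printf 'Host %s\n    ProxyJump %s\n' "$2" "$1"
}

# Usage (adjust paths): install_pubkey ~/.ssh/id_rsa.pub "$HOME/.ssh"
#                       jump_config humpty dumpty >> ~/.ssh/config
```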

  8. Re: Passphraseless login using keychain

    Hi, everyone.

    I'm trying to use ssh-agent and keychain to solve a synchronization problem between our production servers - S1, S2, and S3 - and our DR servers DR1-3.

    here is what I have so far:

    I started with server S3, used ssh-keygen to make my key pair, copied the public key over to DR1-3, started keychain on S3, entered the passphrase, and now S3 can connect to DR1-3 without a password as the user we need it to. Great, one down, two more to go...

    here's where things get tricky. So, I now want to set up S2 to be able to connect to DR1-3 the same way S3 does. Initially, my thought was, generate a new key pair on S2, copy the public key over to DR1-3, and start keychain on S2, and that would be it. Unfortunately, I still get prompted for my passphrase when I connect to any of the DR boxen.

    I even tried to simply copy the keys from S3 over to S2, tweak the hostname in them, and use them that way, and it still doesn't work... I KNOW that the solution to this issue has to be something simple I'm just missing... any help from this august forum would be greatly appreciated.

    thanks

    --
    DreadedAdmin -- BOFH in Training
    Evil Overlord Checklist:
    100 - Finally, to keep my subjects permanently locked in a mindless trance, I will provide each of them with free unlimited Internet access.
