2

I'm pretty confused about how ssh really works, and I have already asked a couple of questions related to this, but I suspect I'm going in the XY-problem trap.

So, what I want is this. I want to be able to log in to a couple of servers from a client via ssh to run tests on them. It should be done in a way so that I will first log in with user and password, fetch a keyfile, log out and then log in again using the keyfile. I should be able to use the same keyfile to log in to all servers. It is paramount that I do it this way, because I am NOT allowed to save the keyfile on the client. Not even as a temporary file, so I have to save it in RAM somehow. But that's a later (and already solved) problem.

So how should I set this up? Where and how do I generate the keys? How do I distribute them to the other servers? The servers are running CentOS 7. I guess I should download the private key and not public. Is that correct? High security is a concern.

klutt
  • 167
  • 1
  • 8

1 Answer

3

On your workstation:

Start the ssh-agent on your workstation if it is not running already.

Check with ssh-add -L ; the error message Could not open a connection to your authentication agent. means that you need to start the agent:

$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-yE5gDiNI3IqX/agent.13754; export SSH_AUTH_SOCK;
SSH_AGENT_PID=13755; export SSH_AGENT_PID;
echo Agent pid 13755;

And follow the printed instructions and set up your environment:

$ SSH_AUTH_SOCK=/tmp/ssh-yE5gDiNI3IqX/agent.13754; export SSH_AUTH_SOCK;
$ SSH_AGENT_PID=13755; export SSH_AGENT_PID;
$ echo Agent pid 13755;
Agent pid 13755

SSH, with agent forwarding enabled, to the host that (will) contain the (hopefully password protected) private key, logging in with your password:

$ ssh -A host.example.com
user@host.example.com's password:

On the first server

Only once: You need to generate the new keypair; see https://security.stackexchange.com/q/143442/77995

[user@host.example.com ~] $ ssh-keygen ***+options***

Only once (for every server and account): You need to copy the public key of that new keypair from this server and append it to the ~/.ssh/authorized_keys file on the servers you want to access. You can use the ssh-copy-id helper program to do that for you:

[user@host.example.com ~] $ ssh-copy-id localhost

And repeat for every other server, for all accounts that you will want to log in with using that key (if those servers still support password based logins, otherwise you will need to copy the public key in another fashion):

[user@host.example.com ~] $ ssh-copy-id other-user@other-host.example.com

Every time you restart your workstation and the ssh-agent is restarted: add that identity to your keyring

[user@host.example.com ~] $ ssh-add .ssh/id_rsa    # or wherever the private key is stored
Identity added: .ssh/id_rsa (rsa-key-xxx)

and logout:

[user@host.example.com ~]  $ logout

Afterwards:

And when you next log in, ssh from your workstation will use the key stored in the agent for key-based authentication and you won't see a password prompt:

$ ssh host.example.com

HBruijn
  • 77,029
  • 24
  • 135
  • 201
  • 1
    Normally you can just run the `ssh-agent` as an evaluated command: `$ $(ssh-agent)`. The output of the command will be executed, as commands, which this answer says to do in the next step. – bgStack15 May 02 '19 at 17:48
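The script below is an added example and is not part of HBruijn's answer or of OpenSSH's own tooling. It writes out the two parts of that procedure where the details matter: starting an agent only when none is reachable (the `eval` form of the agent bootstrap), and what `ssh-copy-id` does on the receiving account, i.e. appending the public key to `authorized_keys` exactly once while leaving the directory and file modes that `sshd` checks under `StrictModes`. Wrong modes there are the usual reason a freshly copied key is ignored and the server falls back to a password prompt. The function names, the throwaway home directory and the sample key line are this example's own; the key is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not code from the original answer): agent bootstrap plus an
# idempotent, permission-correct authorized_keys install, run offline against
# a throwaway home directory. Function names are this example's own.
set -eu

# Start ssh-agent only if no agent is reachable on SSH_AUTH_SOCK.
# ssh-add -L exits 0 (keys listed) or 1 (agent present, no keys) when an agent
# answers, and 2 when it cannot connect; only the last case needs a new agent.
ensure_agent() {
    if ssh-add -L >/dev/null 2>&1 || [ "$?" -eq 1 ]; then
        return 0
    fi
    # eval imports SSH_AUTH_SOCK and SSH_AGENT_PID into this shell, which is
    # what the answer's copy-and-paste of the printed lines achieves by hand.
    eval "$(ssh-agent -s)" >/dev/null
}

# Append PUBKEY to HOMEDIR/.ssh/authorized_keys exactly once, leaving the
# modes sshd's StrictModes expects: 700 on .ssh and 600 on authorized_keys.
install_authorized_key() {
    homedir=$1
    pubkey=$2
    sshdir="$homedir/.ssh"
    authfile="$sshdir/authorized_keys"
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authfile"
    chmod 600 "$authfile"
    # -x -F: whole-line, literal match, so re-running never duplicates the key
    if ! grep -qxF "$pubkey" "$authfile"; then
        printf '%s\n' "$pubkey" >> "$authfile"
    fi
}

# Number of key lines currently installed for HOMEDIR.
count_authorized_keys() {
    wc -l < "$1/.ssh/authorized_keys" | tr -d ' '
}

# Octal mode of a path (GNU stat first, BSD/macOS stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Constructed sample public key line in ed25519 format (not a real key).
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEexampleEXAMPLEexampleEXAMPLEexampleEXAMPLE user@host.example.com'

# Offline demonstration against a throwaway home directory, removed on exit.
DEMO_HOME=$(mktemp -d)
trap 'rm -rf "$DEMO_HOME"' EXIT
install_authorized_key "$DEMO_HOME" "$SAMPLE_PUBKEY"
install_authorized_key "$DEMO_HOME" "$SAMPLE_PUBKEY"   # second run is a no-op
echo "installed keys: $(count_authorized_keys "$DEMO_HOME")"   # 1
echo "modes: $(mode_of "$DEMO_HOME/.ssh") $(mode_of "$DEMO_HOME/.ssh/authorized_keys")"   # 700 600
```

On a real server the install step would be `install_authorized_key "$HOME" "$(cat /path/to/key.pub)"` for each account that should accept the key, which is the same append that `ssh-copy-id` performs over a password login. When a key-based login unexpectedly still asks for a password, the two modes printed above are the first thing to compare against the target account.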