[Courses] [Security] Ssh-agent (was: Terri's Laptop netstat)
Raven, corporate courtesan
raven at oneeyedcrow.net
Fri Mar 8 16:31:12 EST 2002
Heya --
Quoth Amanda Babcock (Fri, Mar 08, 2002 at 08:48:35AM -0500):
> Typing the same private key over and over can be annoying, so ssh-agent is
> a good, secure way to store and serve the key. It can only be accessed from
> processes spawned from under ssh-agent, which is why one might run, for
> example, "ssh-agent startx" (because then anything in that x-session will
> have access to the ssh agent). You add the key by typing "ssh-add" from one
> of the child processes (such as an X window in an X session started from
> ssh-agent), and from then on any ssh connections you make using public key
> encryption from a child process of the ssh-agent can use that key.
>
> When you log out of X, that particular ssh-agent will terminate and your
> stored keys will be disposed of safely.
Exactly. It's probably automatically invoked for you by your
.xsession, .xinitrc, or some similar startup thingy. It's a great
program to use if you're doing automated backups or something using ssh
and public key authentication. You still have a password protecting
your key, but that password isn't stored in any easily thievable file on
the server, just in a chunk of memory. (Yes, you can grab that memory
and get the password anyhow, but that's a lot harder to do.)
The downside to this is that every time you reboot the computer
(or log out of X, if you used ssh-agent in the above way) someone will
have to manually enter in the key passphrases that you want ssh-agent to
be able to access. But considering how often most Unix servers get
rebooted (and how rarely many users log out of X), this isn't a huge
problem for most people. Still a time-saver.
I eventually want to have a discussion of all the cool things
you can do with ssh, too. Most people only use it for one thing, and
while it's a great secure telnet replacement, there are so many more cool
things you can do with it. Sometime after firewalls, I suspect.
Also (for those of you that like offline resources), the
O'Reilly ssh book "SSH: The Definitive Guide" with the snail on the
cover, is fabulous. I use it at least a few times a week, even after
having read it cover to cover. I often find myself reading tech books
and sputtering, "But... but... that's not how it really works! Oooh,
that's so misleading!". That didn't happen to me once when reading this
book. Every time I had a reservation, the next paragraph addressed
whatever it was. Psychic tech writers. [grin] It may just be that the
writers think like me, and that's why I love the book. But it's good
nonetheless.
Cheers,
Raven-ssh
"Sed, sed, awk. Like duck, duck, goose. Sync, sync, halt. It's the
order of nature."
-- me, after too long a day at work
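As an added example (not part of this thread, and not code from the O'Reilly book), the following shell script walks through the model Amanda describes above: an agent started around a child command, a key loaded with ssh-add from inside that process tree, a process outside the tree finding nothing, and the agent killed at "logout". It assumes the OpenSSH client tools (ssh-agent, ssh-add, ssh-keygen) are on PATH; the temporary key, its passphrase "demo-passphrase", and the SSH_ASKPASS helper are constructed purely so the demo runs unattended.

```sh
#!/bin/sh
# Added example, not part of the original thread: exercise the ssh-agent model
# described above from a script. Assumes OpenSSH client tools (ssh-agent,
# ssh-add, ssh-keygen) on PATH; the key path and passphrase are made up for
# the demo and the askpass helper exists only so the demo runs unattended.

# Can the calling process reach an agent? ssh-agent advertises itself solely
# through SSH_AUTH_SOCK, which only its child processes inherit.
agent_reachable() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Number of keys held by the agent reachable from this process (0 if none).
# ssh-add -l exits non-zero when there is no agent or no identities.
agent_key_count() {
    if agent_reachable && out=$(ssh-add -l 2>/dev/null); then
        printf '%s\n' "$out" | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# One agent lifecycle: generate a passphrase-protected demo key, start an
# agent around a child shell, ssh-add the key there, show that a process
# outside the agent's process tree sees nothing, then kill the agent the way
# an .xsession does on logout. Prints a one-line summary.
agent_demo() {
    tmp=$(mktemp -d) || return 1
    # constructed demo key; a real one would live in ~/.ssh
    ssh-keygen -q -t ed25519 -N 'demo-passphrase' -f "$tmp/id_demo" -C demo \
        </dev/null || { rm -rf "$tmp"; return 1; }
    # SSH_ASKPASS helper: ssh-add runs it when stdin is not a tty and DISPLAY
    # is set. Interactively you would just type the passphrase once instead.
    printf '#!/bin/sh\necho demo-passphrase\n' >"$tmp/askpass"
    chmod 700 "$tmp/askpass"

    # Outside any agent: nothing to reach.
    before=$(unset SSH_AUTH_SOCK; agent_key_count)

    # "ssh-agent <command>" is the same pattern as "ssh-agent startx": the
    # command runs with SSH_AUTH_SOCK and SSH_AGENT_PID set, so every process
    # it spawns can use the agent.
    inside=$(ssh-agent sh -c '
        DISPLAY=:0 SSH_ASKPASS="$1" ssh-add "$2" </dev/null 2>/dev/null
        n=$(ssh-add -l 2>/dev/null | wc -l | tr -d " ")
        # a sibling that did not inherit the variable cannot find the agent
        sib=$(unset SSH_AUTH_SOCK; ssh-add -l 2>/dev/null | wc -l | tr -d " ")
        sock=$SSH_AUTH_SOCK
        ssh-agent -k >/dev/null 2>&1   # SIGTERM via SSH_AGENT_PID; keys in memory are gone
        i=0
        while [ -S "$sock" ] && [ "$i" -lt 3 ]; do sleep 1; i=$((i + 1)); done
        if [ -S "$sock" ]; then gone=no; else gone=yes; fi
        echo "$n $sib $gone"
    ' sh "$tmp/askpass" "$tmp/id_demo")
    rm -rf "$tmp"

    loaded=${inside%% *}
    rest=${inside#* }
    sibling=${rest%% *}
    gone=${rest#* }
    echo "before=$before inside=$loaded sibling=$sibling socket_gone=$gone"
}

agent_demo || echo "demo skipped: OpenSSH client tools not found" >&2
```

Run it with "sh agent_demo.sh"; with the tools present it prints "before=0 inside=1 sibling=0 socket_gone=yes". The sibling check is the point of the thread: a process that never inherited SSH_AUTH_SOCK has no route to the agent, and once ssh-agent -k has run, neither does anything else.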