Tags

, , ,

SSH is an encryption tool that allows you to connect to machines using an authenticated and encrypted connection. With an SSH agent, your authentication (and keys) can be “carried” from one system to the next. You load all of your keys on your local system into the agent, then connect to a remote system with the agent. Even though none of your keys are present on the remote system, they all exist and can be used to authenticate to another system.

This capability that the SSH agent gives you is very useful: you can keep all of your keys on a laptop or other personal system and only keep public keys on remote systems.

Running the agent is as simple as:

eval ssh-agent

This will load all keys that the agent can find (keys in your .ssh directory). You can add specific keys with:

ssh-add mykey

Replace mykey with your specific key name. If there is a password on the key, you only have to enter it once – at the very beginning.

Once the agent is configured, you can connect to a remote system with:

ssh -A host

The -A option tells SSH to use “Agent Forwarding” which is what allows us to take our keys “with” us from one host to the next.

Here is the really nice part: once you’ve connected to the place where your GNU screen sessions are located, copy the value of the SSH_AUTH_SOCK variable:

# set | grep SSH
SSH_AUTH_SOCK=/tmp/ssh-ttQal19039/agent.19039
SSH_CLIENT='192.168.6.181 42243 22'
SSH_CONNECTION='192.168.6.181 42243 192.168.6.161 22'
SSH_TTY=/dev/pts/1

Take the value of SSH_AUTH_SOCK and input it into GNU screen:

:setenv SSH_AUTH_SOCK /tmp/ssh-ttQal19039/agent.19039

After this command is executed, start new sessions to your remote hosts. For the local host, it may be easiest just to restart the session – but you could also just set the variable SSH_AUTH_SOCK in your shell – such as this command for the Korn shell:

export SSH_AUTH_SOCK=/tmp/ssh-ttQal19039/agent.19039

To verify that the agent now works, use the command

ssh-add -l

. You should see all of your keys; if instead you see

Could not open a connection to your authentication agent.

then you should check the setting of SSH_AUTH_SOCK.

With SSH agents, agent forwarding, and GNU screen, you will find your authentication difficulties eased considerably.

UPDATE: Added information about not always having to restart screen sessions.