The ssh-agent program is an authentication agent that handles passwords for SSH private keys. Use ssh-add to add the keys to the list maintained by ssh-agent. After you add a private key password to ssh-agent, you do not need to enter it each time you connect to a remote host with your public key.
Enter your user account password for that SSH server when prompted. You can now authenticate to your server with the key pair, but at the moment you would need to enter the passphrase every time you connect. (Optional) Set up ssh-agent to store the keys to avoid having to re-enter the passphrase at every login. You can try adding this:

eval $(ssh-agent -s)
ssh-add ~/.ssh/id_rsa

This way ssh-agent does not start a new shell; it just launches itself in the background and prints the shell commands that set the appropriate environment variables. As said in the comment, maybe you do not want to run the agent at all on the remote host, but rather on the box you are working from, and use:

if [ -z "$SSH_AUTH_SOCK" ]; then
    eval `ssh-agent -s`
    ssh-add
fi

Now the passphrase must be entered upon every login. While slightly better from a usability perspective, this has the drawback that ssh-agent prompts for the passphrase regardless of whether the key is going to be used during the login session.
Generating authentication key pairs
Use the ssh-keygen command to generate authentication key pairs as described below. Provide a passphrase, for example “password”, when creating the key pairs.
Copy the public key to the remote host
1. Copy the public key to ~/.ssh/authorized_keys on the remote system.
2. Now try logging into the machine with “ssh root@192.168.12.10” and check the .ssh/authorized_keys file to make sure no extra keys were added that you weren’t expecting.
Add private key password to ssh-agent
1. To add the private key password to ssh-agent, enter the following command:
2. The next step is to use the ssh-add command to add the key.
3. The “ssh-add -l” command lists fingerprints of all identities currently represented by the agent.
4. You can try logging in to the remote system without a password now.
In this example, the passphrase is remembered for only the current login session and is forgotten when you log out.
I run the dev channel of ChromeOS. This crashes occasionally. While my Chrome tabs are generally recovered, it also resets the Crostini containers. Every time this happens, I have to launch 1Password (the Android app), unlock it, search for my SSH key, copy the password and finally paste it in the terminal. This was starting to get old.
A couple of days ago I spent about an hour short-circuiting this. I’ve set things up so that ssh-agent directly asks for my 1Password master password, uses it to unlock the vault, grabs the SSH key password and adds the identity to ssh-agent! Read on to know how it works!
I want to call out that this kind of tinkering is only possible because unix tools are customizable and 1Password publishes the full details of its opvault file format. Keep supporting these kinds of companies!
We need a couple of things for this setup to work.
- Some way to convince ssh-agent to use this mechanism instead of the default password prompt.
- Some way to get the SSH key password from 1Password, given the master password.
Customizing ssh-add
While part 2 is the slightly harder part, it is worth spending a few minutes figuring out if 1 is even possible. I certainly am not feeling up to actually hacking on the SSH code. So let’s look at the ssh-add man page:
OK, seems like this is possible. It isn’t clear yet how the entered password is read from ssh-askpass. More mansplaining:
Very unix-y. The program just needs to write the password to stdout. OK. Let’s come back to this once we have a script doing exactly that.
Extracting passwords from 1Password
The opvault file format is open and well documented. This means we don’t have to figure out some complicated IPC scheme or do any reverse-engineering. There are already libraries out there that support parsing these files. While writing one in Rust would be the cool thing to do, I’m trying not to fall too deep into the XKCD trap. I picked the opvault python package. I did a quick read of the code to make sure this wasn’t secretly uploading all my passwords to the Internet. I also used virtualenv and some extra customizations to not pollute my system python, but I’m going to elide that. The code presented here assumes your system python has opvault installed. Remember, the script also needs to be executable.
This is a fairly simple script. It hard-codes the location of my vault and the title under which my key is stored in 1Password (one less thing to worry about passing around on the command line). It uses the getpass module to retrieve my password in the unix style, without echoing it on screen. We load the vault, load all the items and retrieve the details. Then we print the SSH key password!
Plugging this into ssh-add
This may vary slightly based on how you’ve set up ssh-add to execute at startup. I use zprezto, and I have the ssh module enabled. I elected to put the customization in my .zshrc, right before initializing zprezto.
I’m not entirely happy with this, but it will do for now. First, it changes these variables at the zprezto level, instead of just at the module level. This means other modules and zsh setup can be influenced by this. However, putting these lines right before loading ssh did not seem to work and I don’t care enough. Second, I’m not resetting the variables properly; they now end up as empty strings instead of being unset if they were not set before. Again, I don’t care.
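As an added example (not the post’s own code), here is a POSIX-sh version of the wiring described above: it runs ssh-add with SSH_ASKPASS pointing at the helper, sets DISPLAY and SSH_ASKPASS_REQUIRE so that ssh-add actually calls it, and afterwards restores all three variables to their previous state, including unset, which is the second complaint above. The helper path in ASKPASS_HELPER is an assumed placeholder.

```shell
# Added example, not the post's own code. Runs ssh-add through an
# SSH_ASKPASS helper and then restores the environment exactly, including
# variables that were unset beforehand.
#
# ssh-add only calls SSH_ASKPASS when its stdin is not a terminal and
# DISPLAY is set; OpenSSH 8.4+ also honours SSH_ASKPASS_REQUIRE=force.
# The helper receives the prompt text as $1 and must print the secret to
# stdout, which is the contract the post's opvault script fulfils.

# Assumed placeholder path for the helper script; adjust to your own.
ASKPASS_HELPER="${ASKPASS_HELPER:-$HOME/bin/op-askpass}"

# Snapshot a variable: prints "set:<value>" if it is set, "" if unset.
save_var() {
    eval "printf '%s' \"\${$1+set:}\${$1-}\""
}

# Restore a variable from a save_var snapshot (unset it, or export the old value).
restore_var() {
    case "$2" in
        "")    unset "$1" ;;
        set:*) export "$1=${2#set:}" ;;
    esac
}

# Run a command (default: ssh-add) with the askpass environment in place,
# then put SSH_ASKPASS, DISPLAY and SSH_ASKPASS_REQUIRE back as they were.
run_with_askpass() {
    _s_askpass=$(save_var SSH_ASKPASS)
    _s_display=$(save_var DISPLAY)
    _s_require=$(save_var SSH_ASKPASS_REQUIRE)
    export SSH_ASKPASS="$ASKPASS_HELPER"
    export DISPLAY="${DISPLAY:-:0}"   # any value works; ssh-add only checks it is set
    export SSH_ASKPASS_REQUIRE=force
    [ "$#" -gt 0 ] || set -- ssh-add
    _rc=0
    "$@" </dev/null || _rc=$?         # no tty on stdin, so ssh-add takes the askpass path
    restore_var SSH_ASKPASS "$_s_askpass"
    restore_var DISPLAY "$_s_display"
    restore_var SSH_ASKPASS_REQUIRE "$_s_require"
    return "$_rc"
}
```

Calling run_with_askpass with no arguments from .zshrc adds the default identities through the helper; passing another command runs that instead with the same environment handling.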
That’s it! Use ssh-add -d to disassociate the existing identity, then start a shell to see if this works, as I did several times while figuring this out.
A note on the vault storage.
This deals only with local vaults. If you use the 1Password web service, I’d be happy to know how you would hook that up. If you use Dropbox to sync your 1Password vaults, the easiest way to get this to work is by installing Dropbox on your Linux machine and just syncing the files. I thought this was a lot of resource use just to access this SSH key. In particular, the SSH key password is never going to change, so the syncing aspect is not very useful. Instead, I just downloaded a current version of the opvault file (which is actually a directory). I also pruned the contents to leave only the profile and the band with the SSH key on disk, as those are the only pieces required.