1 Introduction

Entering a passphrase every time you connect would be painful, but this isn't necessary if you have an agent which decrypts the private key and keeps it in memory.

Furthermore: using an agent, you can access across multiple ssh hops without having to copy your key or enter your passphrase anywhere.

1.1 Notes

• Commands preceded with "$" imply that you should execute the command as a general user - not as root.
• Commands preceded with "#" imply that you should be working as root.
• Commands with more specific prompts (e.g. "hostX:~$") imply that you are executing commands on some other device.

Choose the version of the exercises depending on what OS you are running on your laptop.

2 For laptops running Windows and putty

2.1 Use a passphrase agent

Run pageant.exe

It runs in the background, and adds an icon to your task tray (a PC with a black hat at a jaunty angle). You may need to select "Show hidden icons" to see it.

Right-click on the icon, and select "Add Key". Browse to your id_rsa.ppk and open it. You will be prompted for the passphrase - enter it. (If you make a mistake, you'll be prompted again until you get it right)

Now run putty.exe again, enter your hostname, click Open, and enter your username (sysadm). You should be logged in immediately, with no prompt for either a password or a passphrase!

Try logging in again. Also try using psftp.exe (when it runs, enter "open hostN.ws.nsrc.org" to start a connection). No passphrase is needed until you tell Pageant to forget the private key, or you reboot.

2.2 Agent forwarding

If you enable "agent forwarding" when you login to host X, you can then login from X to Y without any prompting (assuming Y has your public key in authorized_keys). The request to authenticate is forwarded securely back along your original ssh session to the agent running on your workstation.

To do this exercise, you will need at least two hosts which you can already ssh into using your public key. Change hostX and hostY below to the real hostnames.

Check that you can log in from your laptop to hostX and from your laptop to hostY.

What happens if you first log in to hostX, and then at the hostX command line you type the following:

hostX:~$ ssh hostY

Are you able to log in? You shouldn't (unless you used your password).

Now disconnect from hostX. Start putty.exe again. Enter the hostname as usual, but before clicking Open, browse in the left hand column to Connection > SSH > Auth

    [-] Connection
         |
        [-] SSH
         |  |- Keyex
         |  |- Auth    <--- CLICK HERE

Under the right hand side, check:

               [X] Allow agent forwarding

and continue to login as normal. At the hostX prompt, try again to login to hostY:

hostX:~$ ssh hostY

Was it any different this time? If you cannot login to hostY this way, please speak to your instructors.

There are some putty screenshots for agent forwarding here

Putty allows you to save your settings for connecting to particular hosts, so that you don't have to remember to apply this setting every time.

3 For laptops running Linux (or BSD or OSX)

3.1 Use a passphrase agent

If you are running under a modern graphical environment like Gnome, you probably already got a dialog box prompting you for a passphrase, and this means you're already running an agent. You should be able to logout and login to the remote server, without being prompted for your passphrase again.

To see what identities (decrypted private keys) your agent has in memory:

$ ssh-add -l

To forget all identities:

$ ssh-add -d

If you don't have an agent, then you can start a new subshell with ssh-agent as its parent:

$ ssh-agent bash
$ ssh-add
 ... prompted for your passphrase
$ 

Now the agent will handle future connections for you.

If you are running an older graphical environment, and you normally start X using startx, then start it using ssh-agent startx instead. Then type 'ssh-add' in an xterm.

3.2 Agent forwarding

If you enable "agent forwarding" when you login to host X, you can then login from X to Y without any prompting (assuming Y has your public key in authorized_keys). The request to authenticate is forwarded securely back along your original ssh session to the agent running on your workstation.

To do this exercise, you will need at least two hosts which you can already ssh into using your public key. Change hostX and hostY below to the real hostnames.

Check that you can log in from your laptop to hostX and from your laptop to hostY.

What happens if you first log in to hostX:

laptop:~$ ssh sysadm@hostX
hostX:~ $

and then at the hostX command line you ssh to hostY:

hostX:~$ ssh hostY

Are you able to log in? You shouldn't (unless you used your password).

Now go back to your laptop and login again, this time with the -A flag

laptop:~$ ssh -A sysadm@hostX
hostX:~$ ssh hostY

Was it any different this time? If you cannot login to hostY this way, please speak to your instructors.

If you do this frequently, it's easier to configure it in ~/.ssh/hosts

host hostX
hostname hostX.ws.nsrc.org
user sysadm
ForwardAgent yes

Then you only have to type ssh hostX to get a connection with those options.

3.3 Port forwarding (optional)

If you have spare time, you can try "port forwarding". This will accept a TCP connection on a local port on your laptop, forward the connection along the encrypted SSH session, and then at the remote host open a new TCP connection to the chosen destination host and port.

$ ssh -L8080:some.where:80 user@remote.host
... while ssh connection is open, a connection to 127.0.0.1 port 8080
... will be tunneled, and the far end will open a connection to
... some.where port 80

$ ssh -X user@remote.host
...
$ xclock   # graphical output redirected back through ssh tunnel