SSH authentication agent

Introduction

Entering a passphrase every time you connect would be painful, but this isn’t necessary if you have an agent which decrypts the private key and keeps it in memory.

Furthermore, with an agent you can authenticate across multiple ssh hops without copying your private key anywhere or entering your passphrase more than once.

Notes

Choose the version of the exercises depending on what OS you are running on your laptop.

For laptops running Windows and putty

Use a passphrase agent

Run pageant.exe

It runs in the background, and adds an icon to your task tray (a PC with a black hat at a jaunty angle). You may need to select “Show hidden icons” to see it.

Right-click on the icon, and select “Add Key”. Browse to your id_rsa.ppk and open it. You will be prompted for the passphrase - enter it. (If you make a mistake, you’ll be prompted again until you get it right)

Now run putty.exe again, enter your hostname, click Open, and enter your username (sysadm). You should be logged in immediately, with no prompt for either a password or a passphrase!

Try logging in again. Also try using psftp.exe (when it runs, enter “open 100.68.X.130” or “open srv1.campusX.ws.nsrc.org” to start a connection). No passphrase is needed until you tell Pageant to forget the private key, or you reboot.

Agent forwarding

If you enable “agent forwarding” when you login to host X, you can then login from X to Y without any prompting (assuming Y has your public key in authorized_keys). The request to authenticate is forwarded securely back along your original ssh session to the agent running on your workstation.

To do this exercise, we will use the classroom NOC server as a “jump host” to get into the campus srv1 (pretend that srv1 doesn’t allow direct access from the outside world).

Check that you can log in using ssh from your laptop to “noc.ws.nsrc.org” as the user “sysadm” (the password is the same). You can use password authentication here.

What happens when you are logged into the noc, and then at the noc command line you try to login to your campus srv1?

sysadm@noc:~$ ssh sysadm@100.68.X.130

You shouldn’t be able to login if password authentication was disabled (and if you could login, it would have been with your password, not your private key).

Now disconnect from the noc. Start putty.exe again. Enter the hostname “noc.ws.nsrc.org” as before, but before clicking Open, browse in the left hand column to Connection > SSH > Auth

    [-] Connection
         |
        [-] SSH
         |  |- Keyex
         |  |- Auth    <--- CLICK HERE

On the right-hand side, check:

               [X] Allow agent forwarding

and continue to login as normal. At the noc prompt, try again to login to your campus srv1:

sysadm@noc:~$ ssh sysadm@100.68.X.130

Was it any different this time? If you cannot login to srv1 this way using your private key, please speak to your instructors.

There are some putty screenshots for agent forwarding here

Putty allows you to save your settings for connecting to particular hosts, so that you don’t have to remember to apply this setting every time.

For laptops running Linux (or BSD or macOS)

Use a passphrase agent

If you are running under a modern graphical environment like Gnome, you probably already got a dialog box prompting you for a passphrase, and this means you’re already running an agent. You should be able to logout and login to the remote server, without being prompted for your passphrase again.

To see what identities (decrypted private keys) your agent has in memory:

$ ssh-add -l

To forget all identities (note the capital -D; lowercase -d removes only the single identity you name):

$ ssh-add -D

If you don’t have an agent, then you can start a new subshell with ssh-agent as its parent:

$ ssh-agent bash
$ ssh-add
 ... prompted for your passphrase
$ 

Now the agent will handle future connections for you.

If you are running an older graphical environment, and you normally start X using startx, then start it using ssh-agent startx instead. Then type ‘ssh-add’ in an xterm.
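The steps above (start an agent, add the key, check what it holds, wipe it) as one small helper script; this is an added example, not part of the NSRC exercise. It assumes the private key is ~/.ssh/id_rsa (a hypothetical path, adjust to your own) and uses the exit status of ssh-add -l to decide what is missing.

```shell
#!/bin/sh
# Added example, not part of the NSRC exercise: make sure an agent is
# running and holds your identity before you start hopping via the noc.
# Assumption: the private key is ~/.ssh/id_rsa (hypothetical path; adjust).
KEY="${HOME}/.ssh/id_rsa"

# ssh-add -l exits 0 when identities are loaded, 1 when the agent is
# reachable but holds none, and 2 when no agent can be contacted.
classify_ssh_add_rc() {
    case "$1" in
        0)   echo "loaded" ;;
        1)   echo "empty" ;;
        2)   echo "no-agent" ;;
        127) echo "ssh-add-not-installed" ;;
        *)   echo "unknown" ;;
    esac
}

agent_status() {
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    classify_ssh_add_rc "$rc"
}

# Source this file (". ./agent.sh") so the SSH_AUTH_SOCK exported by
# ssh-agent survives in your interactive shell.
ensure_agent() {
    state=$(agent_status)
    if [ "$state" = "no-agent" ]; then
        # -s prints Bourne-style "export" lines; eval them into this shell.
        eval "$(ssh-agent -s)" >/dev/null
        state=$(agent_status)
    fi
    if [ "$state" = "empty" ]; then
        # Prompts for the passphrase once; the decrypted key then lives
        # only in the agent's memory, never on disk.
        ssh-add "$KEY" && state=$(agent_status)
    fi
    echo "$state"
}

# To wipe every identity from the agent (for example before leaving the
# laptop unattended): ssh-add -D
```

After `. ./agent.sh && ensure_agent`, `ssh-add -l` should list your key and the ssh hops below will use it without prompting.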

Agent forwarding

If you enable “agent forwarding” when you login to host X, you can then login from X to Y without any prompting (assuming Y has your public key in authorized_keys). The request to authenticate is forwarded securely back along your original ssh session to the agent running on your workstation.

To do this exercise, we will use the classroom NOC server as a “jump host” to get into the campus srv1 (pretend that srv1 doesn’t allow direct access from the outside world).

Check that you can log in using ssh from your laptop to “noc.ws.nsrc.org” as the user “sysadm” (the password is the same). You can use password authentication here.

What happens when you are logged into the noc, and then at the noc command line you try to login to your campus srv1?

laptop:~$ ssh sysadm@noc.ws.nsrc.org
...
sysadm@noc:~$ ssh sysadm@100.68.X.130

Are you able to log in? You shouldn’t be, if password authentication was disabled (and if you could login, it would have been with your password, not your private key).

Now disconnect from the noc, so you are back at your laptop’s command line prompt. Login to the noc again, this time with the -A flag:

laptop:~$ ssh -A sysadm@noc.ws.nsrc.org
...
sysadm@noc:~$ ssh sysadm@100.68.X.130

Was it any different this time? If you cannot login to srv1 this way using your private key, please speak to your instructors.

If you do this frequently, it’s easier to configure it in ~/.ssh/config:

Host noc
    HostName noc.ws.nsrc.org
    User sysadm
    ForwardAgent yes

Then you only have to type ssh noc to get a connection with those options.
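While a forwarded session is open, anyone with root on the jump host can use (though not copy) the keys in your agent, so ForwardAgent belongs only on the noc entry, not on every host. The snippet below, an added example and not part of the NSRC exercise, writes such a scoped config and shows the first-match rule that makes the order of the blocks matter; ssh_option_for is a simplified stand-in for `ssh -G` that handles exact aliases and "*" only.

```shell
#!/bin/sh
# Added example, not part of the NSRC exercise. ssh uses the FIRST value it
# finds for an option, so "Host noc" must come before the catch-all "Host *".

write_scoped_config() {   # $1 = path of the config file to write
    cat > "$1" <<'EOF'
Host noc
    HostName noc.ws.nsrc.org
    User sysadm
    ForwardAgent yes

Host *
    ForwardAgent no
EOF
}

# Simplified first-match lookup (exact host alias or "*" only; real ssh also
# supports patterns). On a real system compare with: ssh -G noc | grep -i forwardagent
ssh_option_for() {        # $1 = config file, $2 = host alias, $3 = option name
    awk -v host="$2" -v opt="$3" '
        tolower($1) == "host" { in_block = ($2 == host || $2 == "*"); next }
        in_block && tolower($1) == tolower(opt) { print $2; exit }
    ' "$1"
}

demo() {
    tmp=$(mktemp)
    write_scoped_config "$tmp"
    printf 'noc:  ForwardAgent %s\n' "$(ssh_option_for "$tmp" noc ForwardAgent)"   # yes
    printf 'srv1: ForwardAgent %s\n' "$(ssh_option_for "$tmp" srv1 ForwardAgent)"  # no
    rm -f "$tmp"
}
```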

Port forwarding (optional - Linux/BSD/macOS users)

If you have spare time, you can try “port forwarding”. This will accept a TCP connection on a local port on your laptop, forward the connection along the encrypted SSH session, and then at the remote host open a new TCP connection to the chosen destination host and port.

$ ssh -L8080:srv1.campusX.ws.nsrc.org:80 sysadm@noc.ws.nsrc.org

Then, while the ssh connection is open, point your browser to http://localhost:8080/. The connection will be sent over the SSH connection to the NOC, and from there will open a new TCP connection to srv1.

The same feature is available within putty but requires clicking the correct buttons.

For Linux/BSD/macOS users, you can also forward X11 graphical windows (macOS will require XQuartz to be installed) with the -X flag.

$ ssh -X sysadm@noc.ws.nsrc.org
...
$ xclock   # graphical output redirected back through ssh tunnel