Friday, April 26, 2019

ssh-agent load only once with ssh-ident, ssh-add, ssh-keygen, eval `ssh-agent`



    Installation
    ============
    
    All you need to run ssh-ident is a standard installation of python >= 2.6;
    python 3 is supported as well.
    
    If your system has wget and you are impatient to use it, you can install
    ssh-ident with two simple commands:
    
       mkdir -p ~/bin; wget -O ~/bin/ssh goo.gl/MoJuKB; chmod 0755 ~/bin/ssh
    
       echo 'export PATH=~/bin:$PATH' >> ~/.bashrc
    
    Logout, login, and done. SSH should now invoke ssh-ident instead of the
    standard ssh.
The problem with ssh-agent, which ssh-ident above solves:

Configuring all of this on your machine

So, let's summarize the steps:
  1. Generate a set of keys, with ssh-keygen.
  2. Install your keys on remote servers, with ssh-copy-id.
  3. Start an ssh-agent to use on your machine, with eval ssh-agent.
  4. ssh-add your key, type your password once.
  5. Profit! You can now ssh to any host that has your public key without having to enter a password, and use ssh -A to forward your agent.
Easy, isn't it? Where people generally have problems is on how and where to start the ssh-agent, and when and how to start ssh-add.
The long running advice has been to start ssh-agent from your .bashrc, and run ssh-add similarly.
In today's world, most distributions (including Debian and derivatives), just start an ssh-agent when you first login. So, you really don't have anything to do, except run ssh-add when you need your keys loaded, and be done with it.
Still many people have snippets to the extent of:
if [ -z "$SSH_AUTH_SOCK" ] ; then
    eval `ssh-agent`
    ssh-add
fi
in their .bashrc, which basically says "is there an ssh-agent already running? no? start one, and add my keys".
This is still very annoying: for each console or each session you log into, you end up with a new ssh-agent. Worse: this agent will run forever with your private keys loaded, even long after you logged out. Nothing and nobody will ever kill your agent.
So, your three-line .bashrc snippet soon becomes 10 lines (to cache agents on disk), then it breaks the first time you use NFS or any other technology to share your home directory, and then... more lines to load only some keys, some magic in .bash_logout to kill your agent, and your 4 lines of simple .bashrc get out of control.
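As an added example (not from this post and not ssh-ident's own code), here is what the "cache the agent on disk" variant looks like once it is done carefully: one agent per user is reused across shells, a dead agent is detected before it is trusted, the cached variables are parsed rather than eval'ed, and keys expire. The cache path $HOME/.ssh/agent.env and the 4-hour lifetime are assumptions of this example.

```shell
#!/bin/sh
# Added example: reuse a single ssh-agent per user instead of starting one
# per .bashrc. Assumes the agent's variables are cached in $AGENT_ENV (a
# path chosen here, not an ssh-ident convention) and keys expire after 4h.

AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# Extract SSH_AUTH_SOCK / SSH_AGENT_PID from a file in `ssh-agent -s` format.
# Parsing with sed instead of `eval`-ing the file means a tampered cache
# cannot run arbitrary commands in every new shell you open.
agent_env_sock() { sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p' "$1"; }
agent_env_pid()  { sed -n 's/^SSH_AGENT_PID=\([0-9]*\);.*/\1/p' "$1"; }

# Returns 0 only if the cached file points at an existing agent socket
# whose recorded pid is still alive; anything else means "start a new one".
agent_env_is_live() {
    f="$1"
    [ -r "$f" ] || return 1
    sock=$(agent_env_sock "$f")
    pid=$(agent_env_pid "$f")
    [ -n "$sock" ] && [ -n "$pid" ] || return 1
    [ -S "$sock" ] || return 1            # socket vanished: agent is gone
    kill -0 "$pid" 2>/dev/null || return 1
    return 0
}

# Reuse the cached agent if it is alive; otherwise start exactly one new
# agent whose keys expire after 4h (ssh-agent -t) and cache its variables
# in a mode-0600 file so other local users cannot learn the socket path.
start_or_reuse_agent() {
    if ! agent_env_is_live "$AGENT_ENV"; then
        mkdir -p "$(dirname "$AGENT_ENV")"
        (umask 077; ssh-agent -s -t 4h > "$AGENT_ENV") || return 1
        agent_env_is_live "$AGENT_ENV" || return 1
    fi
    SSH_AUTH_SOCK=$(agent_env_sock "$AGENT_ENV"); export SSH_AUTH_SOCK
    SSH_AGENT_PID=$(agent_env_pid "$AGENT_ENV");  export SSH_AGENT_PID
}

# In .bashrc: call start_or_reuse_agent, then run `ssh-add -t 4h` only when
# `ssh-add -l` reports that no identities are loaded yet.
```

Because the agent itself enforces the key lifetime, a forgotten agent no longer holds usable private keys long after you logged out.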
