Getting technical with SSH

Ok, it’s time to start adding technical notes to my website before I forget how to do it. With everyone using SSH (Secure Shell) as a standard method of communicating between hosts, it’s always useful to avoid entering a password every time you want to log in. Now, I still use CDE at work but I want to be able to SSH between hosts without entering a password.

Ok, let’s generate a key pair protected by a passphrase:

[andharr@sr1-egmp-01:~]$ ssh-keygen -b 2048 -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/andharr/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/andharr/.ssh/id_rsa.
Your public key has been saved in /home/andharr/.ssh/id_rsa.pub.
The key fingerprint is:
1b:73:fc:02:2f:9b:fe:c6:99:13:a3:23:e4:e1:9a:a1 andharr@sr1-egmp-01

Let’s register the key with ssh-agent:

[andharr@sr1-egmp-01:~]$ ssh-add
Enter passphrase for /home/andharr/.ssh/id_rsa:
Identity added: /home/andharr/.ssh/id_rsa (/home/andharr/.ssh/id_rsa)

[andharr@sr1-egmp-01:~]$ ssh-add -l
2048 1b:73:fc:02:2f:9b:fe:c6:99:13:a3:23:e4:e1:9a:a1 /home/andharr/.ssh/id_rsa (RSA)

Let’s copy our public key into the authorized_keys file (in my home .ssh directory) and make sure it’s got the right file permissions:

[andharr@sr1-egmp-01:~]$ cat /home/andharr/.ssh/id_rsa.pub >> /home/andharr/.ssh/authorized_keys

[andharr@sr1-egmp-01:~]$ chmod 600 /home/andharr/.ssh/authorized_keys
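The permission requirements behind that chmod, as an added example that is not part of the original post: a small POSIX shell audit of the .ssh directory, authorized_keys and the private key. The function names and the WRITABLE/EXPOSED output labels are made up for this illustration.

```shell
#!/bin/sh
# Added example: audit the permissions that key-based login depends on.
# Function names and output labels are hypothetical; the directory
# argument defaults to the ~/.ssh layout used on this page.

# Print the 10-character mode string from ls, e.g. "-rw-------".
perm_bits() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# True if group (char 6) or other (char 9) has write permission.
writable_by_others() {
    bits=$(perm_bits "$1")
    [ "$(printf '%s' "$bits" | cut -c6)" = "w" ] ||
        [ "$(printf '%s' "$bits" | cut -c9)" = "w" ]
}

# True if group or other has any permission at all (chars 5-10).
accessible_by_others() {
    bits=$(perm_bits "$1")
    [ "$(printf '%s' "$bits" | cut -c5-10)" != "------" ]
}

# Print one line per finding; return 0 when clean, 1 otherwise.
audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    rc=0
    [ -d "$dir" ] || { echo "MISSING $dir"; return 1; }
    # sshd's StrictModes check refuses authorized_keys when the file or
    # its directory can be written by anyone but the owner.
    for p in "$dir" "$dir/authorized_keys"; do
        [ -e "$p" ] || continue
        if writable_by_others "$p"; then
            echo "WRITABLE $p $(perm_bits "$p")"
            rc=1
        fi
    done
    # ssh refuses a private key that group or other can access.
    if [ -e "$dir/id_rsa" ] && accessible_by_others "$dir/id_rsa"; then
        echo "EXPOSED $dir/id_rsa $(perm_bits "$dir/id_rsa")"
        rc=1
    fi
    return $rc
}
```

Source the file and run `audit_ssh_dir /home/andharr/.ssh`; no output and a zero exit status mean the modes are acceptable.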

In .dtprofile we need to make sure that dtsession is started under ssh-agent, so that all subsequent sessions inherit the running agent:

### Errors in .dtprofile or .profile (.login) may prevent a successful
### login. If so, log in via the Fail-safe session and correct the error.
###
#if [ "$SSH_AUTH_SOCK" = "" -a -x /usr/bin/ssh-agent ]; then
#    eval `/usr/bin/ssh-agent`
#fi

# Start the CDE session as a child of ssh-agent when a key exists
if [ -f "$HOME/.ssh/id_rsa" -a -x /usr/bin/ssh-agent ]; then
    dtstart_session[0]="/usr/bin/ssh-agent /usr/dt/bin/dtsession"

    ### We could always start up gnome or even enlightenment using this method (if we were unable to modify the server's window manager choices)
    #dtstart_session[0]="/usr/bin/ssh-agent /usr/bin/gnome-session"
    #dtstart_session[0]="/usr/bin/ssh-agent /home/andharr/e17/bin/enlightenment"
fi

Now, we should be able to add the following to $HOME/.dt/sessions/sessionetc

# Let’s fire up a window to enter my keypass
if [ -f /usr/bin/ssh-add ]; then
    /usr/bin/ssh-add < /dev/null &
fi

However, due to changes from Solaris 9 to Solaris 10, we then hit bug 6192335 – “askpass client for ssh-add missing”, so we have to work around it by using our own ssh-askpass, which I’ve nabbed from here.

So we’ll have to amend sessionetc

# Let’s fire up a window to enter my keypass
if [ -f /usr/bin/ssh-add ]; then
    # With stdin redirected from /dev/null, ssh-add asks for the passphrase via $SSH_ASKPASS
    export SSH_ASKPASS="/home/andharr/bin/x11-ssh-askpass"
    /usr/bin/ssh-add < /dev/null &
fi

We also need to add the following to $HOME/.dt/sessions/sessionexit

# Kill the agent started for this session
if [ "$SSH_AGENT_PID" != "" -a -x /usr/bin/ssh-agent ]; then
    /usr/bin/ssh-agent -k
fi

So at least when I log into my CDE session I’ll be prompted for my passphrase, the key will get registered with ssh-agent, and I’ll be able to ssh to any system (which uses my home directory on the same nameservice).

Useful links

https://www.sshkeychain.org/mirrors/SSH-with-Keys-HOWTO/SSH-with-Keys-HOWTO-4.html
https://docs.sun.com/app/docs/doc/816-4557/6maosrjjh