I know ssh-keygen it can create a public and private key inside ~/.ssh by default as id_rsa and id_rsa.pub
eg:
ssh-keygen
Later on we add the id_rsa.pub to the known_hosts of the server, so that we can do
ssh user#hostname.com
But I see we use ssh-add to pass private key so that we can login without the need of password
Eg:
ssh-add <(echo "$SSH_PRIVATE_KEY")
for this we need to start ssh-agent
eval $(ssh-agent -s)
and then
ssh user#hostname.com
Assuming there is already ~/.ssh/id_rsa. So here how does ssh know which private key it has to use
ssh, if it finds a value for SSH_AUTH_SOCK in the environment, will ask that agent for all private keys and try them one by one, unless you tell it which specific key to use via the -i command-line option or the IdentitiyFile configuration option.
The main benefit of ssh-agent is that it can hold unencrypted keys in memory, so that you only need to use the key's passphrase once, when it is added to the agent, rather than every time ssh tries to use the key.
(The other benefit is that if you have multiple ssh connections in a chain, you can keep the private keys in an agent on the first machine. The ssh client can forward the agent connection to the remote machine, where ssh clients can access the agent to use keys for the next step in the chain.)
Related
I have already copied an SSH key to a server with ssh-copy-id -i ~/.ssh/skynet_key.pub.
Now I am building the gitlab-ci pipeline and have generated an new SSH key pair on my computer. I saved the private key as a variable in my gitlab project account.
Now I want to upload the new public key to the server.
My question is can I do this again from my local computer with ssh-copy-id?
Because I already have an SSH key pair distributed on both systems.
Would there be any problems here?
If so, how can I transfer the public key to the server?
Manually add the pubKey to authorized_keys?
As mentioned here, you can use the -o option (passed to SSH) to specify an existing key, in order to copy your second key:
ssh-copy-id -i ~/.ssh/<your-new-id-to-install> \
-o 'IdentityFile ~/.ssh/<your-already-existing-id>' \
<servername>`
I'm using Yubikey 5 NFC and want to move my openssh key into it so that I can authenticate for ssh login via this Yubikey.
Maybe you will suggest to generate a new gpg keypair for Yubikey and use the gpg-agent instead of ssh-agent to authenticate. But I still want to move my current ssh private key into Yubikey because this way I don't have to edit authorized_keys everywhere.
I tried to do this following this article:
https://www.mvps.net/docs/how-to-add-your-existing-ssh-key-to-yubikey-via-openpgp/
which suggest to use pem2openpgp from monkeysphere to translate my ssh key into gpg key and somehow write this translated gpg key into Yubikey (via keytocard command of gpg).
But after all these done. I find that the fingerprint of my ssh key is changed, this is confirmed by following command:
$ ssh-keygen -lf ~/.ssh/id_rsa.pub
$ ssh-add -l
And the fact that the fingerprint changed makes using my current ssh key meaningless -- I still need to edit authorized_keys everywhere to make the "new public key" work.
So is there any other way which can write my old ssh key into Yubikey and keep the old key's fingerprint?
I'm learning Ansible, in a setup document : http://docs.ansible.com/intro_getting_started.html
It says if I don't want to enter password every time, I can do :
$ ssh-agent bash
$ ssh-add ~/.ssh/id_rsa
I did it, but how come I still have to enter password every time ?
Then it says "you may wish to use Ansible’s --private-key option", but I can't find any document on that. Whay's that for and how to do it ?
I'm not sure about Ansible, but I know a bit about how ssh keys work
When you generate a new SSH key with the ssh-keygen command (which by default goes to the ~/.ssh/id_rsa file), it asks you to put in a passphrase(password)
Whenever you use that key, it will ask you for that passphrase.
If you create a new key with
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): /home/YOUR_USERNAME/.ssh/id_rsa_nopass
Enter passphrase (empty for no passphrase): [just press enter, don't type anything]
Enter same passphrase again: [just press enter again]
This will create both an id_rsa_nopass private key file, and an id_rsa_nopass.pub public key file in the directory you chose (/home/user/.ssh)
You should then be able to use the following command, assuming ansible is set up to use your ssh keys correctly
$ ssh-add ~/.ssh/id_rsa_nopass
NOTE: Using an ssh key without a passphrase can be dangerous, as anybody can access your device and connect without knowing your password. If you don't mind this, then a no-passphrase ssh key is a good way to avoid typing a password everyone
edit: Just looked into Ansible a bit, it's basic setup is just to run a command on an ssh server, right?
In which case, you may need to add your public key to whichever server you are connecting to, this can usually be done via the command
ssh-copy-id -i /path/to/your/public/key/file yourname#yourserver.com -p your_server's_ssh_port
For example, to authorize the id_rsa_nopass key from earlier to the account foobar on the server example.org, with ssh port 10022 you would do
ssh-copy-id -i ~/.ssh/id_rsa_nopass.pub foobar#example.org -p 10022
This will prompt you for the password to foobar#example.org, upon filling in the password it will authorize that public key to connect to that server, and since id_rsa_nopass has no passphrase, you should now be able to connect without any password prompt
I am trying to write a script that makes use of {ssh,gpg}-agents effortless (like keychain, but I discovered it too late). This script will be run in a sensitive environment, so I set a timeout in order to remove the keys from the agent after some time.
I managed to write the spawn/reuse part but now, I want ssh-add to be called automatically when the user is opening a ssh connection if the agent has no proper key.
Is there any way to make ssh-agent call ssh-add on failure or something better ?
What I am doing (assuming the key has a distinctive name)
I have a script in ~/bin/ (which is in my PATH)
!/bin/bash
if ! ssh-add -l | grep -q nameOfmyKey
then
ssh-add -t 2h ~/path-to-mykeys/nameOfmyKey.key
fi
ssh myuser#myserver.example.net
ssh -l lists all keys currently active in the agent.
The parameter -t ensures that the key is enabled for a restricted time only.
On Ubuntu 14.04 I have a private key in:
~/.ssh/id_rsa
I have installed the public key on the server I wish to connect to and indeed when I run the following, I do connect as expected:
ssh me#my-server-ip.com
I then deleted the private key on the client but running the above command still connects me. This leads me to believe that the SSH binary is running in some kind of daemon mode wherein it is caching the private key in memory? Is that correct? Short of a reboot, how do I 'flush' SSH to stop using the private key. Thanks
Run the following command after removing ~/.ssh/id_rsa
ssh-add -D
This commando removes all cached ssh identities from the ssh-agent.
If you type ssh me#my-server-ip.com now, the password prompt will show.
You can check with ssh-add -L what identities the ssh-agent has cached.
I know I'm a little late to this party, but for the enlightenment of others...
It sounds like you have your private SSH key (identity) cached in ssh-agent. Now it is worth noting that ssh-agent does not retain the key cache over a reboot or logout/login cycle, although some systems depending on configuration may add your key during either of those processes. However, in your instance, a reboot or possibly a logout/login cycle would remove the private key from the agent's cache. This is because you have already removed the ~/.ssh/id_rsa file and it therefore cannot be re-initialized into the agent.
For everyone else who may not have yet deleted their ~/.ssh/id_rsa file(s) or if you don't want to reboot or logout/in right now the following should prove useful.
First, you will want to remove any ~user/.ssh/id_rsa files which you wish to no longer be cached by ssh-agent.
Next, verify that there are, in fact, identities still being held open in 'ssh-agent' by running the following command:
ssh-add -L
This will list the public key parameters of all identities that the agent has actively cached. (Note: ssh-add -l will instead list the fingerprints of all keys/identities that are actively cached.) For each that you would like to remove you should run the following:
ssh-add -d /path/to/matching/public/key/file
If you just want to clear out ALL keys/identities from the agent then run this instead:
ssh-add -D
At this point, the key(s) desired to be removed will be no longer accessible to the agent and with the actual identity file removed, there shouldn't' be any way possible for an attempted remote SSH connection with that user to connect without using a different authorization method if configured/allowed.