SSH
ssh-agent is a helper program for SSH key management. During SSH authentication it holds your decrypted private keys in memory and answers signing requests from SSH clients, so you can authenticate without typing your passphrase for every connection.
Here's a more detailed explanation:
What is SSH?
SSH is a protocol for logging into remote systems securely over untrusted networks. It encrypts the connection between the SSH client (the user's machine) and the SSH server (the remote host). Public-key cryptography is used to authenticate the server (its host key) and, optionally, the user; a key exchange such as Diffie-Hellman derives the session keys that encrypt the traffic.
SSH Authentication Process
- Key Generation: You generate a pair of cryptographic keys, a public key and a private key.
- Key Deployment: You copy your public key to the remote host's authorized keys list while keeping the private key secure on your local machine.
- Authentication: When logging in, the client proves possession of the private key by signing a message that includes the session identifier; the server verifies the signature against the public key in its authorized keys list. The private key itself is never sent over the connection.
SSH Agent
The problem with the above process is that if your private key is encrypted with a passphrase (which it should be, so that a copied key file is useless on its own), you must enter that passphrase every time the key is used. This becomes tedious if you SSH into servers often. Enter ssh-agent, a key manager that:
- Holds private keys in memory, decrypted, for the lifetime of the agent process (typically your login session).
- Answers signing requests from SSH clients with the loaded keys; the private key material itself never leaves the agent.
- Eliminates the need to repeatedly enter passphrases during a session.
When you start a session, you add private keys to the agent with ssh-add. If a key is passphrase-protected, you enter the passphrase once:
$ ssh-add ~/.ssh/id_rsa
SSH clients find the agent through the SSH_AUTH_SOCK environment variable, which points at the agent's Unix socket, and ask it to sign on their behalf when connecting to a remote server.
SSH Agent Forwarding
Agent forwarding (ssh -A, or ForwardAgent yes in ssh_config) lets the SSH client on the server you are logged into reach your local agent, so you can hop from that server to another without placing your keys on the intermediate host. This is convenient but risky if used carelessly.
- Security Implication: While you are connected, anyone with root (or your user ID) on the intermediate server can talk to the forwarded agent socket and sign with your keys, which means logging in anywhere those keys are trusted. Forward only to hosts you trust; for hopping through a bastion prefer ProxyJump (ssh -J), which never exposes the agent to the bastion; and consider ssh-add -c so that each use of a key must be confirmed on your own machine.
- Life Span: Keys live only inside the agent process. They do not survive a reboot and must be re-added, and ssh-add -t limits how long a key stays loaded.
ssh-agent is usually started automatically by the system or by the desktop login session, but it can also be started manually with the ssh-agent command. The eval is needed because ssh-agent prints the shell assignments for SSH_AUTH_SOCK and SSH_AGENT_PID that clients rely on:
$ eval $(ssh-agent -s)
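As an added example (not from the original page), here is a small POSIX shell helper that does what the eval line above does, but keeps one agent per login session and reuses it from later shells instead of starting a new agent in every terminal. It also shows what ssh-agent -s actually emits, which is the text the eval consumes. The env file path, the 4-hour lifetime and the function names are assumptions made here, not SSH defaults.

```shell
#!/bin/sh
# Added example, not from the original page: one agent per login session,
# reused by later shells, with keys loaded for a limited time.
# Assumptions: the agent's variables are kept in $HOME/.ssh/agent.env and
# keys expire after 4 hours; both are choices made here, not OpenSSH defaults.

AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# `ssh-agent -s` prints lines like
#   SSH_AUTH_SOCK=/tmp/ssh-XXXX/agent.123; export SSH_AUTH_SOCK;
#   SSH_AGENT_PID=124; export SSH_AGENT_PID;
#   echo Agent pid 124;
# `eval $(ssh-agent -s)` simply runs that text. These two filters pull the
# values out of such output (read from stdin) without evaluating anything.
agent_sock_from_output() {
    sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p'
}

agent_pid_from_output() {
    sed -n 's/^SSH_AGENT_PID=\([^;]*\);.*/\1/p'
}

# Return codes mirror `ssh-add -l`: 0 keys loaded, 1 agent running but empty,
# 2 agent unreachable (also returned when SSH_AUTH_SOCK is unset or not a socket).
agent_state() {
    [ -S "${SSH_AUTH_SOCK:-}" ] || return 2
    ssh-add -l >/dev/null 2>&1
}

# Start a fresh agent only when no usable one is reachable; otherwise reuse
# the one recorded in the env file. Source this file so the exports land in
# your interactive shell.
ensure_agent() {
    if [ -r "$AGENT_ENV" ]; then
        . "$AGENT_ENV" >/dev/null
    fi
    rc=0
    agent_state || rc=$?
    if [ "$rc" -eq 2 ]; then
        umask 077                      # env file names the socket; keep it private
        ssh-agent -s > "$AGENT_ENV"
        . "$AGENT_ENV" >/dev/null
    fi
}

# Load a key with a lifetime (-t) and, when an askpass program is configured,
# per-use confirmation (-c), so a forwarded agent cannot sign silently.
load_key() {
    key="${1:-$HOME/.ssh/id_ed25519}"
    if [ -n "${SSH_ASKPASS:-}" ]; then
        ssh-add -c -t 4h "$key"
    else
        ssh-add -t 4h "$key"
    fi
}
```

Usage from a login shell: `. ./agent-session.sh && ensure_agent && load_key` (the file name is also an assumption). The confirmation prompt from -c needs SSH_ASKPASS to be set, which is why the helper only passes -c when it is.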
Examples
Generate a key for GitHub
Generating a new SSH key pair. Prefer Ed25519 keys: they are short, fast to generate and verify, and do not require you to pick a safe key size the way RSA does. Fall back to RSA only for a target that does not support Ed25519.
# Git identity (set once per machine; unrelated to the key itself)
git config --global user.name "Your Username"
git config --global user.email "Your Email"
cd ~/.ssh
# Check whether any keys exist already
ls -l
# This creates id_ed25519 (the private key, keep it here) and id_ed25519.pub (the public key you hand out) in ~/.ssh
ssh-keygen -t ed25519 -C "email@example.com"
#Generating public/private ed25519 key pair.
#Enter file in which to save the key (/Users/QbsuranAlang/.ssh/id_ed25519): (press Return, or type a name for this key)
#Enter passphrase (empty for no passphrase): (press Return for none; set one if a copied key file should be useless on its own, ssh-agent will cache it for you)
#Enter same passphrase again: (press Return)
Adding ssh keys for single sign-on
# Copy your public SSH key to the clipboard (use pbcopy on macOS)
xclip -sel clip < ~/.ssh/id_ed25519.pub
# On the host server, paste it as one line into ~/.ssh/authorized_keys
# (for GitHub, paste it into the SSH keys page of your account settings instead)
vi ~/.ssh/authorized_keys
# sshd ignores the file if it or ~/.ssh is writable by others: keep ~/.ssh at 700 and authorized_keys at 600
# ssh-copy-id user@host does the paste and the permission fixing for you
# ========== If you have multiple ssh keys in ~/.ssh ===================
# A key with a non-default file name is not tried automatically; add it to the agent
# (or set IdentityFile for the host in ~/.ssh/config)
ssh-add ~/.ssh/id_ed25519
ssh-add adds private key identities (the standard files in ~/.ssh by default, or the file you name) to the authentication agent (ssh-agent), so the agent handles authentication for you and you don't have to type passphrases at the terminal.
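As an added example (not from the original page), the "edit authorized_keys" step above done safely in POSIX shell: the pasted line is validated, appended only once, and the permissions sshd's StrictModes expects are set, which is what ssh-copy-id does for you. The sample key and the function names are constructed here for illustration; the key's 32 bytes are all zero, so it is not a usable key.

```shell
#!/bin/sh
# Added example, not from the original page: install a public key into
# authorized_keys with validation and the permissions sshd requires.
# SAMPLE_PUBKEY is constructed for this example: a correctly framed ed25519
# blob (length-prefixed type, length-prefixed 32-byte key) whose key bytes are
# all zero, so it can never authenticate anyone.

SAMPLE_PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA constructed@example"

# A line is "<type> <base64 blob> [comment]". The blob begins with a
# length-prefixed copy of the type string, so a mismatch between the declared
# and embedded type means the line was mangled or mislabelled while pasting.
validate_pubkey_line() {
    line="$1"
    set -- $line
    [ $# -ge 2 ] || return 1
    ktype="$1"
    blob="$2"
    case "$ktype" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
        *) return 1 ;;
    esac
    printf '%s' "$blob" | grep -Eq '^[A-Za-z0-9+/]+=*$' || return 1
    # decoded bytes 5..(4+len) hold the type string; 4 bytes of length come first
    embedded=$(printf '%s' "$blob" | base64 -d 2>/dev/null | head -c $((4 + ${#ktype})) | tail -c "${#ktype}")
    [ "$embedded" = "$ktype" ]
}

# add_authorized_key <ssh dir> <key line>: idempotent append, permissions fixed.
# sshd (StrictModes yes, the default) refuses keys when the directory or file
# is writable by anyone but the owner, hence 700 and 600.
add_authorized_key() {
    sshdir="$1"
    line="$2"
    validate_pubkey_line "$line" || { echo "rejected malformed key line" >&2; return 1; }
    umask 077
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$sshdir/authorized_keys"
    chmod 600 "$sshdir/authorized_keys"
    if ! grep -qxF -- "$line" "$sshdir/authorized_keys"; then
        printf '%s\n' "$line" >> "$sshdir/authorized_keys"
    fi
}
```

Typical use on the server: `add_authorized_key "$HOME/.ssh" "$(cat /tmp/pasted.pub)"`. Running it twice with the same key leaves a single line, which is the behaviour you want from a provisioning script.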