unfolding disasters/ posts/ Secure Shell

If you want to get anything done on a remote host, you use SSH.

Password-less SSH

Since I use SSH a lot, I've gone through the minimal effort required to setup password-less SSH between the computers on which I have accounts. Note that you should only keep private keys on computers that you trust (i.e. computers where you are the only admin).

I don't end up typing these commands very often, so I've created a set of three simple scripts (ssh-key.sh, ssh-remote.sh, and ssh-prime.sh), since ssh-<TAB> is easier to remember than the commands themselves. With the scripts in your path, run:

$ ssh-key.sh

to generate a SSH private/public keypair. Then run:

$ ssh-remote.sh me@remote.edu

to configure your remote.edu account to allow passwordless logins from your new key. After each login, run:

$ ssh-prime.sh

and enter your passphrase to start the SSH agent, and tell your shell about the agent with:

$ . /tmp/$(whoami)/.ssh/.ssh-agent-info-$(hostname)

I usually prime the SSH agent right after I log in (before running screen or startx) to that new terminals come up knowing about the agent. You can also add something like:

SSH_INFO_FILE="/tmp/$(whoami)/.ssh/.ssh-agent-info-$(hostname)"
if [ -f "$SSH_INFO_FILE" ]; then
    . "$SSH_INFO_FILE"
fi

to your ~/.bashrc (or equivalent shell initialization file), after which spawning shells will automatically pick up SSH agent information.

Grabbing a ssh-agent by process ID

If you clobber your ssh-agent environment somehow (or you want to “borrow” another user's agent to show them the security risks of running an agent on a computer that they don't own), ssh-agent-grab.sh will show you how to setup your environment:

$ ps -ef ssh-agent
...
jdoe     11862     1  0 Nov18 ?        00:00:01 ssh-agent
...
$ ssh-agent-grab.sh 4580
export SSH_AUTH_SOCK=/tmp/ssh-oTZLe11861/agent.11861
export SSH_AGENT_PID=11862
$ export SSH_AUTH_SOCK=/tmp/ssh-oTZLe11861/agent.11861
$ export SSH_AGENT_PID=11862
$ ssh jdoe@elsewhere

mxconns

mxconns is a simple X monitor and proxy that I use to accept remote X connections when running MPE on my cluster. The mxconns post has more details if you're interested.

Credits

This sort of thing is the subject of innumerable websites, but due to the fluid nature of the web, they tend to disappear over time. Thanks to Ted Dustman (at the University of Utah in 2007) for his post (now missing). Still available related posts: