Protecting the ssh key with a passphrase is a good idea: if the key is stolen, the attacker has to overcome a second obstacle. It is also very cumbersome to type the passphrase every time we connect to a server. For this we have ssh-agent, which asks for the passphrase once and keeps the unlocked key in memory for later connections. This way the key stays protected and our work as sysadmin remains just as agile.
To start ssh-agent at X startup, it is as simple as running eval ssh-agent and ssh-add before starting the window manager. Depending on the Unix system we use, the details differ slightly.
FreeBSD:
vi .xinitrc
setxkbmap es
xrdb .Xresources
xbindkeys &
shutter --min_at_startup &
killall ssh-agent
export SSH_ASKPASS=/usr/local/bin/x11-ssh-askpass
eval `ssh-agent -s`
ssh-add &
exec ck-launch-session dbus-launch --sh-syntax --exit-with-session awesome
Linux:
vi .xinitrc
setxkbmap es
xrdb /home/kr0m/.Xresources
eval `/usr/bin/ssh-agent`
/usr/bin/ssh-add < /dev/null
exec dbus-launch --sh-syntax --exit-with-session awesome
Shell configuration:
A shell configuration is required as shown below, so that new terminals find the agent started from .xinitrc:
#
# ssh-agent configuration
#
# Only pick up an agent owned by the current user, and only the newest one,
# so that several agents (or other users' agents) do not break the variables
if [ -n "$(pgrep -u "$USER" ssh-agent)" ]; then
export SSH_AGENT_PID=$(pgrep -u "$USER" -n ssh-agent)
export SSH_AUTH_SOCK=$(find /tmp/ssh-* -user "$USER" -name 'agent.*' 2>/dev/null | head -n 1)
fi
Startup from a greeter:
If we start the X session from a greeter such as GDM, we should start ssh-agent from the window manager, Awesome in my case:
vi .config/awesome/rc.lua
awful.spawn.with_shell("~/.scripts/ssh-init.sh")
vi ~/.scripts/ssh-init.sh
#!/usr/bin/env bash
# Reuse the agent if the session already has one, otherwise start it
if [ -z "$SSH_AUTH_SOCK" ]; then
eval "$(ssh-agent -s)"
fi
# ssh-add needs DISPLAY and SSH_ASKPASS to pop up the passphrase dialog
export DISPLAY=:0
export SSH_ASKPASS=ssh-askpass
ssh-add ~/.ssh/id_rsa < /dev/null
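The shell configuration and the ssh-init.sh script above both have to answer the same question: is there already a usable agent for this user, or must one be started? The following script is an added example (not code from the original post) that answers it by asking the agent itself through the exit code of `ssh-add -l` rather than guessing with pgrep and find, saves the agent environment in a file so later shells reuse it, and loads the key with a bounded lifetime. The env file path ~/.ssh/agent.env and the one hour default lifetime are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post: reuse the current user's
# running ssh-agent instead of guessing with pgrep/find, start one only
# when none is reachable, and load the key with a bounded lifetime.
# Assumption: the env file ~/.ssh/agent.env is this example's own choice.

AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# `ssh-add -l` reports on the agent behind $SSH_AUTH_SOCK via its exit code:
#   0 = reachable with keys, 1 = reachable but empty, 2 = not reachable.
agent_state() {
    ssh-add -l >/dev/null 2>&1
    echo $?
}

# True when $SSH_AUTH_SOCK points at a live agent, loaded or not.
agent_alive() {
    [ -n "$SSH_AUTH_SOCK" ] || return 1
    s=$(agent_state)
    [ "$s" -eq 0 ] || [ "$s" -eq 1 ]
}

# Reuse the agent from the environment, then from the saved env file,
# and only then start a new one. The env file is written with mode 0600
# so other local users cannot read the socket path and PID from it.
ensure_agent() {
    agent_alive && return 0
    if [ -r "$AGENT_ENV" ]; then
        . "$AGENT_ENV" >/dev/null
        agent_alive && return 0
    fi
    ( umask 077; ssh-agent -s > "$AGENT_ENV" ) || return 1
    . "$AGENT_ENV" >/dev/null
    agent_alive
}

# Add the key only if the agent is still empty, and let it expire after
# LIFETIME seconds (default 1 hour) so a hijacked session or a forwarded
# agent is useful only for that window.
load_key() {
    key="$1"
    lifetime="${2:-3600}"
    ensure_agent || return 1
    [ "$(agent_state)" -eq 1 ] || return 0
    ssh-add -t "$lifetime" "$key" </dev/null
}
```

Call it as `load_key ~/.ssh/id_rsa 3600` from ssh-init.sh and source ~/.ssh/agent.env from the shell rc file; because ssh-add asks the agent directly, it works the same whether X was started from .xinitrc or from a greeter.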
Manual method:
If for some reason we kill the ssh-agent and do not want to restart X, we can load the key into a running agent manually:
ssh-add