
Auto SSH Agent

Created by dave. Last edited by dave, 12 days ago. Viewed 32 times. #4
(2019-09-04)

Notes that probably won't make any sense to anyone other than myself. This is borderline incoherent and probably mostly wrong.

~/bin/agent, everywhere:

#!/bin/bash
HOST=`hostname`
AGENT="ssh-agent -s"
if [ ! -d "$HOME/.ssh/agent" ]; then
        mkdir -p "$HOME/.ssh/agent"
fi
# Is there already an ssh-agent running as this user?
pid=`ps -u"$LOGNAME" | grep ssh-age | awk '{print $1}'`
if [ -z "$pid" ]; then
        # ssh-agent -s prints shell commands that set SSH_AUTH_SOCK and
        # SSH_AGENT_PID; drop the trailing "echo Agent pid ..." line and
        # keep the rest in a per-host file for .bash_profile to source.
        # (run in the foreground so the file is complete before we return)
        $AGENT | grep -v echo > "$HOME/.ssh/agent/$HOST"
        sleep 1 # Let it fork and stuff
fi

On The Keyhost

In .profile or .bash_profile:

~/bin/agent
. ~/.ssh/agent/`uname -n`

On The Targets

In .profile or .bash_profile:

# Mark for .bashrc children that we've entered this at least once
export DOTPROFILE=1

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi

# Point to the active agent forward socket
# (note: the sourced file sets SSH_AUTH_SOCK to the local agent's socket,
# replacing whatever sshd set for the forwarded agent)
~/bin/agent
. ~/.ssh/agent/`uname -n`

# if the environment has SSH_AGENT stuff defined, create a symbolic link
# in ~/.ssh/agent pointing at it
if [ -S "$SSH_AUTH_SOCK" ] && [ ! -h "$SSH_AUTH_SOCK" ]; then
    ln -sf "$SSH_AUTH_SOCK" ~/.ssh/agent/$(hostname)_ssh_auth_sock
fi

# change the SSH_AUTH_SOCK to point at the symbolic link
export SSH_AUTH_SOCK=~/.ssh/agent/$(hostname)_ssh_auth_sock

In .bashrc:

# Do This First
# Check for local .bash_profile execution
if [ -z "$DOTPROFILE" ]; then
  . ~/.bash_profile
fi

Use

  • log into the keyhost; ssh-agent starts
  • use ssh-add to install your key into the running agent
  • ssh as desired
  • when you disconnect, any forwarded agent sockets become useless (while you are disconnected)
  • when you return and ssh back in to the target, all agent forwards on that host become active again

Overview, kinda

  • user logs onto the keyhost
  • ssh-agent is launched on the keyhost
  • user uses ssh-add to add a key to the agent on the keyhost
  • user sshes to the target with agent forwarding
  • if a forwarded agent socket is present and is not a symbolic link, create a host-specific symbolic link pointing at this instance-specific agent socket
  • change SSH_AUTH_SOCK to point to the host-specific symbolic link
  • .bash_profile sets a flag so that .bashrc knows that .bash_profile has run at least once (ie: an agent forward is available)
  • .bashrc checks to see if the .bash_profile flag is set
  • if it isn't, .bash_profile is run once (to start the agent if valid)

Now there's an agent forward on the target located at a host-specific location, so any children of a shell pointing there will always point at the current, valid agent socket.

If the keyhost goes away (ie: a laptop) then all the agent forwards connect back to nothing, so the key isn't available. As a side effect, if someone runs this process on the target without a valid key, an ssh-agent is left running on it, which is never used.

If the keyhost returns, logging into the target forces .bash_profile to repoint the host-specific symbolic link to the now-updated agent socket, and all environments will again have access to the forwarded agent.
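The following is an added example, not code from the page or from the author's own setup. It wraps the symlink-repointing step from the .bash_profile snippet above and the "forwarded sockets become useless" check from the overview into functions, then walks one keyhost disconnect/reconnect cycle in a scratch directory. The names repoint_agent_link, agent_link_status, make_stub_socket and demohost are my own; make_stub_socket uses python3 only to create a placeholder Unix socket file standing in for the one sshd creates, so the example runs without an ssh connection.

```shell
#!/bin/sh
# Added example (not from the original page): the host-specific symlink
# logic from .bash_profile, exercised against a scratch directory instead
# of a real ~/.ssh/agent.

# repoint_agent_link AGENT_DIR HOST SOCK
#   If SOCK is a real socket (sshd's forwarded agent socket) and not
#   already our symlink, point the host-specific link at it. Prints the
#   link path, which .bash_profile would export as SSH_AUTH_SOCK.
repoint_agent_link() {
    agent_dir=$1; host=$2; sock=$3
    link="$agent_dir/${host}_ssh_auth_sock"
    mkdir -p "$agent_dir"
    if [ -S "$sock" ] && [ ! -h "$sock" ]; then
        ln -sf "$sock" "$link"
    fi
    printf '%s\n' "$link"
}

# agent_link_status LINK
#   Reports what the host-specific link currently resolves to:
#     live      - link points at an existing socket
#     dangling  - link exists but its target is gone (keyhost went away)
#     missing   - no link has been created yet
agent_link_status() {
    link=$1
    if [ ! -h "$link" ]; then
        echo missing
    elif [ -S "$link" ]; then   # -S follows the symlink to its target
        echo live
    else
        echo dangling
    fi
}

# make_stub_socket PATH
#   Test stand-in for the socket sshd creates for a forwarded agent
#   (constructed for this example). Binding without listening is enough
#   to create the filesystem entry that -S recognises.
make_stub_socket() {
    python3 -c 'import socket, sys; socket.socket(socket.AF_UNIX).bind(sys.argv[1])' "$1"
}

# Walk through one disconnect/reconnect cycle for a hypothetical host.
demo() {
    dir=$(mktemp -d)
    # First login: sshd hands us socket A and the link is created.
    make_stub_socket "$dir/forward-A"
    link=$(repoint_agent_link "$dir/agent" demohost "$dir/forward-A")
    echo "after first login: $(agent_link_status "$link")"
    # Keyhost goes away: sshd removes the socket, the link dangles.
    rm -f "$dir/forward-A"
    echo "keyhost gone:      $(agent_link_status "$link")"
    # Re-login: socket B arrives, the link is repointed, old shells recover.
    make_stub_socket "$dir/forward-B"
    repoint_agent_link "$dir/agent" demohost "$dir/forward-B" >/dev/null
    echo "after re-login:    $(agent_link_status "$link")"
    rm -rf "$dir"
}

case "${1:-}" in
    demo) demo ;;
esac
```

Run it as `sh agent-link-demo.sh demo` to see the link go live, dangle, and come back live. The `! -h` guard matters: once SSH_AUTH_SOCK has been exported as the link itself, a second shell must not relink the link onto itself.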

Credit

I started with this Superuser.com question.
