manage_ssh_agent - an easier way to start and stop ssh-agent
ssh-agent holds a decrypted private key in memory so that commands can be executed on
remote Linux/UNIX hosts without typing passwords or passphrases every time.
ssh must be configured on all the machines and ssh-agent on at least one.
start-ssh-agent and stop-ssh-agent are trivial wrapper scripts to make
managing ssh-agent a bit easier:
- start-ssh-agent - The script that sets up ssh-agent and the environment.
- stop-ssh-agent - The script that stops ssh-agent and cleans up the environment.
Download these shell_scripts from the github repository.
Generate a public/private key pair
This is a preparation step: do this once on the "initiating" host - where multx will be launched.
Note: the example below assumes that the .ssh directory does not already exist, and that ED25519 public keys are used.
$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/tux/.ssh/id_ed25519): Type "Enter" here to accept the default.
Enter passphrase (empty for no passphrase): Type a long and complicated passphrase here.
Enter same passphrase again: And again here.
Your identification has been saved in /home/tux/.ssh/id_ed25519.
Your public key has been saved in /home/tux/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:3ki/gMMgDtU9P3dxuUntTKpgmsF96nWq2TM6RdFqrsc tux@iceberg
The key's randomart image is:
+--[ED25519 256]--+
| . |
| . . . .o |
| . . o .o+ o|
| . + . ++ B |
|. . . S =+o + o|
| o . o + @ =o. |
| . + * ++o . |
| . oo=Eo |
| *=oo |
+----[SHA256]-----+
$ ls -l ~/.ssh
total 8
4 -rw-------. 1 tux tux 314 Feb 13 14:56 id_ed25519
4 -rw-r--r--. 1 tux tux 172 Feb 13 14:56 id_ed25519.pub
Enable Public Key Authentication on the Target Hosts
This is another preparation step: do this once on each target host.
Enable public key authentication (for the above generated key pair) on all the "target"
hosts - where the commands will run. Note: this may well (and usually does) include the
"initiating" host as well. (That is, calling ssh to itself.)
On all "target" hosts, ensure ~/.ssh exists with the correct owner, group and permissions:
$ mkdir ~/.ssh # user and group should be correct, chown if required
$ chmod 700 ~/.ssh
$ ls -ld ~/.ssh
drwx------. 2 tux tux 4096 Feb 13 15:13 /home/tux/.ssh/
Copy the "initiating" host's public key file ~/.ssh/id_ed25519.pub from the "initiating" host to
the authorized_keys file on all of the "target" hosts (note that scp replaces any authorized_keys
file that already exists there):
$ scp ~/.ssh/id_ed25519.pub target_1:.ssh/authorized_keys
$ scp ~/.ssh/id_ed25519.pub target_2:.ssh/authorized_keys
...
$ scp ~/.ssh/id_ed25519.pub target_N:.ssh/authorized_keys
Note: the above commands will prompt for the passphrase, but once authorized_keys is in place (and ssh-agent is
running with a correct passphrase, etc.), entering passphrase(s) interactively will no longer be required.
multx could be used here to avoid having to type the
same command N times, but - at this point - the passphrase must be entered for every target host.
Allow other Host(s) to be Initiators
This is another preparation step: do this once for each target host.
Copy the "initiating" host's public and private key files (~/.ssh/id_ed25519.pub and ~/.ssh/id_ed25519)
from the "initiating" host to the .ssh directory on all of the "target" hosts. Note that this leaves a
copy of the private key on every target host, so the key is only as well protected as the least
secure of those hosts' .ssh directories:
$ scp ~/.ssh/id_ed25519* target_1:.ssh
$ scp ~/.ssh/id_ed25519* target_2:.ssh
...
$ scp ~/.ssh/id_ed25519* target_N:.ssh
multx could be used here to avoid having to type the
same command N times, and if all the above steps have been performed correctly, passphrases are no longer required!
Starting ssh-agent with start-ssh-agent
$ . start-ssh-agent # Note: "dot" this script to configure this shell's environment
ssh-agent for tux not running: starting
==================== ==================== ====================
PASSPHRASE PASSPHRASE PASSPHRASE PASSPHRASE PASSPHRASE
==================== ==================== ====================
Enter passphrase for /home/tux/.ssh/id_ed25519: Type the same passphrase as above here.
Identity added: /home/tux/.ssh/id_ed25519 (tux@iceberg)
SSH_AUTH_SOCK=/tmp/ssh-9ZtlUMecHR0y/agent.3938; export SSH_AUTH_SOCK;
SSH_AGENT_PID=3940; export SSH_AGENT_PID;
If ssh-agent should normally always be running, lines like these can be added to .bashrc or .profile (as
appropriate) so the user will be prompted to start ssh-agent upon first login whenever it's not running.
STARTSSHAGENTFILE=/usr/local/bin/start-ssh-agent
if [ -r "$STARTSSHAGENTFILE" ]; then
. "$STARTSSHAGENTFILE" # "dot" it so SSH_AUTH_SOCK and SSH_AGENT_PID are exported into the login shell
fi
Stopping ssh-agent with stop-ssh-agent
$ . stop-ssh-agent # Note: "dot" this script to re/unconfigure this shell's environment
tux 4053 1 0 15:13 ? 00:00:00 ssh-agent
Killing ssh-agent PID(s) 4053 for tux
unset SSH_AUTH_SOCK;
unset SSH_AGENT_PID;
echo Agent pid 4053 killed;
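The start and stop sections above show what the wrappers print; the functions below are an added example (not the project's start-ssh-agent or stop-ssh-agent scripts) of the core checks such a wrapper needs: parsing ssh-agent's Bourne-style output, confirming an agent is really reachable before deciding not to start one, and killing only the agent this shell started. Function names agent_var, agent_reachable, start_agent and stop_agent are assumptions for this example.

```shell
#!/bin/sh
# Added example, not the project's start-ssh-agent/stop-ssh-agent scripts:
# the core checks such wrappers need, as POSIX sh functions meant to be "dotted".

# Pull one variable out of ssh-agent's Bourne-style output, e.g.
#   SSH_AUTH_SOCK=/tmp/ssh-XXXX/agent.3938; export SSH_AUTH_SOCK;
# Usage: agent_var NAME "$agent_output"
agent_var() {
    printf '%s\n' "$2" | sed -n "s/^$1=\([^;]*\);.*/\1/p"
}

# Succeed only if a live agent answers on SSH_AUTH_SOCK. ssh-add -l exits 0
# (identities loaded), 1 (agent reachable, no identities) or 2 (no agent), so a
# stale socket path left in the environment is not mistaken for a running agent.
agent_reachable() {
    [ -S "${SSH_AUTH_SOCK:-}" ] || return 1
    ssh-add -l >/dev/null 2>&1
    case $? in 0|1) return 0 ;; *) return 1 ;; esac
}

# Start an agent for this shell unless one is already reachable, then load the
# default identity (this is the single passphrase prompt).
start_agent() {
    if agent_reachable; then
        echo "ssh-agent for $(id -un) already running: not starting"
        return 0
    fi
    out=$(ssh-agent -s) || return 1   # -s forces sh syntax regardless of $SHELL
    SSH_AUTH_SOCK=$(agent_var SSH_AUTH_SOCK "$out"); export SSH_AUTH_SOCK
    SSH_AGENT_PID=$(agent_var SSH_AGENT_PID "$out"); export SSH_AGENT_PID
    echo "ssh-agent for $(id -un) not running: started PID $SSH_AGENT_PID"
    ssh-add
}

# Stop only the agent this shell started, rather than every ssh-agent owned by
# the user, and clear the variables so nothing keeps using the dead socket.
stop_agent() {
    [ -n "${SSH_AGENT_PID:-}" ] || { echo "no agent started by this shell"; return 1; }
    eval "$(ssh-agent -k)"   # emits the unset/echo lines shown above and runs them
}
```

Dot the file as with the original scripts, then call start_agent and stop_agent; a shell that inherits SSH_AUTH_SOCK from a terminated agent will start a fresh one instead of silently reusing the dead socket.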