Detailed explanation of SSH service (III) -- Using SSH agent
- The SSH server runs on Ubuntu 18.04.1
- The SSH client runs on Windows 10
Commands used in the previous section
ssh -i .\id_rsa tyustli@192.168.10.18
With this command you can connect to the SSH server remotely, but you have to specify the private key every time. This section goes through what you need to know about the SSH agent; once the agent is set up, you no longer have to supply the private key (or its passphrase) by hand for every connection.
SSH agent usage steps
- Start the SSH agent
- Add the corresponding private key to the SSH agent. If the private key is protected by a passphrase, you are prompted for it when adding the key; enter the correct passphrase and the key is added to the agent
- Connect to the remote host
- Private key management
Introduction to SSH agent
ssh-agent is a program that manages private keys on our behalf.
So when do we need an SSH agent to manage the private keys? It helps in the following situations:
- When connecting to different hosts with different keys, we would otherwise have to specify the matching key manually every time. The SSH agent offers the keys it holds, so the right one is used for authentication without us specifying it
- When a private key is protected by a passphrase and is used frequently for authentication, the SSH agent saves us from re-entering the passphrase for every connection
Start SSH agent
Start powershell as administrator and enter the following command in powershell
ssh-agent
If the service fails to start, an error like the following is reported (Windows error 1058 is ERROR_SERVICE_DISABLED, i.e. the ssh-agent service is set to Disabled)
unable to start ssh-agent service, error :1058
Set SSH agent to start automatically
Set-Service -Name ssh-agent -StartupType Automatic
The StartupType parameter accepts the following values
- Automatic (2): the service is started by the operating system at system startup. If an automatically started service depends on a manually started service, the manually started service is also started automatically at boot.
- Boot (0): the service is a device driver started by the system loader. This value is valid only for device drivers.
- Disabled (4): the service is disabled and cannot be started by a user or application.
- Manual (3): the service is started only on demand, by the user (through the service control manager) or by an application.
- System (1): the service is a device driver started by the IoInitSystem function. This value is valid only for device drivers.
The above command sets the SSH agent service to start automatically. Enter the ssh-agent command in the PowerShell command line again to start the SSH agent
View SSH agent after startup
ps
After the command is executed, the output looks like this
Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
...
     80       7     1388       5688       0.02  26776   0 ssh-agent
    609      32    31456      72296       6.03   6916   1 StartMenuExperienceHost
...
If you want to close the SSH agent, use the command
kill 26776   # 26776 is the pid of ssh-agent shown above
PowerShell asks for confirmation before stopping the process
Confirm
Are you sure you want to perform the Stop-Process operation on ssh-agent (26776)?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y
Enter Y to stop the agent
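The start, check and stop steps above as one PowerShell script that addresses the ssh-agent service by name rather than by pid (added example, not code from the original post; function names are my own):

```powershell
# Added example, not part of the original post: manage the Windows OpenSSH
# ssh-agent service by name instead of by process id.
# Set-Service / Start-Service / Stop-Service need an elevated PowerShell.

function Initialize-SshAgentService {
    $svc = Get-Service -Name ssh-agent -ErrorAction Stop

    # "error :1058" from ssh-agent is ERROR_SERVICE_DISABLED: the service's
    # StartupType is Disabled, so switch it to Automatic before starting it.
    if ($svc.StartType -eq 'Disabled') {
        Set-Service -Name ssh-agent -StartupType Automatic
    }
    if ($svc.Status -ne 'Running') {
        Start-Service -Name ssh-agent
    }
    # Return the refreshed service object (StartType, Status) to the caller
    Get-Service -Name ssh-agent
}

function Get-SshAgentProcess {
    # Same information as the `ps` listing above, filtered to ssh-agent only
    Get-Process -Name ssh-agent -ErrorAction SilentlyContinue |
        Select-Object Id, ProcessName, StartTime
}

function Stop-SshAgentService {
    # Stopping the service instead of `kill <pid>` needs no confirmation
    # prompt and does not depend on reading the pid from a process listing.
    # The service stays set to Automatic, so it comes back after a reboot.
    Stop-Service -Name ssh-agent
    Get-Service -Name ssh-agent
}

Initialize-SshAgentService
Get-SshAgentProcess
```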
Add SSH private key
Add the private key and give it to the SSH agent for management
ssh-add .\id_rsa
An error may be reported when adding the key, such as
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for '.\\id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
The message says that adding the private key failed because users other than you can access the file, so the key is ignored. You therefore have to tighten the permissions of the private key file
You can use the chmod command in Linux, but Windows does not have this command
In windows, the corresponding command is icacls
For the icacls/cacls command parameters, refer to the relevant help documentation (in PowerShell, entering icacls without arguments prints its help)
Give system users read permission
icacls .\id_rsa /c /t /grant system:R
Disable inheritance
icacls .\id_rsa /c /t /inheritance:r
Give the current user read permission
icacls .\id_rsa /c /t /grant tyustli:R # tyustli is the current user name
Each of the above commands produces output like the following
Processed file: .\id_rsa
Successfully processed 1 file; failed to process 0 files
Another possible error is
invalid format
This happens because Linux and Windows handle line endings differently: Linux ends a line with \n, while Windows uses \r\n. A key file saved with Windows line endings is rejected with this error
Enter again after the file permissions are modified
ssh-add .\id_rsa
The output confirms that the private key was added
Identity added: .\id_rsa (.\id_rsa)
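The permission fix and the line-ending fix above as one PowerShell script that also verifies the resulting ACL before handing the key to the agent (added example, not code from the original post). It assumes the key is at .\id_rsa, that the only principals allowed on the file are the current user and SYSTEM, and uses a one-hour agent lifetime (the -t option of ssh-add); the function names are my own.

```powershell
# Added example, not part of the original post: tighten the key file's ACL
# the way the icacls commands above do, verify that only the current user and
# SYSTEM keep access, convert CRLF line endings that produce "invalid format",
# and only then hand the key to the agent. The allow-list of principals and
# the 1-hour lifetime are assumptions for this example.

function Protect-SshPrivateKey {
    param([Parameter(Mandatory)][string]$Path)
    $full = (Resolve-Path $Path).Path
    $me   = "$env:USERDOMAIN\$env:USERNAME"

    # /inheritance:r removes inherited entries such as Users:(RX) from the
    # parent folder; without this the "too open" check still fails.
    icacls $full /c /inheritance:r | Out-Null
    icacls $full /c /grant "${me}:R"  | Out-Null
    icacls $full /c /grant "SYSTEM:R" | Out-Null

    # Normalise CRLF to LF; PEM key files are ASCII, so writing ASCII is safe.
    $text = [IO.File]::ReadAllText($full) -replace "`r`n", "`n"
    [IO.File]::WriteAllText($full, $text, [Text.Encoding]::ASCII)
}

function Test-SshPrivateKeyAcl {
    param([Parameter(Mandatory)][string]$Path)
    $allowed = @("$env:USERDOMAIN\$env:USERNAME", 'NT AUTHORITY\SYSTEM')
    $acl   = Get-Acl -Path $Path
    # Any ACE for a principal outside the allow-list is exactly the
    # "accessible by others" condition that ssh-add complains about.
    $extra = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -notin $allowed })
    foreach ($ace in $extra) {
        Write-Warning "Unexpected ACE: $($ace.IdentityReference) $($ace.FileSystemRights)"
    }
    return ($acl.AreAccessRulesProtected -and $extra.Count -eq 0)
}

Protect-SshPrivateKey -Path .\id_rsa
if (Test-SshPrivateKeyAcl -Path .\id_rsa) {
    # -t 3600: the agent forgets the identity after an hour, limiting how
    # long an unlocked key stays usable if the session is left unattended.
    ssh-add -t 3600 .\id_rsa
}
```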
Remote connection
After the private key is added to the SSH agent, you can connect directly
ssh tyustli@192.168.10.18
Now you connect directly, without specifying the private key or entering a login password (if the private key is protected by a passphrase, you still have to enter that passphrase)
Exit connection
exit
Private key management
View the ssh-add options for managing the keys held by the agent
ssh-add --help
  -l          List fingerprints of all identities.
  -E hash     Specify hash algorithm used for fingerprints.
  -L          List public key parameters of all identities.
  -k          Load only keys and not certificates.
  -c          Require confirmation to sign using identities
  -t life     Set lifetime (in seconds) when adding identities.
  -d          Delete identity.
  -D          Delete all identities.
  -x          Lock agent.
  -X          Unlock agent.
  -s pkcs11   Add keys from PKCS#11 provider.
  -e pkcs11   Remove keys provided by PKCS#11 provider.
  -q          Be quiet after a successful operation.