public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] ssh-agent & RSA
@ 2009-05-11  5:18 Hilco Wijbenga
  2009-05-11  9:22 ` Etaoin Shrdlu
  2009-05-12  9:41 ` Philipp Riegger
  0 siblings, 2 replies; 8+ messages in thread
From: Hilco Wijbenga @ 2009-05-11  5:18 UTC (permalink / raw
  To: Gentoo User

Hi all,

I'm running ssh-agent so I only have to type my passphrase once. At
least that was the plan. I'm trying to use an RSA key instead of DSA.
This does not seem to please ssh-agent. It seems to just look for
id_dsa and ignore the id_rsa.

(a) If I create a DSA key then it finds that and ignores the RSA key;
(b) if I delete the DSA key so that there is only an RSA key then
ssh-agent warns about the missing id_dsa and gives up;
(c) if I give the DSA an empty passphrase then ssh-agent is happy but
still ignores the RSA key.

I can't find anything in man ssh-add or man ssh-agent about this
behaviour. The man file says it looks for both files but so far I beg
to differ. :-) There don't seem to be any config files for ssh-agent?

Other things I've tried:

1. State "explicitly" in ssh-config to only use RSA:

Host *
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_rsa
    Protocol 2

Ssh-agent is not impressed. (Not too surprising as this file applies
to ssh, not ssh-agent, but it was worth a try.)

2. ssh-add -D ; ssh-add ~/.ssh/id_rsa

This is completely ignored. Ssh-agent simply behaves as in a, b, and c
(and, for a and c, puts the DSA key right back in the list).

I'm out of ideas. :-( Could anyone offer a suggestion? Does anyone
have ssh-agent working with an RSA key?

Please note that using a DSA key works. In that case ssh-agent finds
the key, asks for a passphrase and from then on I can use the key
without typing the passphrase. So I believe that I have set things up
correctly. Also note that I can use the RSA key, it's just that I have
to type the passphrase every time.

Cheers,
Hilco




* Re: [gentoo-user] ssh-agent & RSA
  2009-05-11  5:18 [gentoo-user] ssh-agent & RSA Hilco Wijbenga
@ 2009-05-11  9:22 ` Etaoin Shrdlu
  2009-05-12  4:35   ` Hilco Wijbenga
  2009-05-12  9:41 ` Philipp Riegger
  1 sibling, 1 reply; 8+ messages in thread
From: Etaoin Shrdlu @ 2009-05-11  9:22 UTC (permalink / raw
  To: gentoo-user

On Monday 11 May 2009, 07:18, Hilco Wijbenga wrote:

> 2. ssh-add -D ; ssh-add ~/.ssh/id_rsa

3. mv ~/.ssh/id_rsa ~/.ssh/id_dsa

:)

Seriously, did you try running ssh-add without arguments? According to 
the man, "When run without arguments, it adds the files ~/.ssh/id_rsa, 
~/.ssh/id_dsa and ~/.ssh/identity".

It works for me with an RSA key, anyway:

$ ls .ssh/
id_rsa       id_rsa.pub  known_hosts
$ eval $(ssh-agent)
Agent pid 22390
$ ssh-add .ssh/id_rsa
Identity added: .ssh/id_rsa (.ssh/id_rsa)

Did you try generating a new RSA key (just to see if it can be added)?




* Re: [gentoo-user] ssh-agent & RSA
  2009-05-11  9:22 ` Etaoin Shrdlu
@ 2009-05-12  4:35   ` Hilco Wijbenga
  2009-05-12  9:17     ` Etaoin Shrdlu
  0 siblings, 1 reply; 8+ messages in thread
From: Hilco Wijbenga @ 2009-05-12  4:35 UTC (permalink / raw
  To: gentoo-user

2009/5/11 Etaoin Shrdlu <shrdlu@unlimitedmail.org>:
> On Monday 11 May 2009, 07:18, Hilco Wijbenga wrote:
>
>> 2. ssh-add -D ; ssh-add ~/.ssh/id_rsa
>
> 3. mv ~/.ssh/id_rsa ~/.ssh/id_dsa

No, I had not tried that. :-) Exactly like that it doesn't work but if
I do a copy instead of a move then, yes, it works.

Ssh-agent finds the DSA key (still completely ignores the RSA key) in
both cases but SSH can't use it unless the RSA key is there so copying
"works". Somehow SSH is able to reuse the passphrase I typed for the
DSA key when the RSA key is used. Very strange.

> Seriously, did you try running ssh-add without arguments? According to
> the man, "When run without arguments, it adds the files ~/.ssh/id_rsa,
> ~/.ssh/id_dsa and ~/.ssh/identity".

:-) Yes, *that* I had tried ... many times. I had read the same, which
led me to believe this should work.

> It works for me with an RSA key, anyway:
>
> $ ls .ssh/
> id_rsa       id_rsa.pub  known_hosts
> $ eval $(ssh-agent)
> Agent pid 22390
> $ ssh-add .ssh/id_rsa
> Identity added: .ssh/id_rsa (.ssh/id_rsa)

This works for me too but afterwards the key is completely ignored.
What happens if you do this and then restart the shell? Or better yet,
what happens if you logout completely and then log back in? For me,
the RSA key is completely ignored.

Does ssh-agent really ask you for a passphrase when starting a shell?
Or at least list the RSA key? For me it's only the DSA key that is
listed by ssh-agent (when it starts) and it's only for the DSA key
that ssh-agent asks for a passphrase. Note that ssh-add -L still
lists the RSA key too!

> Did you try generating a new RSA key (just to see if it can be added)?

Yep, and no it doesn't make any difference. I even tried the default
bit length instead of -b 1536 that I normally use.




* Re: [gentoo-user] ssh-agent & RSA
  2009-05-12  4:35   ` Hilco Wijbenga
@ 2009-05-12  9:17     ` Etaoin Shrdlu
  2009-05-12  9:50       ` Etaoin Shrdlu
  0 siblings, 1 reply; 8+ messages in thread
From: Etaoin Shrdlu @ 2009-05-12  9:17 UTC (permalink / raw
  To: gentoo-user

On Tuesday 12 May 2009, 06:35, Hilco Wijbenga wrote:

> This works for me too but afterwards the key is completely ignored.
> What happens if you do this and then restart the shell? Or better yet,
> what happens if you logout completely and then log back in? For me,
> the RSA key is completely ignored.

The way ssh-agent is designed is to NOT survive after the shell it was 
started from is closed. That's why you should invoke it during your very 
first login shell, so that the variables it sets are exported to all 
child programs and subshells. If you do graphical login, I believe 
there's an equivalent tool that lets you run the agent from the parent 
environment.

One way of doing that is to put its invocation in .bashrc, but then it 
will run a new copy each time a new login shell is started. So tools 
like keychain have been developed which run ssh-agent, ask for the 
password, and on subsequent invocations check if the agent is already 
running, and if so they don't ask for the password again.
There's a nice article on keychain here:

http://www.gentoo.org/proj/en/keychain/

> Does ssh-agent really ask you for a passphrase when starting a shell?

Not if you don't invoke it :)

> Or at least list the RSA key? For me it's only the DSA key that is
> listed by ssh-agent (when it starts) and it's only for the DSA key
> that ssh-agent asks for a passphrase. Note that ssh-add -L still
> lists the RSA key too!

As far as I know, as soon as ssh-agent is started, it has no keys. It's 
your job (or keychain's) to add keys to ssh-agent's cache. But I'm not 
sure I understand what you're getting.
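The keychain-style pattern described in this reply (start one agent from the first login shell, persist its variables, and have later shells re-use the running agent instead of spawning a new one and asking for the passphrase again), written out as an added example. This is not code from the thread or from the keychain project; it assumes `ssh-agent`, `ssh-add` and `ssh-keygen` are in PATH, and the `AGENT_ENV` file name, the function names and the `SAMPLE_AGENT_OUTPUT` string are constructed for the example. Keys are loaded with a lifetime (`ssh-add -t`) and the saved environment file is created with mode 0600, so a stale login does not leave an unlocked key behind indefinitely.

```shell
#!/bin/sh
# Added example, not keychain's own code: a minimal ssh-agent manager.
# Later shells run `ensure_agent ~/.ssh/id_rsa ~/.ssh/id_dsa` (or source
# this file from the login profile) and only get a passphrase prompt when
# no live agent is found or a key is not loaded yet.

# Where the agent's environment is persisted (name is an assumption).
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# Constructed sample of what `ssh-agent -s` prints; used to show parsing.
SAMPLE_AGENT_OUTPUT='SSH_AUTH_SOCK=/tmp/ssh-abc123/agent.4242; export SSH_AUTH_SOCK;
SSH_AGENT_PID=4243; export SSH_AGENT_PID;
echo Agent pid 4243;'

# agent_var NAME TEXT: extract the value assigned to NAME in TEXT,
# which is ssh-agent's bourne-shell style output.
agent_var() {
    printf '%s\n' "$2" | sed -n "s/^$1=\([^;]*\);.*/\1/p"
}

# agent_alive: return 0 if $AGENT_ENV points at an agent that is still
# running (socket present and the pid answers to a null signal).
agent_alive() {
    [ -r "$AGENT_ENV" ] || return 1
    . "$AGENT_ENV" >/dev/null
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ] || return 1
    [ -n "$SSH_AGENT_PID" ] && kill -0 "$SSH_AGENT_PID" 2>/dev/null
}

# start_agent: launch a fresh agent and persist its variables (mode 0600).
start_agent() {
    umask 077
    ssh-agent -s > "$AGENT_ENV" || return 1
    . "$AGENT_ENV" >/dev/null
    echo "started ssh-agent pid $(agent_var SSH_AGENT_PID "$(cat "$AGENT_ENV")")"
}

# ensure_agent KEY...: re-use or start the agent, then load each readable
# key that is not already in the agent, with an 8 hour lifetime.
ensure_agent() {
    agent_alive || start_agent || return 1
    for key in "$@"; do
        [ -r "$key" ] || continue
        # ssh-add -l prints fingerprints; match on the key's own fingerprint
        fp=$(ssh-keygen -lf "$key" | awk '{print $2}')
        ssh-add -l 2>/dev/null | grep -qF "$fp" || ssh-add -t 8h "$key"
    done
}
```

Sourcing this from the first login shell's profile is what makes the exported `SSH_AUTH_SOCK` and `SSH_AGENT_PID` reach every child process, which is the point made above about the agent not surviving the shell it was started from; `ssh-add -l` afterwards shows exactly which identities the agent holds.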




* Re: [gentoo-user] ssh-agent & RSA
  2009-05-11  5:18 [gentoo-user] ssh-agent & RSA Hilco Wijbenga
  2009-05-11  9:22 ` Etaoin Shrdlu
@ 2009-05-12  9:41 ` Philipp Riegger
  2009-05-12 16:24   ` Hilco Wijbenga
  1 sibling, 1 reply; 8+ messages in thread
From: Philipp Riegger @ 2009-05-12  9:41 UTC (permalink / raw
  To: gentoo-user


On Sun, 2009-05-10 at 22:18 -0700, Hilco Wijbenga wrote:
> Hi all,
[...]

I would recommend you to try

[I] net-misc/keychain
     Available versions:  2.6.6 2.6.8
     Installed versions:  2.6.8(19:38:13 04/17/09)
     Homepage:            http://www.gentoo.org/proj/en/keychain/
     Description:         ssh-agent manager


Philipp





* Re: [gentoo-user] ssh-agent & RSA
  2009-05-12  9:17     ` Etaoin Shrdlu
@ 2009-05-12  9:50       ` Etaoin Shrdlu
  2009-05-12 16:23         ` Hilco Wijbenga
  0 siblings, 1 reply; 8+ messages in thread
From: Etaoin Shrdlu @ 2009-05-12  9:50 UTC (permalink / raw
  To: gentoo-user

On Tuesday 12 May 2009, 11:17, Etaoin Shrdlu wrote:

> > Does ssh-agent really ask you for a passphrase when starting a
> > shell?
>
> Not if you don't invoke it :)

Sorry, that is a bit unclear. Ssh-agent will never ask for a password. 
It's ssh-add that does (if you run it after the agent), assuming the key 
you're adding is password-protected.




* Re: [gentoo-user] ssh-agent & RSA
  2009-05-12  9:50       ` Etaoin Shrdlu
@ 2009-05-12 16:23         ` Hilco Wijbenga
  0 siblings, 0 replies; 8+ messages in thread
From: Hilco Wijbenga @ 2009-05-12 16:23 UTC (permalink / raw
  To: gentoo-user

2009/5/12 Etaoin Shrdlu <shrdlu@unlimitedmail.org>:
> On Tuesday 12 May 2009, 11:17, Etaoin Shrdlu wrote:
>
>> > Does ssh-agent really ask you for a passphrase when starting a
>> > shell?
>>
>> Not if you don't invoke it :)
>
> Sorry, that is a bit unclear. Ssh-agent will never ask for a password.
> It's ssh-add that does (if you run it after the agent), assuming the key
> you're adding is password-protected.

Ssh-agent most certainly asks for a passphrase (although it may be
ssh-add that does the actual asking). As soon as I get to my first
login screen (I don't start from a GUI login), and I have logged in,
ssh-agent (or ssh-add, whatever) asks me for a passphrase for the DSA
key it finds. But it consistently ignores the RSA key.

Really, everything is (or at least seems to be) working wonderfully
*for DSA*. As you also indicated, it *should* work for both DSA and
RSA ... except that on my box it doesn't. :-(




* Re: [gentoo-user] ssh-agent & RSA
  2009-05-12  9:41 ` Philipp Riegger
@ 2009-05-12 16:24   ` Hilco Wijbenga
  0 siblings, 0 replies; 8+ messages in thread
From: Hilco Wijbenga @ 2009-05-12 16:24 UTC (permalink / raw
  To: gentoo-user

2009/5/12 Philipp Riegger <lists@anderedomain.de>:
> On Sun, 2009-05-10 at 22:18 -0700, Hilco Wijbenga wrote:
> I would recommend you to try
>
> [I] net-misc/keychain
>     Available versions:  2.6.6 2.6.8
>     Installed versions:  2.6.8(19:38:13 04/17/09)
>     Homepage:            http://www.gentoo.org/proj/en/keychain/
>     Description:         ssh-agent manager

I will have a look at that tonight. If that also fails, I guess I'll
try reinstalling everything related to SSH.


