DEV Community

Cover image for How to use SSH properly and what is SSH Agent Forwarding

How to use SSH properly and what is SSH Agent Forwarding

Levi Velázquez on August 23, 2018

The SSH (Secure Shell) is widely used to provide secure access to remote systems, we have few ways to do it. Basically, everybody who uses it knows...
Collapse
 
slavius profile image
Slavius

Just a note:

default ssh-keygen does not generate secure enough keys. At least on Ubuntu 18.04 it generates RSA based, 2048 bit key, which is considered weak already.
While generating 4096 RSA bit key is possible (and may be still required to ssh into systems using old versions of ssh) it is beneficial to switch to shorter but computationaly more expensive elliptic curves like ed25519.

To further increase security against brute-forcing in case your key was stolen, you should specify to save the key in new format (the old one is really weak) by using -o and additionally to specify to use many KDF function rounds to secure the key using -a 100 or more.

The final command then should be:

/usr/bin/ssh-keygen -o -a 100 -t ed25519
Enter fullscreen mode Exit fullscreen mode
Collapse
 
levivm profile image
Levi Velázquez

Oh, nice to know it, thx a lot, going to update it.

Collapse
 
killrazor profile image
Tyler Christian

This doesn't address dangling agents. Each time you 'eval $(ssh-agent -s)' you are creating a new process. This will leave stranded processes that aren't cleaned up and don't die with timeouts. There is a method to reuse a PID rather than recreating each time.

Collapse
 
woodbri profile image
Stephen Woodbridge

I have this problem also. It would nice to know the correct way to handle this in .bash_login, .profile, .bashrc, .bash_logout files so if an agent already exists, it is reused, or on logout the agent is removed. I often have ssh sessions broken by connection failures so the session is not logged out.

Collapse
 
metabarj0 profile image
Sebastien Levy

Hey, if it can help, I've a repo containing a tiny script that handle that.
The way it works is pretty simple: it exposes an alias named ssh-auth that ask to authenticate the first time it is used and then re use an existing agent if invoked in a different terminal. Just, ensure to look at both .bashrc_ssh-auth.sh as well as .bashrc files : github.com/MetaBarj0/configs/tree/....
Let me know if it helps.

Collapse
 
veslorens profile image
Yves Lorenzo

Is it possible to re-use the same key-pair files with other local machines to access the server?

Collapse
 
levivm profile image
Levi Velázquez

Yep, just copy them over there and that’s it. Repeat the process.

Collapse
 
veslorens profile image
Yves Lorenzo

Thank you :)

Collapse
 
zrml profile image
Luca

when I test the agent forwarding with the ssh command to github as in
$ ssh -T git@github.com
I get:
git@github.com: Permission denied (publickey)

I guess it's not working then...
any hint on debugging where I might have gone astray? Thanks Levi; useful.

Collapse
 
levivm profile image
Levi Velázquez

Sorry, I didn't see your comment, you already solved it ?

Collapse
 
mhogerheijde profile image
Matthias Hogerheijde

I would propose mentioning ssh-copy-id over manually editing ~/.ssh/authorized_keys.

ssh-copy-id takes the same -i argument, so if you use a non-standard location for your key, lets say ~/foo/bar/id_rsa and ~/foo/bar/id_rsa.pub, then

$ ssh-copy-id -i ~/foo/bar/id_rsa user@remote-machine

will open ssh, ask for password, copy the ~/foo/bar/id_rsa.pub file into ~/.ssh/authorized_keys on the remote.

Otherwise

$ ssh-copy-id user@remote-machine

will copy whatever keys it finds to the remote (might be multiple!)

Collapse
 
susensio profile image
Susensio

It says private key has a .pub extension appended, but its the other way around, pub is for public

Collapse
 
levivm profile image
Levi Velázquez

Thx, was a typo.

Collapse
 
digitalchris profile image
Digital Chris

"The private key will have .pub appended to its name"

What do I even say to this.

Collapse
 
levivm profile image
Levi Velázquez

I fixed it, was a typo.

Collapse
 
packeteer profile image
packeteer

I believe SSH agent forwarding is considered harmful, and it is better to use ProxyCommand instead

Collapse
 
tdpoker profile image
tdpoker

How to make it as if we access a website, we use the website provided vpn?

Collapse
 
esaliya profile image
Saliya Ekanayake

How to handle the case where your git uses a different key than the one you use to login to the remote host?

Collapse
 
levivm profile image
Levi Velázquez • Edited

You can add keys to SSH Agent Forwarding, so you can use 1 key for sshintg into the remote host and the other one for pulling from github.

Note: you don't forward the key itself, you forward the agent, so basically, you can add many keys as you want.

You can check here how to do it
superuser.com/questions/1140830/ss...

Collapse
 
oleggromov profile image
Oleg Gromov

Adding the key to ssh-agent is what I've been missing.
Thank you Levi!

Collapse
 
capdragon profile image
CaptDragon

You forgot to add the "-A" in your "Testing SSH agent forwarding" example.
This works great with my Yubikey, thanks!

Collapse
 
levivm profile image
Levi Velázquez

Oh yes, you right, thanks for it.