Ssh-agent
ssh-agent is a program that, used together with OpenSSH or similar SSH programs, provides a secure way of storing the passphrase of the private key.
Public-key cryptography plays the central role in the idea of logging in to a server from a local machine via SSH. The main point is that a key pair is generated consisting of a private key and a public key. The public key is available to everyone and is often stored on public key servers. Any user has access to this key, whereas the private key must be kept secret. It is used to decrypt any message encrypted with the public key.
A password-based authentication process (in the common example of OpenSSH) may be vulnerable to brute-force attacks if no mechanism is in place to detect them. To avoid this weakness, ssh supports public key authentication. In order to log in securely to a remote system via a secure shell, a private key/public key pair is generated. The private key is stored on the local machine. The public key is stored on the target machine in the $HOME/.ssh/authorized_keys file. Public keys are not sensitive information and may be known to anybody, whereas the private key needs to be protected very carefully by a strong passphrase. Using multiple servers is made easier by using ssh-agent: ssh-agent remembers the passphrase so that the user does not need to type it every time he or she wants to connect or send data to the server.
Principle
The verification to the server is based on challenge-response authentication. ssh connects to the server with a user name and the request for a key. The ssh daemon gets the request and sends back a challenge based on the public key stored in the authentication file. ssh uses the private key to construct a key response and sends it to the waiting sshd on the other end of the connection. It does not send the private key itself. The ssh daemon validates the key response and, if it is valid, grants access to the system.
ssh-agent simplifies this by creating a Unix domain socket that listens for SSH connections. The user simply starts ssh-agent, telling it how to find their keys (if they are not in the default location), enters the passphrase for each key to be used on a one-time basis, and then ssh-agent handles the rest every time the user connects to a remote server.
Security issues
ssh-agent creates a socket and then checks the connections from ssh. Everyone who is able to connect to this socket also has access to the ssh-agent. The permissions are set as in a usual Linux/Unix system. When the agent starts, it creates a new directory in /tmp with restrictive permissions. The socket is located in that directory.
There is a possibility to try to prevent malware from using the ssh-agent socket. If the ssh-add -c option is set when the keys are imported into the ssh-agent, then the agent requests a confirmation from the user, using the program specified by the SSH_ASKPASS environment variable, whenever ssh tries to connect.
On the local system, it is important that the root user is trustworthy, because the root user can, amongst other things, just read the key file directly. On the remote system, if the ssh-agent connection is forwarded, it is also important that the root user is trustworthy, because they can access the agent socket (though not the key).
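The challenge-response exchange from the Principle section, together with the per-use confirmation that ssh-add -c adds, as an added illustration that is not part of the original article and not OpenSSH code: a client, an in-process agent and a server exchange messages using the real ssh-agent message numbers and string framing, and the private exponent never leaves the agent. The key is a constructed textbook-RSA pair on two tiny fixed primes, assumed purely for illustration; a real agent holds a proper key and real SSH also binds the signed data to the session identifier.

```python
import hashlib, struct

# ssh-agent protocol message numbers (draft-miller-ssh-agent)
SSH_AGENT_FAILURE, SSH_AGENTC_REQUEST_IDENTITIES, SSH_AGENT_IDENTITIES_ANSWER = 5, 11, 12
SSH_AGENTC_SIGN_REQUEST, SSH_AGENT_SIGN_RESPONSE = 13, 14
def sstring(b):               # SSH "string": uint32 big-endian length, then the bytes
    return struct.pack(">I", len(b)) + b

def read_string(buf, off=0):  # parse one SSH string; returns (bytes, next offset)
    n, = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

frame = sstring               # socket framing has the same shape: uint32 length, then message
# Constructed textbook-RSA key on two tiny fixed Mersenne primes: illustration only.
# A real agent holds an ssh-rsa/ed25519 key; the private exponent D never leaves it.
P, Q, E = 2147483647, 2305843009213693951, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
PUBLIC_BLOB = sstring(b"toy-rsa") + sstring(E.to_bytes(3, "big")) + sstring(N.to_bytes(12, "big"))

def digest(data):             # SHA-256 truncated to 80 bits so the value is below N
    return int.from_bytes(hashlib.sha256(data).digest()[:10], "big")

class ToyAgent:
    """Answers agent requests; `confirm` models the `ssh-add -c` per-use prompt."""
    def __init__(self, confirm=lambda: True):
        self.confirm = confirm

    def serve(self, framed):
        msg = read_string(framed)[0]
        if msg[0] == SSH_AGENTC_REQUEST_IDENTITIES:     # lists public keys and comments only
            body = struct.pack(">I", 1) + sstring(PUBLIC_BLOB) + sstring(b"demo key")
            return frame(bytes([SSH_AGENT_IDENTITIES_ANSWER]) + body)
        if msg[0] == SSH_AGENTC_SIGN_REQUEST:           # string key, string data, uint32 flags
            blob, off = read_string(msg, 1)
            data, off = read_string(msg, off)
            if blob != PUBLIC_BLOB or not self.confirm():
                return frame(bytes([SSH_AGENT_FAILURE]))
            sig = pow(digest(data), D, N).to_bytes(12, "big")
            return frame(bytes([SSH_AGENT_SIGN_RESPONSE]) + sstring(sig))
        return frame(bytes([SSH_AGENT_FAILURE]))

def client_sign(agent, challenge):
    """What ssh does: pass the server's challenge to the agent and relay the signature."""
    req = bytes([SSH_AGENTC_SIGN_REQUEST]) + sstring(PUBLIC_BLOB) + sstring(challenge) + struct.pack(">I", 0)
    resp = read_string(agent.serve(frame(req)))[0]
    return read_string(resp, 1)[0] if resp[0] == SSH_AGENT_SIGN_RESPONSE else None

def server_verify(challenge, sig):
    """What sshd does with the key from authorized_keys: needs only E and N, never D."""
    return sig is not None and pow(int.from_bytes(sig, "big"), E, N) == digest(challenge)
```

A declined confirmation makes the agent answer SSH_AGENT_FAILURE, so the client has no signature to present and authentication fails without the key ever being exposed.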
Status on Mac OS X
On the Mac OS X operating system, ssh-agent has been integrated since Leopard. Third-party open-source implementations of ssh-agent were available previously, and are still popular with some users.
External links
- ssh-agent man page from the OpenSSH release (part of the OpenBSD project)
- third-party alternative ssh-agent front-end for Mac OS X
- another third-party alternative ssh-agent front-end for Mac OS X
- "Using ssh-agent with ssh"
- An Illustrated Guide to SSH Agent Forwarding
- security aspects