ssh

ssh-agent

ssh-agent holds your (decrypted) private keys in memory and answers signing requests from ssh, so you do not have to type a key's passphrase for every login. Normally it is started for you by the login or desktop session; on this machine ps shows two of them, one started by mate-session and one bound to a fixed socket path with -a:

1 S kees        7060    7017  0  80   0 -  1517 -      Sep01 ?        00:00:00 /usr/bin/ssh-agent mate-session
0 S kees        9880    7012  0  80   0 -  1517 -      Sep01 ?        00:00:00 /usr/bin/ssh-agent -D -a /run/user/1000/keyring/.ssh

You could start it by hand, but mostly there is no need to.

New keys are added with ssh-add, which can also list the keys the agent currently holds:

ssh-add -l
2048 SHA256:eGmmeo13q9NbRQUZguMi1v+kpcxVRWCj9rK9AHNIlCo /home/kees/.ssh/id_rsa (RSA)
3072 SHA256:ofH8FK3LtcnaGpcOIcEGVPqlDHVa6T5kkdhP5sssw1M kees@hoek (RSA)
256 SHA256:BtL7zaxi0qoPaGgDMnDDCTp47o0db5JJ669gwHadOyg kees@hoek (ED25519)
2048 SHA256:ybxPjx3dowYsCsY5W3SU+kXgNoM+Sc2nBncnbG66oMY ssh-key-2020-11-25 (RSA)

These are:

  • my ssh key for hoek
  • my ed25519 key for UVT
  • two other keys I forgot about

There are, however, 4 .pub files in my ~/.ssh directory, so the count matches.

A key can be added explicitly, by giving its file name, or implicitly:

ssh-add
Identity added: /home/kees/.ssh/id_rsa (/home/kees/.ssh/id_rsa)

Without arguments ssh-add just tries the standard key locations:

  • ~/.ssh/id_rsa
  • ~/.ssh/id_dsa
  • ~/.ssh/id_ecdsa
  • ~/.ssh/id_ed25519
  • ~/.ssh/identity

(~/.ssh/identity is the old protocol 1 key and DSA keys have been disabled by default since OpenSSH 7.0, so on a current system only the rsa, ecdsa and ed25519 entries matter. If a key has a passphrase, ssh-add asks for it once and the agent remembers the unlocked key.)
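The workflow above (start an agent, ssh-add a key, ssh-add -l to see what the agent holds, and matching that listing against the .pub files in a directory) as a script. This is an added example, not code from these notes; it assumes OpenSSH (ssh-agent, ssh-add, ssh-keygen) is installed, the function names are made up here, and it only ever uses throwaway keys generated in a temporary directory, so it never touches your real ~/.ssh.

```shell
#!/bin/sh
# Added example, not part of the original notes: run a throwaway ssh-agent,
# add a freshly generated key with a lifetime, and reconcile what the agent
# reports with the .pub files in a directory by SHA256 fingerprint.
# Assumes OpenSSH (ssh-agent, ssh-add, ssh-keygen) is installed; all keys are
# constructed test material in a temp directory, nothing under ~/.ssh is read.
set -eu

require_openssh() {
    command -v ssh-agent >/dev/null 2>&1 && command -v ssh-keygen >/dev/null 2>&1
}

# "ssh-agent -s" prints the shell commands that export SSH_AUTH_SOCK and
# SSH_AGENT_PID; eval'ing them is how a shell learns where its agent lives.
# A process without SSH_AUTH_SOCK (or without permission to open that socket)
# gets "Could not open a connection to your authentication agent", which is
# what a console login on a machine without an agent sees.
start_scratch_agent() {
    eval "$(ssh-agent -s)" >/dev/null
}

stop_scratch_agent() {
    ssh-agent -k >/dev/null 2>&1 || true
    unset SSH_AUTH_SOCK SSH_AGENT_PID
}

# Generate a passphrase-less ed25519 key named $2 in directory $1
# (constructed test material: never use such a key for real access).
make_key() {
    ssh-keygen -q -t ed25519 -N '' -C "$2" -f "$1/$2"
}

# Add key $1 with a lifetime of $2 seconds (-t): the agent forgets it by
# itself, which bounds how long a forwarded or stolen agent socket is useful.
# Add -c as well to have the agent ask for confirmation on every use.
add_key_with_lifetime() {
    ssh-add -t "$2" "$1" 2>/dev/null
}

# Remove all identities from the agent (ssh-add -D); the files stay on disk.
forget_all_keys() {
    ssh-add -D 2>/dev/null
}

# Fingerprints the agent currently holds, one per line (empty when none).
agent_fingerprints() {
    ssh-add -l 2>/dev/null | awk '$1 ~ /^[0-9]+$/ {print $2}'
}

agent_key_count() {
    agent_fingerprints | grep -c . || true
}

# SHA256 fingerprint of a public key file, the same string ssh-add -l shows.
key_fingerprint() {
    ssh-keygen -lf "$1" | awk '{print $2}'
}

# Does the agent hold the key whose public half is in file $1?
agent_has_key() {
    agent_fingerprints | grep -qxF "$(key_fingerprint "$1")"
}

# Loaded keys that have no matching .pub in directory $1 ("keys I forgot
# about"): compare fingerprint sets rather than trusting the comment field.
agent_keys_not_in_dir() {
    dir=$1
    for pub in "$dir"/*.pub; do
        [ -e "$pub" ] && key_fingerprint "$pub"
    done | sort > "$dir/.ondisk"
    agent_fingerprints | sort | comm -23 - "$dir/.ondisk"
    rm -f "$dir/.ondisk"
}

main() {
    require_openssh || { echo "skip: OpenSSH tools not installed" >&2; return 0; }
    dir=$(mktemp -d)
    start_scratch_agent
    make_key "$dir" demo_ed25519
    echo "before ssh-add:   $(agent_key_count) identities"
    add_key_with_lifetime "$dir/demo_ed25519" 600
    echo "after ssh-add:    $(agent_key_count) identities"
    ssh-add -l
    if agent_has_key "$dir/demo_ed25519.pub"; then echo "agent holds demo_ed25519"; fi
    forget_all_keys
    echo "after ssh-add -D: $(agent_key_count) identities"
    stop_scratch_agent
    rm -rf "$dir"
}
main
```

Comparing fingerprints instead of comments is the reliable way to find out which loaded key belongs to which file: the comment is free text copied at key-generation time (the RSA key above carries its original path as comment), while the SHA256 fingerprint is computed from the public key itself.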

Note that if you ssh into another machine with agent forwarding enabled (ssh -A, or ForwardAgent yes in ssh_config; it is off by default), that session can use the keys of the agent on the machine you started from. This became apparent when trying to check out the solver code from gitlab onto the hp machine, which had no keys whatsoever installed.

Permission denied (publickey).

You can, however, see the keys in use with

ssh-add -l
2048 SHA256:eGmmeo13q9NbRQUZguMi1v+kpcxVRWCj9rK9AHNIlCo /home/kees/.ssh/id_rsa (RSA)
256 SHA256:5EC0qd4r8bNJ8YtrFFp0rROtJufG/cK52AaogFIT8yM kees@a01c4504-bbe6-4b09-a151-38fa795c4671 (ED25519)
3072 SHA256:ofH8FK3LtcnaGpcOIcEGVPqlDHVa6T5kkdhP5sssw1M kees@hoek (RSA)
256 SHA256:9imvR28s1McBTikJOrfxkLGaX8Zva/ptoJn49t+lC/o kees@hoek (ED25519)
256 SHA256:dqSlFAbETY3VW1jY0I+xG1lbvw5a0vBdh46MjIio3ps doc_key (ED25519)
256 SHA256:/9/LRDamw6dE8CLzUBi3awbLSNtgvCRr+FRZb4Y8FJQ kees@hoek (ED25519)

The first key points to ~/.ssh/id_rsa, but ~/.ssh on hp held only one file, known_hosts: the list comes from the agent on hoek, reached through the forwarded socket, not from anything stored on hp. You can see how it works by starting a VM and logging in with ssh.

On the VM itself (logged in on the console):

ssh-add -l
The agent has no identities.

Logged in to the same VM over ssh from hoek:

ssh-add -l
2048 SHA256:eGmmeo13q9NbRQUZguMi1v+kpcxVRWCj9rK9AHNIlCo /home/kees/.ssh/id_rsa (RSA)
256 SHA256:5EC0qd4r8bNJ8YtrFFp0rROtJufG/cK52AaogFIT8yM kees@a01c4504-bbe6-4b09-a151-38fa795c4671 (ED25519)
3072 SHA256:ofH8FK3LtcnaGpcOIcEGVPqlDHVa6T5kkdhP5sssw1M kees@hoek (RSA)
256 SHA256:9imvR28s1McBTikJOrfxkLGaX8Zva/ptoJn49t+lC/o kees@hoek (ED25519)
256 SHA256:dqSlFAbETY3VW1jY0I+xG1lbvw5a0vBdh46MjIio3ps doc_key (ED25519)
256 SHA256:/9/LRDamw6dE8CLzUBi3awbLSNtgvCRr+FRZb4Y8FJQ kees@hoek (ED25519)

Note that this holds ONLY inside that ssh session; the other shells on the VM still have no identities. sshd creates a per-session Unix socket (its path is in SSH_AUTH_SOCK) that relays agent requests back to the agent on hoek; the private keys themselves never leave hoek, only signatures travel over the connection. The flip side is that anyone who can open that socket on the VM, root in particular, can sign with your keys for as long as the session lasts, so forward the agent only to hosts you trust, and prefer ProxyJump when you merely need to pass through a machine.
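A way to check which of the two cases above a shell is in, and to keep forwarding limited to the one host that needs it. This is an added example, not code from these notes or from OpenSSH; bastion.example, hp and hp.internal.example are placeholder host names and the function names are mine. classify_agent is a heuristic built on the environment variables sshd sets, nothing more; the config check assumes an OpenSSH client with -G (6.8 or newer).

```shell
#!/bin/sh
# Added example, not part of the original notes. It shows how a shell can
# tell whether the agent it talks to is a forwarded one, how to restrict
# agent forwarding to the hosts that need it with a per-host ssh_config,
# and checks that config with "ssh -G", which resolves options for a host
# without connecting. The host names (bastion.example, hp, hp.internal.example)
# are placeholders. The config check assumes an OpenSSH client with -G
# (6.8 or newer); the classifier needs nothing but the shell.
set -eu

# Classify the agent a session sees from its environment.
#   $1 = value of SSH_AUTH_SOCK (empty if unset)
#   $2 = value of SSH_CONNECTION (sshd sets it for every ssh login; empty otherwise)
# Heuristic: a session that came in over ssh and still has an agent socket is
# using a forwarded agent, because sshd only creates that socket when the
# client enabled ForwardAgent. Prints one of: none | local | forwarded
classify_agent() {
    sock=$1
    conn=$2
    if [ -z "$sock" ]; then
        echo none
    elif [ -n "$conn" ]; then
        echo forwarded
    else
        echo local
    fi
}

# A client config that forwards the agent to the bastion only, and reaches the
# inner host through it with ProxyJump instead of a second forwarded agent:
# with ProxyJump the inner host authenticates against the agent on your own
# machine over a TCP channel through the bastion, so no agent socket ever
# exists on the bastion for its root user to borrow. Host * last: first match wins.
write_client_config() {
    cat > "$1" <<'EOF'
Host bastion.example
    ForwardAgent yes

Host hp
    HostName hp.internal.example
    ProxyJump bastion.example
    ForwardAgent no

Host *
    ForwardAgent no
EOF
}

# Resolve one option for a host from a config file. -F makes ssh ignore
# /etc/ssh/ssh_config, so the answer depends on this file only.
effective_option() {
    cfg=$1
    host=$2
    opt=$3
    ssh -G -F "$cfg" "$host" | awk -v o="$opt" '$1 == o {print $2; exit}'
}

main() {
    printf 'agent in this shell: %s\n' \
        "$(classify_agent "${SSH_AUTH_SOCK:-}" "${SSH_CONNECTION:-}")"
    command -v ssh >/dev/null 2>&1 || { echo "skip: ssh not installed" >&2; return 0; }
    cfg=$(mktemp)
    write_client_config "$cfg"
    for h in bastion.example hp somewhere.else; do
        printf '%-16s forwardagent=%-4s proxyjump=%s\n' "$h" \
            "$(effective_option "$cfg" "$h" forwardagent)" \
            "$(effective_option "$cfg" "$h" proxyjump)"
    done
    rm -f "$cfg"
}
main
```

ssh -G prints the options ssh would actually use for a host without connecting, so it is a cheap way to confirm that ForwardAgent is off everywhere except the bastion before relying on it; the same check exposes a system-wide /etc/ssh/ssh_config that turns it on for every host, which is the kind of setting that makes keys show up on a machine you never added them to.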

ssh forwarding

ssh can forward ports in two directions: -L opens a listening port on your local machine and sends its connections to a destination as seen from the remote host, -R opens a listening port on the remote host and sends its connections to a destination as seen from your local machine. Basic operation: map port 8888 on your localhost to the web server on another host (othermachine):

map localhost:8888 to othermachine:80 (the "localhost" in the spec is resolved on othermachine, so it means othermachine itself)
localhost> ssh -L 8888:localhost:80 othermachine

Now when you open http://localhost:8888 in the browser on your local machine you get the website on othermachine. This does not, however, work from other machines: ssh binds the forwarded port to 127.0.0.1 unless you give it a bind address (-L 0.0.0.0:8888:localhost:80, or the -g flag), so if your machine is mymachine, opening mymachine:8888 from a third host fails to give the website. You can do the same in the opposite direction, on othermachine, with the -R option (again your localhost is mymachine):

same, but done on the other machine (othermachine); the listening port now lives on mymachine
othermachine> ssh -R 8888:localhost:80 mymachine

Both involve a 'normal' login over which all the extra traffic is tunnelled, so for as long as the tunnel exists you have a login session just like a normal ssh login, and terminating that login terminates the tunnel (-N skips the remote shell and -f backgrounds ssh after authentication, but the tunnel still ends when that ssh process ends). So beware: this is not port forwarding in the iptables sense. You do not assign a port permanently; the listener exists only while the ssh process runs, and a -R listener on the remote side is bound to its loopback address unless that machine's sshd_config sets GatewayPorts.

An example: I would like to reach the port of othermachine whenever I open the url visit from anywhere in the world. This means forwarding all traffic on that port to port 80 on othermachine, so at least an ssh tunnel from obelix, 8989:localhost:80, to othermachine. That way you can open visit on obelix itself and it will work. But what about the rest of the world? See the next sections for an attempt:
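The two commands above, run the way a practitioner would run a long-lived tunnel: without a shell, in the background, with an explicit bind address, and with a control socket so the tunnel can be checked and stopped by name. This is an added example in bash, not code from these notes; othermachine, mymachine and the ports are the placeholders from the text, and the function names and the DRY_RUN switch are mine. Only listen_spec, the DRY_RUN output and port_open run without an ssh server to talk to.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes: manage an ssh tunnel as a
# background "master" connection with a control socket, so it runs without an
# interactive shell and can be checked and torn down by name. It also makes
# the bind address explicit, which is what decides whether other machines can
# reach the forwarded port. Host names and ports are placeholders; the tunnel
# functions need an OpenSSH client and a reachable server, listen_spec and the
# DRY_RUN path do not. port_open uses bash's /dev/tcp.
set -eu

# Build the "bind:listen_port:target_host:target_port" part of -L / -R.
# ssh binds the listener to 127.0.0.1 when no bind address is given; only
# 0.0.0.0 (or -g for -L) makes it reachable from other machines, and for -R
# the remote sshd must additionally allow it with GatewayPorts yes or
# clientspecified. The target is resolved on the *other* end of the tunnel:
# "localhost" in -L 8888:localhost:80 othermachine means othermachine itself.
listen_spec() {    # listen_port target_host target_port [bind_address]
    local lport=$1 thost=$2 tport=$3 bind=${4:-127.0.0.1}
    case $lport$tport in
        *[!0-9]*) echo "listen_spec: ports must be numeric" >&2; return 1 ;;
    esac
    case $bind in
        127.*|localhost|::1) ;;
        *) echo "listen_spec: binding to $bind exposes port $lport to the network" >&2 ;;
    esac
    printf '%s:%s:%s:%s\n' "$bind" "$lport" "$thost" "$tport"
}

# One control socket per tunnel name; ssh -O talks to the master through it.
control_socket() {
    printf '%s/ssh-tunnel-%s.sock\n' "${XDG_RUNTIME_DIR:-/tmp}" "$1"
}

# Start tunnel $1 to ssh host $2; remaining args are -L/-R options.
#   -N  no remote command (the login exists only to carry the tunnel)
#   -f  go to the background once authenticated
#   -M -S  be a control master on a named socket
#   ExitOnForwardFailure  fail instead of leaving a login with no tunnel
# With DRY_RUN set the command is printed instead of executed.
tunnel_start() {
    local name=$1 host=$2
    shift 2
    set -- ssh -f -N -M -S "$(control_socket "$name")" \
        -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 "$@" "$host"
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
        return 0
    fi
    "$@"
}

# Is the master for tunnel $1 (to host $2) still alive? Exit status only.
tunnel_check() { ssh -S "$(control_socket "$1")" -O check "$2" >/dev/null 2>&1; }

# Tear the tunnel down: the listener disappears with the ssh process, which
# is what makes this different from a firewall port forward.
tunnel_stop()  { ssh -S "$(control_socket "$1")" -O exit "$2" >/dev/null 2>&1; }

# Is anything accepting connections on $1:$2? (bash /dev/tcp, no nc needed)
port_open() {
    (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null
}

main() {
    # Show the commands for both directions from the notes without running them.
    DRY_RUN=1
    echo "# on mymachine: localhost:8888 -> othermachine:80 (loopback only)"
    tunnel_start web othermachine -L "$(listen_spec 8888 localhost 80)"
    echo "# same, but reachable from other machines"
    tunnel_start web-public othermachine -L "$(listen_spec 8888 localhost 80 0.0.0.0)"
    echo "# on othermachine: mymachine:8888 -> othermachine:80"
    tunnel_start back mymachine -R "$(listen_spec 8888 localhost 80)"
    unset DRY_RUN
}
main
```

To actually use it: tunnel_start web othermachine -L "$(listen_spec 8888 localhost 80)", then tunnel_check web othermachine and port_open 127.0.0.1 8888 to confirm the listener is up, and tunnel_stop web othermachine when done; the warning printed for a non-loopback bind is there because a 0.0.0.0 listener is the step that turns a private shortcut into a service reachable by anyone who can route to the machine.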