{"id":553,"date":"2011-11-30T18:09:04","date_gmt":"2011-11-30T18:09:04","guid":{"rendered":"http:\/\/tech.avant.net\/q\/?p=553"},"modified":"2012-12-25T22:38:42","modified_gmt":"2012-12-25T22:38:42","slug":"ssh-agent-across-multiple-hosts","status":"publish","type":"post","link":"https:\/\/tech.avant.net\/q\/ssh-agent-across-multiple-hosts\/","title":{"rendered":"ssh agent across multiple hosts"},"content":{"rendered":"<p>I would like single sign-on across multiple hosts. An easy way to do this is with ssh-agent; however, ssh-agent on its own is a bit limited.<\/p>\n<p>For example, the normal use of ssh-agent looks like this:<\/p>\n<pre>\r\n$ ssh-agent\r\nSSH_AUTH_SOCK=\/tmp\/ssh-stSwW11394\/agent.11394; export SSH_AUTH_SOCK;\r\nSSH_AGENT_PID=11395; export SSH_AGENT_PID;\r\necho Agent pid 11395;\r\n<\/pre>\n<p>You would need to set those environment variables in your shell to use the newly created agent, and then use ssh-add to load your key, e.g.,<\/p>\n<pre>\r\n$ eval `ssh-agent`\r\nAgent pid 11464\r\n$ ssh-add\r\nEnter passphrase for \/home\/foobar\/.ssh\/id_dsa: \r\nIdentity added: \/home\/foobar\/.ssh\/id_dsa (\/home\/foobar\/.ssh\/id_dsa)\r\n$ ssh-add -l\r\n1024 84:e3:23:7b:f4:22:a2:da:53:fb:04:19:67:78:2b:3d \/home\/foobar\/.ssh\/id_dsa (DSA)\r\n$\r\n<\/pre>\n<p>From here you can access any host that has your public key in ~\/.ssh\/authorized_keys. (The 1024-bit DSA key shown was typical when this was written; OpenSSH has rejected ssh-dss keys by default since 7.0, so use an ed25519 or RSA key today.)<\/p>\n<p>However, any new shell on this same host would have to go through this process again. Ideally, I want to log in ONCE and ONLY ONCE while working across multiple hosts.<\/p>\n<p>The following snippet can be added to your .bashrc. It maintains a single agent across multiple shells per host, and it respects ssh agent forwarding: if a forwarded agent socket is already present, it is used as-is. It also works when your home directory is mounted across multiple hosts, because the agent's environment is cached in a file named after the host, so each host gets its own agent, started on whichever host you log in to first.<\/p>\n<pre class=\"sh_sh\">\r\n# ssh agent -- for shared home directory across hosts\r\nSSH_ENV=\"$HOME\/.ssh\/.environment.$(hostname)\"\r\n\r\nfunction start_agent {\r\n  echo \"Starting a new ssh-agent on this host\"\r\n  # Cache the agent's environment (minus the \"echo Agent pid\" line) in a file\r\n  # that is private from the moment it is created: umask, not a later chmod.\r\n  ( umask 077; ssh-agent | sed 's\/^echo\/#echo\/' > \"${SSH_ENV}\" )\r\n  . \"${SSH_ENV}\" > \/dev\/null\r\n  ssh-add\r\n  echo succeeded\r\n}\r\n\r\n## ssh-agent\r\nif [ -S \"${SSH_AUTH_SOCK:-}\" ]; then\r\n  # An agent socket is already reachable (e.g. forwarded with ssh -A): use it.\r\n  echo \"Using ${SSH_AUTH_SOCK}\"\r\nelif [ -f \"${SSH_ENV}\" ]; then\r\n  echo \"Using ${SSH_ENV}\"\r\n  . \"${SSH_ENV}\" > \/dev\/null\r\n  # Check that the cached PID is still a running ssh-agent. Asking ps about\r\n  # that one PID avoids the false match \"ps -ef | grep $PID\" gives when the\r\n  # PID is a substring of some other process's PID.\r\n  if [ \"$(ps -p \"${SSH_AGENT_PID:-0}\" -o comm= 2>\/dev\/null)\" != \"ssh-agent\" ]; then\r\n    echo \"${SSH_ENV} agent is no longer running\"\r\n    start_agent\r\n  fi\r\nelse\r\n  start_agent\r\nfi\r\n<\/pre>\n<p>With this in place you typically need to enter your passphrase only once per work session, regardless of which host you log in to first. With ssh agent forwarding, e.g., <em>ssh -A user@host<\/em>, you can then jump from host to host without retyping the same passphrase. Forward the agent only to hosts you trust, though: anyone with root on an intermediate host can use the forwarded socket to authenticate as you for as long as your session is open. <em>ssh-add -c<\/em> makes the agent ask for confirmation before each use of a key, and <em>ssh-add -t<\/em> limits how long a key stays loaded.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I would like single sign-on across multiple hosts. An easy way to do this is with ssh-agent; however, ssh-agent on its own is a bit limited. For example, the normal use of ssh-agent looks like this, $ ssh-agent SSH_AUTH_SOCK=\/tmp\/ssh-stSwW11394\/agent.11394; export SSH_AUTH_SOCK; SSH_AGENT_PID=11395; export SSH_AGENT_PID; echo Agent pid 11395; You would need to set those environment variables to use [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[14,5],"tags":[],"_links":{"self":[{"href":"https:\/\/tech.avant.net\/q\/wp-json\/wp\/v2\/posts\/553"}],"collection":[{"href":"https:\/\/tech.avant.net\/q\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tech.avant.net\/q\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tech.avant.net\/q\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/tech.avant.net\/q\/wp-json\/wp\/v2\/comments?post=553"}],"version-history":[{"count":4,"href":"https:\/\/tech.avant.net\/q\/wp-json\/wp\/v2\/posts\/553\/revisions"}],"predecessor-version":[{"id":705,"href":"https:\/\/tech.avant.net\/q\/wp-json\/wp\/v2\/posts\/553\/revisions\/705"}],"wp:attachment":[{"href":"https:\/\/tech.avant.net\/q\/wp-json\/wp\/v2\/media?parent=553"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tech.avant.net\/q\/wp-json\/wp\/v2\/categories?post=553"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tech.avant.net\/q\/wp-json\/wp\/v2\/tags?post=553"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
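The per-host agent cache from the .bashrc snippet in the post above, rewritten as small functions so each decision (is a forwarded socket present, is the cached PID really an ssh-agent, what should a new shell do) can be exercised on its own. This is an added example, not code from the original post. It assumes the cache file lives under $HOME/.ssh and is named after the host (using `uname -n` where the post uses `hostname`), and that the raw output of `ssh-agent` is fed on stdin; the sample agent output at the bottom is constructed, not captured from a real agent.

```sh
#!/bin/sh
# Added example; not code from the original post. The post's .bashrc logic
# split into small functions so each decision can be checked on its own.
# Assumptions: the cache file lives under $HOME/.ssh and is named after the
# host (uname -n here, where the post uses hostname), and the raw output of
# `ssh-agent` arrives on stdin.

# Path of the per-host cache file: one agent per host even on a shared home.
agent_env_file() {
  printf '%s/.ssh/.environment.%s\n' "$1" "$(uname -n)"
}

# Turn ssh-agent's output into a sourceable file. The trailing
# "echo Agent pid" line is dropped, and the file is created 0600 by umask,
# so there is no window in which a later chmod has not yet run.
save_agent_env() {
  ( umask 077; sed '/^echo /d' > "$1" )
}

# Succeed only if $1 is a numeric PID whose command name is ssh-agent.
# Asking ps about that one PID avoids the false match that
# "ps -ef | grep $PID" gives when $PID is a substring of another PID.
agent_alive() {
  [ -n "$1" ] || return 1
  case "$1" in *[!0-9]*) return 1 ;; esac
  [ "$(ps -p "$1" -o comm= 2>/dev/null)" = "ssh-agent" ]
}

# What a new shell should do, mirroring the three branches in the post:
#   forwarded - SSH_AUTH_SOCK is a live socket (e.g. from ssh -A): reuse it
#   cached    - the cache file names an ssh-agent that is still running
#   new       - nothing usable, so start an agent and run ssh-add
agent_action() {
  if [ -S "${SSH_AUTH_SOCK:-}" ]; then
    echo forwarded
  elif [ -f "$1" ] && agent_alive "$(sed -n 's/^SSH_AGENT_PID=\([0-9]*\);.*/\1/p' "$1")"; then
    echo cached
  else
    echo new
  fi
}

# Constructed sample of what `ssh-agent` prints (not a real agent).
SAMPLE_AGENT_OUTPUT='SSH_AUTH_SOCK=/tmp/ssh-XXXXXX/agent.4242; export SSH_AUTH_SOCK;
SSH_AGENT_PID=4243; export SSH_AGENT_PID;
echo Agent pid 4243;'

# Write the sample into a throwaway cache file and show what a shell would do.
demo() {
  dir=$(mktemp -d)
  f="$dir/.environment.demo"
  printf '%s\n' "$SAMPLE_AGENT_OUTPUT" | save_agent_env "$f"
  echo "cache file $f:"
  cat "$f"
  echo "action: $(agent_action "$f")"
  rm -rf "$dir"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh agent-cache.sh demo` to see the cache file and the decision; in a .bashrc you would call `agent_action "$(agent_env_file "$HOME")"` and start an agent only when it answers `new`. The `-S` test on SSH_AUTH_SOCK is what makes a forwarded agent win over the cached one, which is the behaviour the post relies on when hopping with `ssh -A`.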