[Cialug] ssh-agent and multiple keys
Jeff Chapin
chapinjeff at gmail.com
Fri May 16 17:04:12 CDT 2008
I have a slight issue that I am looking for advice on regarding ssh
keys, and ssh-agent.
I am looking to use ssh-agent with a large number of hosts, with one key
per host. It appears that ssh-agent is pretty "stupid" when it comes to
offering keys to a server.
Here is a contrived, simplified example:
$ for x in `seq 1 10`; do ssh-keygen -t dsa -f key-$x.dsa;done
<snip -- keys generated>
$ ssh-add -l
The agent has no identities.
$ ssh-add ./*.dsa
Identity added: ./key-10.dsa (./key-10.dsa)
Identity added: ./key-1.dsa (./key-1.dsa)
Identity added: ./key-2.dsa (./key-2.dsa)
Identity added: ./key-3.dsa (./key-3.dsa)
Identity added: ./key-4.dsa (./key-4.dsa)
Identity added: ./key-5.dsa (./key-5.dsa)
Identity added: ./key-6.dsa (./key-6.dsa)
Identity added: ./key-7.dsa (./key-7.dsa)
Identity added: ./key-8.dsa (./key-8.dsa)
Identity added: ./key-9.dsa (./key-9.dsa)
Now I have 10 keys loaded up, and I will load the "correct" key for the
server in question:
$ ssh-add ./real.rsa
Enter passphrase for ./real.rsa:
Identity added: ./real.rsa (./real.rsa)
Now, in theory, I can 'ssh my-user@my-domain.com -v' and watch things work:
$ ssh my-user@my-domain.com -v
<snip -- un-needed debugging>
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: ./key-10.dsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering public key: ./key-1.dsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering public key: ./key-2.dsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering public key: ./key-3.dsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering public key: ./key-4.dsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering public key: ./key-5.dsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering public key: ./key-6.dsa
Received disconnect from : 4.2.2.1: Too many authentication failures for my-user
As you can see ssh-agent just went down the list of keys, trying them
one at a time, and eventually pissed off my server before finding one
that works.
I have found various ways (-i, IdentityFile directives) that address
this with key-files -- they let you specify the keyfile to use, which
then prompts to get unlocked with each use, but not an identity in
ssh-agent.
Ultimately, I would like to get a system where I can unlock a key and
add it to ssh-agent for some period of time (until the end of the work
day, for instance) and only unlock it once a day as a cross between
using a password/passphrase each session and going passphrase-less. This
would also allow me to store my ssh-keys on a USB drive and keep the
drive in my pocket most of the day, and not worry about
mounting/using/unmounting throughout the day.
Any advice, or solutions to this would be appreciated.
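The following is an added example and is not part of the original post or its replies. It shows the standard ssh_config answer to the behaviour described above: the IdentitiesOnly option limits ssh to the IdentityFile listed for a Host, so it no longer offers every key the agent holds, and when that key is already loaded in the agent ssh signs through the agent without prompting for the passphrase. The host names, user names, key paths and the "host user keyfile" inventory format are hypothetical; the per-host stanzas are written to a temporary file rather than to ~/.ssh/config.

```shell
#!/bin/sh
# Added example, not from the original post: pin one agent-held identity to
# each host with IdentitiesOnly, so ssh stops walking the agent's whole key
# list and tripping the server's MaxAuthTries. Host names, user names and
# key paths below are hypothetical.

# Emit one ssh_config stanza. IdentitiesOnly tells ssh to offer only the
# IdentityFile(s) listed for this Host, even when ssh-agent holds more keys.
# If that key is already loaded in the agent, ssh still signs through the
# agent and does not prompt for the passphrase.
pin_identity() {
    printf 'Host %s\n' "$1"
    printf '    User %s\n' "$2"
    printf '    IdentityFile %s\n' "$3"
    printf '    IdentitiesOnly yes\n\n'
}

# Turn a "host user keyfile" inventory (one entry per line, a format made up
# for this example) into a complete config.
build_config() {
    while read -r host user keyfile; do
        [ -n "$host" ] || continue
        pin_identity "$host" "$user" "$keyfile"
    done
}

# Report which key the Host block for $2 in config file $1 pins.
identity_for_host() {
    awk -v want="$2" '
        $1 == "Host"                        { cur = $2 }
        $1 == "IdentityFile" && cur == want { print $2 }
    ' "$1"
}

# Load a key into the agent for one working day (8 h) instead of forever;
# ssh-add -t takes a lifetime in seconds. Not run here: it needs an agent.
load_for_workday() {
    ssh-add -t 28800 "$1"
}

# Constructed sample inventory, written to a temp file, not ~/.ssh/config.
cfg=$(mktemp)
build_config <<'EOF' > "$cfg"
db1.example.com  dbadmin  ~/.ssh/db1.rsa
web1.example.com www      ~/.ssh/web1.rsa
EOF
cat "$cfg"
# After `ssh-add -t 28800 ~/.ssh/db1.rsa`, `ssh -v db1.example.com` offers
# only ~/.ssh/db1.rsa. ssh still reads ~/.ssh/db1.rsa.pub to know which agent
# key to request, so keep the .pub files on the machine even when the
# private keys live on a USB drive that is unmounted most of the day.
```

Each key offered to the server counts as one authentication attempt against sshd's MaxAuthTries, which is why the transcript above is cut off after a handful of "Offering public key" lines; with IdentitiesOnly the server sees exactly one offer per host.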