[Cialug] ssh-agent and multiple keys
Zachary Kotlarek
zach at kotlarek.com
Fri May 16 21:09:38 CDT 2008
On May 16, 2008, at 6:22 PM, Jeff Chapin wrote:
> In the long run, I am hoping to set it up so that when I first ssh
> to a host for the day, the key for that host is unlocked and added
> to my ssh-agent, with an expiration of say, 6:00pm. That way, I can
> work with unlocked keys per-host for the day, and they get re-locked
> each night (or after an hour, whatever I end up deciding). I
> ultimately do not plan on unlocking them all at once. To add to the
> fun, I am storing my keys on a removable, truecrypt protected USB
> drive -- unlocking them and adding them to ssh-agent allows me to
> unplug and keep the keys in a non-network accessible location.
> Moving forward, I am considering separating out my testing, staging
> and personal keys from the production keys, and putting them on a
> separate USB drive and locking it up.
It is possible to run more than one ssh-agent at a time. As long as
you keep track of all the socket files you could have a whole slew of
different key sets available, and just swap the right one into place
as part of a wrapper for the actual ssh call.
First start the separate agents, with default timeouts of 8 hours:
> eval `ssh-agent -s -t 8h`
> KEY_DOMAIN_1_SOCK="$SSH_AUTH_SOCK"; export KEY_DOMAIN_1_SOCK;
> SSH_AUTH_SOCK=""; export SSH_AUTH_SOCK;
ssh-agent also outputs its PID, but you don't need that for anything
but to kill it with `ssh-agent -k`. You'd probably want a related call
to ssh-add; how you set that up depends on exactly how and when you'd
like to add keys. Then call ssh with a wrapper like this:
> #!/bin/bash
> if [ -z "${1}" ]; then
>   echo "Usage: `basename "${0}"` host [key_domain]"
>   exit 1
> fi
>
> HOST="${1}"
> DOMAIN="${1}"
> if [ -n "${2}" ]; then
>   DOMAIN="${2}"
> fi
>
> # Patterns are left unquoted: bash treats a quoted right-hand side of =~
> # as a literal string, so 'DOMAIN_1$' would only match a literal "$".
> # If no pattern matches, SSH_AUTH_SOCK stays empty and ssh runs with no agent.
> if [[ $DOMAIN =~ DOMAIN_1$ ]]; then
>   SSH_AUTH_SOCK=$KEY_DOMAIN_1_SOCK
> elif [[ $DOMAIN =~ DOMAIN_2$ ]]; then
>   SSH_AUTH_SOCK=$KEY_DOMAIN_2_SOCK
> ...
> elif [[ $DOMAIN =~ DOMAIN_N$ ]]; then
>   SSH_AUTH_SOCK=$KEY_DOMAIN_N_SOCK
> fi
>
> export SSH_AUTH_SOCK
> exec ssh "${HOST}"
You might need something more robust if you plan to call ssh with any
arguments, but I'm sure you get the picture.
Zach
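The scheme above (one agent per key set, a wrapper that swaps the right socket in before calling ssh), as an added example that is not part of Zach's post. It is written for POSIX sh rather than bash, parses ssh-agent's output instead of eval'ing it so the agents never stack on top of each other, and fails closed when a host matches no key domain or that domain's agent was never started. The *.example.com suffixes, the KEY_DOMAIN_*_SOCK variable names and the key path in the comments are assumptions, not anything from the original message.

```shell
#!/bin/sh
# Added example, not code from the original post: one ssh-agent per "key
# domain", and a wrapper that hands ssh the socket of the agent for the host
# it is about to contact. The domain suffixes (*.example.com) and the
# KEY_DOMAIN_*_SOCK variable names are hypothetical; substitute your own.

# start_agent VAR [LIFETIME]: start a dedicated agent whose keys expire after
# LIFETIME (default 8h), and record its socket in $VAR and its PID in ${VAR}_PID.
# The agent's output is parsed rather than eval'd so the caller's own
# SSH_AUTH_SOCK is left alone and the agents never stack.
start_agent() {
    var="$1"
    life="${2:-8h}"
    out=$(ssh-agent -s -t "$life") || return 1
    sock=$(printf '%s\n' "$out" | sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p')
    pid=$(printf '%s\n' "$out" | sed -n 's/^SSH_AGENT_PID=\([^;]*\);.*/\1/p')
    eval "$var=\"\$sock\"; ${var}_PID=\"\$pid\"; export $var ${var}_PID"
}

# stop_agent VAR: kill the agent recorded by start_agent VAR (no-op if none).
stop_agent() {
    eval "pid=\"\${${1}_PID:-}\""
    [ -n "$pid" ] || return 0
    kill "$pid"
}

# sock_var_for DOMAIN: print the name of the variable that holds the socket
# for DOMAIN. More specific suffixes come first so that they win over the
# catch-all *.example.com entry.
sock_var_for() {
    case "$1" in
        prod.example.com|*.prod.example.com)       echo KEY_DOMAIN_PROD_SOCK ;;
        staging.example.com|*.staging.example.com) echo KEY_DOMAIN_STAGING_SOCK ;;
        *.example.com)                             echo KEY_DOMAIN_DEV_SOCK ;;
        *) echo "no key domain for $1" >&2; return 1 ;;
    esac
}

# agent_sock_for HOST [DOMAIN]: print the agent socket to use for HOST.
# DOMAIN defaults to HOST. Fails rather than falling back to an empty
# SSH_AUTH_SOCK when the domain is unknown or its agent was never started.
agent_sock_for() {
    var=$(sock_var_for "${2:-$1}") || return 1
    eval "sock=\"\${$var:-}\""
    if [ -z "$sock" ]; then
        echo "$var is not set: start that agent first" >&2
        return 1
    fi
    printf '%s\n' "$sock"
}

# ssh_with_domain HOST [remote command...]: exec ssh with only the chosen
# agent visible. Set KEY_DOMAIN=<suffix> to override the match on HOST; put
# per-host ssh options (port, user, ForwardAgent) in ~/.ssh/config.
ssh_with_domain() {
    [ -n "${1:-}" ] || { echo "usage: ssh_with_domain host [command...]" >&2; return 1; }
    host="$1"; shift
    sock=$(agent_sock_for "$host" "${KEY_DOMAIN:-$host}") || return 1
    SSH_AUTH_SOCK="$sock" exec ssh "$host" "$@"
}

# Typical session (commands shown only, not run by this file):
#   . ./ssh-domains.sh
#   start_agent KEY_DOMAIN_PROD_SOCK 8h
#   SSH_AUTH_SOCK=$KEY_DOMAIN_PROD_SOCK ssh-add /media/keys/prod_id_rsa
#   ssh_with_domain db1.prod.example.com
#   stop_agent KEY_DOMAIN_PROD_SOCK
```

Because the ssh process inherits only the one socket, a staging host that has agent forwarding turned on can only ever talk to the staging agent; the production keys are not merely unselected but invisible to it. Keys are still loaded per agent with `SSH_AUTH_SOCK=$KEY_DOMAIN_PROD_SOCK ssh-add ...`, and `ssh-add -t` can shorten the agent's default lifetime for an individual key.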