Pantek Library

RE: Going MAD trying to get scp working on Solaris8 - Horah - It's resolved - Or Is it....

From: Fraser, Mike <mfraser(at)dsiddoms.eds.com>
Date: Fri Jun 20 2003 - 08:40:34 EDT


Gary, etal,

The ssh-agent will indeed hold keys for use by ssh related programs. The problem you are hitting is running MULTIPLE copies of the agent, each with its own copy of the key available only to the calling session and children.

The key to what you want to accomplish is to make sure a SINGLE agent is available to all ssh related programs run by the user. When the ssh-agent is run by the eval it emits two variables into the environment.

	SSH_AGENT_PID=nnnnn
	SSH_AUTH_SOCK=/tmp/ssh-??????/agent.mmmmm   # or something similar

All children of this session use these variables to communicate with the active agent. The problem is that children of new sessions do not have this information to contact the active agent.

Try adding the following snippet to .profile (for Bourne shells or similar), i.e. replace the eval 'ssh-agent'. This will:

1 - Ensure a single copy of the agent.
2 - Point all successive sessions for the same user to the ONE active agent.

There are certainly ways to improve this code but it works for me. BTW, you will have to manually do the ssh-add for the first invocation to provide the passphrase.

The one disadvantage I find is that if the system is rebooted, thus killing the active agent, all successive non-interactive sessions will start/find the agent then fail for lack of a loaded key.


Hope this helps, Mike



# load ssh agent or connect to an existing agent

# File to store agent pointer data
AGT=$HOME/.ssh-agent.out

# do we know of one already?
if [ -z "$SSH_AGENT_PID" ]
then

    if [ -f $AGT ]
    then

        # Use data from prior agent invocation
        eval `cat $AGT`
    else

        # Or start a new agent and connect this session to it
        ssh-agent >$AGT
        # 0600, not 0500: the file is sourced, not executed, and it must
        # stay writable by the owner so a later restart can overwrite it
        chmod 0600 $AGT
        . $AGT

        # May want to ssh-add here

    fi

    # Make sure PID points to a real ssh-agent & that it's really mine
    # Caution: the following grep will vary across OS/release as 'ps' output changes

    if ps -fp $SSH_AGENT_PID | grep -q "^[ ]*$LOGNAME.*ssh-agent$"
    then
        echo Agent pid valid # all OK
    else

        # Nothing useful there at this PID, so start a new agent and
        # connect this session to it
        ssh-agent >$AGT
        chmod 0600 $AGT
        . $AGT

        # May want to ssh-add here

    fi
fi
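
As an added example that is not part of Mike's post, the same single-agent idea written so that the liveness check is the exit status of `ssh-add -l` rather than a `ps` pattern (which, as noted above, changes between OS releases), and so that a non-interactive caller fails with a clear status when the agent has no loaded key instead of hanging on a passphrase prompt; the pointer file name and the function names are this example's own choices.

```shell
# Added example, not code from the original post. Same goal as Mike's
# snippet (one agent shared by all of a user's sessions), but the agent
# check is the exit status of `ssh-add -l` (0 = identities loaded,
# 1 = agent reachable but empty, 2 = no agent) rather than a `ps` pattern.
# The pointer file name and the function names are this example's own.
AGT="${AGT:-$HOME/.ssh-agent.out}"

# Classify the agent named by SSH_AUTH_SOCK from the ssh-add -l exit status.
agent_status() {
    if ssh-add -l >/dev/null 2>&1; then echo loaded
    elif [ $? -eq 1 ]; then echo empty      # reachable, no identities
    else echo unreachable                   # 2 from ssh-add, 127 if absent
    fi
}

# Import SSH_AUTH_SOCK / SSH_AGENT_PID from a saved pointer file; reject
# a file missing either variable (truncated or tampered with).
load_agent_file() {
    [ -r "$1" ] || return 1
    grep -q '^SSH_AUTH_SOCK=' "$1" || return 1
    grep -q '^SSH_AGENT_PID=' "$1" || return 1
    . "$1" >/dev/null
}

# Start a fresh agent; umask makes the pointer file 0600 from creation,
# so there is no window in which it is world-readable before a chmod.
start_agent() {
    (umask 077; ssh-agent -s >"$AGT") && . "$AGT" >/dev/null
}

# Ensure a live agent holding an identity. A non-interactive caller (cron,
# scripts) must not block on a passphrase prompt, so it fails with status 1
# instead: the post-reboot failure Mike describes becomes an explicit error.
# Returns 0 = ready, 1 = agent has no identity, 2 = could not start an agent.
ensure_agent() {
    load_agent_file "$AGT" || start_agent || return 2
    st=$(agent_status)
    if [ "$st" = unreachable ]; then   # stale pointer file, e.g. after a reboot
        start_agent || return 2
        st=$(agent_status)
    fi
    case "$st" in
        loaded) return 0 ;;
        empty)  [ -t 0 ] && ssh-add && return 0
                echo "ssh-agent holds no identity; run ssh-add interactively" >&2
                return 1 ;;
        *)      return 2 ;;
    esac
}
```

A cron job would source this file and run `ensure_agent || exit` before calling scp, so a missing key shows up as a failed job rather than a hung one.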

-----Original Message-----
From: Wright, Gary [mailto:Gary.Wright@uk.experian.com]
Sent: Thursday, June 19, 2003 11:02 AM
To: 'secureshell@securityfocus.com'
Subject: Going MAD trying to get scp working on Solaris8 - Horah - It's resolved - Or Is it....

MANY MANY MANY MANY THANKS to everyone for replying to my email, scp is now working without entering a password or passphrase. It works by entering NO passphrase when creating the key files (on both servers) and by setting (PubkeyAuthentication yes) in sshd_config. As soon as these changes were made and the SSHD daemons were re-started, all was fine :-)))

My only remaining question is, isn't it VERY insecure to use NULL passphrases? All SSH documentation warns against using null passphrases. Is it not possible to copy file(s) via scp and use passphrases?

Further investigation reveals that you can set a passphrase as recommended and then use the eval 'ssh-agent' and ssh-add commands to add the passphrase to the running agent. This looks great, BUT it appears that a user has to enter the passphrase every time the agent is called. I know I must be missing something as you must be able to add the pass-phrase once only, and then be able to use scp whenever from scripts/cronjobs etc.

Can anyone please tell me how I now complete the final piece of the puzzle and add the passphrase ONCE enabling a user to use scp whenever (interactively, scripts, cronjobs etc).

Thanks again for all your help.


Regards,

Gary.

Gary Wright
Oracle Technical Team Leader
Host Strategy
Experian Ltd

+44 (0)115 934 4672
+44 (0)7967 342 777
+44 (0)115 934 4680
Email: gary.wright@uk.experian.com


=======================================================================
Information in this email and any attachments are confidential, and may not be copied or used by anyone other than the addressee, nor disclosed to any third party without our permission. There is no intention to create any legally binding contract or other commitment through the use of this email.
Experian Limited (registration number 653331). Registered office: Talbot House, Talbot Street, Nottingham NG1 5HF

Received on Fri Jun 20 15:50:56 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:59 EDT

