Friday, August 19, 2011

Ubuntu 11.4 using Gnome Keyring as a SSH agent

It has been a long time since I tried public key authentication for SSH (2005 was the last time I did this).

Well, since then 'Gnome Keyring SSH Agent' has been added by Linux distributions, as I found out to my surprise when I typed the following into a Linux terminal:

ssh roy@example.com

I got the following pop-up, which I did not expect:



I expected the following message, because I had created a key with a non-standard name (i.e. roy_ssh_key) and did not specify the identity file when running the ssh command:

Permission denied (publickey).

'Gnome Keyring SSH Agent' had found both the public (roy_ssh_key.pub) and private (roy_ssh_key) keys in the directory ~/.ssh, so it was trying to load the private key into the agent and was asking for the private key password.

If you enter the private key password in the 'Unlock private key' dialogue, the private key is loaded into the SSH agent, and any future attempts to ssh will try to use the private key held in the agent.

The following command showed me that the agent had loaded my private key:

ssh-add -l

2048 4e:a9:25:8b:05:0d:c7:a5:25:eb:5e:92:6a:e7:aa:8a roy@dell.pc (RSA)

This fingerprint will match the public key in ~/.ssh.

If you reboot your machine and then log back in, Gnome Keyring SSH Agent automatically loads the private key, this time without asking you for the password. It protects the stored private key password with the login password of the user account that holds the private key in ~/.ssh.

You can check to verify that this is the case by running this familiar command:

ssh-add -l

But I feel uneasy with this feature, where Gnome Keyring SSH Agent automatically loads files in ~/.ssh that have corresponding *.pub paired files. One solution to stop it automatically loading private keys is to remove the corresponding *.pub from ~/.ssh.
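To check the same thing from a script, here is an added example (not code from the original post): it lists the keys in ~/.ssh that have a paired *.pub file, compares their fingerprints against what `ssh-add -l` reports, and can rename a *.pub aside to stop the auto-loading. The `.disabled` suffix and the `--audit` flag are my own choices, not anything Gnome Keyring or OpenSSH defines.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a directory (default
# ~/.ssh) for private keys that have a paired *.pub file, which is what makes
# Gnome Keyring SSH Agent offer to load them, and reports whether `ssh-add -l`
# currently shows each one. The audit itself needs ssh-keygen and ssh-add.

# Print every private key in DIR that has a matching DIR/<name>.pub.
paired_private_keys() {
    for pub in "$1"/*.pub; do
        [ -f "$pub" ] || continue
        priv=${pub%.pub}
        [ -f "$priv" ] && printf '%s\n' "$priv"
    done
    return 0
}

# Succeed if FINGERPRINT occurs in LISTING (the text printed by `ssh-add -l`).
agent_has_fingerprint() {
    [ -n "$1" ] || return 1            # an empty pattern would match anything
    printf '%s\n' "$2" | grep -F -q -- "$1"
}

# Stop auto-loading of one key the way the post suggests: take the *.pub away.
# Renaming it (hypothetical ".disabled" suffix) instead of deleting keeps it
# recoverable; `ssh-keygen -y` can regenerate it from the private key anyway.
unpair_key() {
    mv "$1.pub" "$1.pub.disabled"
}

# For each paired key in DIR, report whether the running agent holds it.
audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    listing=$(ssh-add -l 2>/dev/null || true)   # empty when no agent/keys
    paired_private_keys "$dir" | while read -r priv; do
        # Field 2 of `ssh-keygen -lf` is the fingerprint, in the same format
        # the local ssh-add prints, so a plain substring match is enough.
        fp=$(ssh-keygen -lf "$priv.pub" | awk '{print $2}')
        if agent_has_fingerprint "$fp" "$listing"; then
            printf 'LOADED     %s (%s)\n' "$priv" "$fp"
        else
            printf 'not loaded %s (%s)\n' "$priv" "$fp"
        fi
    done
}

# Only run the audit when invoked with --audit, so the file can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_ssh_dir "${2:-$HOME/.ssh}"
fi
```

Run it as `sh audit_keys.sh --audit` after logging in; a key reported as LOADED without you having typed its password is one the keyring unlocked for you.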
