[Cialug] ssh-agent and multiple keys

Jeff Chapin chapinjeff at gmail.com
Fri May 16 21:49:39 CDT 2008


Zachary Kotlarek wrote:
> On May 16, 2008, at 6:22 PM, Jeff Chapin wrote:
>
>> In the long run, I am hoping to set it up so that when I first ssh to 
>> a host for the day, the key for that host is unlocked and added to my 
>> ssh-agent, with an expiration of say, 6:00pm.  That way, I can work 
>> with unlocked keys per-host for the day, and they get re-locked each 
>> night (or after an hour, what ever I end up deciding). I ultimately 
>> do not plan on unlocking them all at once. To add to the fun, I am 
>> storing my keys on a removable, truecrypt protected USB drive -- 
>> unlocking them and adding them to ssh-agent allows me to unplug and 
>> keep the keys in a non-network accessible location. Moving forward, I 
>> am considering separating out my testing, staging and personal keys 
>> from the production keys, and putting them on a separate USB drive 
>> and locking it up.
>
> It is possible to run more than one ssh-agent at a time. As long as 
> you keep track of all the socket files you could have a whole slew of 
> different key sets available, and just swap the right one into place 
> as part of a wrapper for the actual ssh call.
>
> First start the separate agents, with default timeouts of 8 hours:
>
>> # -t sets the default key lifetime; -k would kill an existing agent
>> eval `ssh-agent -s -t 8h`
>> KEY_DOMAIN_1_SOCK="$SSH_AUTH_SOCK"; export KEY_DOMAIN_1_SOCK;
>> SSH_AUTH_SOCK=""; export SSH_AUTH_SOCK;
>
> ssh-agent also outputs its PID, but you don't need that for anything 
> but to kill it with `ssh-agent -k`. You'd probably want a related call 
> to ssh-add; how you set that up depends on exactly how and when you'd 
> like to add keys. Then call ssh with a wrapper like this:
>
>> #!/bin/bash
>> if [ -z "${1}" ]; then
>>     echo "Usage: `basename "${0}"` host [key_domain]"
>>     exit 1
>> fi
>>
>> DOMAIN="${1}"
>> if [ -n "${2}" ]; then
>>     DOMAIN="${2}"
>> fi
>>
>> # patterns must be unquoted: a quoted right-hand side of =~ is matched literally
>> if [[ $DOMAIN =~ DOMAIN_1$ ]]; then
>>     SSH_AUTH_SOCK=$KEY_DOMAIN_1_SOCK
>> elif [[ $DOMAIN =~ DOMAIN_2$ ]]; then
>>     SSH_AUTH_SOCK=$KEY_DOMAIN_2_SOCK
>> # ... one branch per key domain ...
>> elif [[ $DOMAIN =~ DOMAIN_N$ ]]; then
>>     SSH_AUTH_SOCK=$KEY_DOMAIN_N_SOCK
>> fi
>>
>> export SSH_AUTH_SOCK
>> exec ssh "${1}"
>
> You might need something more robust if you plan to call ssh with any 
> arguments, but I'm sure you get the picture.
>
>     Zach
I will have to play with this this weekend.. This seems EXACTLY what I 
needed!

Thanks!
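Zach's scheme carried through as one complete script, added here as an example and not code from the thread. It assumes three made-up key domains (prod, staging, personal) chosen by hostname suffix under example.com and example.org, keys kept under /media/keys/<domain>/, and one socket per domain recorded in KEY_DOMAIN_<DOMAIN>_SOCK; all of those names are illustrative. It also covers the case Zach flags at the end, ssh called with options ahead of the host, and it refuses outright for a host that belongs to no domain rather than offering whatever agent the shell happens to have.

```bash
#!/bin/bash
# Added example, not code from the thread. Assumptions: three hypothetical key
# domains (prod, staging, personal) picked by hostname suffix, key files under
# /media/keys/<domain>/, and one agent socket per domain recorded in
# KEY_DOMAIN_<DOMAIN>_SOCK (pid in KEY_DOMAIN_<DOMAIN>_PID).

# Hostname suffix -> key domain. The patterns live in variables and are expanded
# unquoted on the right of =~, so bash treats them as regexes; a quoted pattern
# there is matched as a literal string and never fires.
key_domain_for_host() {
    local host="$1"
    local prod_re='\.prod\.example\.com$'
    local staging_re='\.staging\.example\.com$'
    local personal_re='\.example\.org$'
    if   [[ $host =~ $prod_re ]];     then echo prod
    elif [[ $host =~ $staging_re ]];  then echo staging
    elif [[ $host =~ $personal_re ]]; then echo personal
    else return 1
    fi
}

# Variable name holding a domain's agent socket, e.g. KEY_DOMAIN_PROD_SOCK.
sock_var_for_domain() {
    printf 'KEY_DOMAIN_%s_SOCK\n' "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
}

# Socket path for a domain's agent, or failure if that agent was never started.
agent_sock_for_domain() {
    local var sock
    var="$(sock_var_for_domain "$1")"
    sock="${!var:-}"
    [ -n "$sock" ] || return 1
    printf '%s\n' "$sock"
}

# Destination host out of a full ssh argument list, so options may precede the
# host. ssh options that take a value consume the next word (also when bundled,
# as in -vp 2222); "user@host" loses the user part; ssh:// URIs are not handled.
target_host_from_args() {
    local arg literal=0
    while [ "$#" -gt 0 ]; do
        arg="$1"; shift
        if [ "$literal" -eq 0 ]; then
            case "$arg" in
                --) literal=1; continue ;;
                -*[BbcDEeFIiJLlmOopQRSWw]) shift; continue ;;
                -*) continue ;;
            esac
        fi
        printf '%s\n' "${arg##*@}"
        return 0
    done
    return 1
}

# Start one agent per domain with a finite default key lifetime (-t; -k would
# kill an agent), load that domain's keys, and leave SSH_AUTH_SOCK unset on
# purpose: a host outside every domain must get no keys, not all of them.
start_domain_agent() {
    local domain="$1" lifetime="$2" var out rc
    var="$(sock_var_for_domain "$domain")"
    out="$(ssh-agent -s -t "$lifetime")" || return 1
    eval "$out" >/dev/null                 # sets SSH_AUTH_SOCK and SSH_AGENT_PID
    export "$var=$SSH_AUTH_SOCK"
    export "${var%_SOCK}_PID=$SSH_AGENT_PID"   # for: SSH_AGENT_PID=... ssh-agent -k
    ssh-add /media/keys/"$domain"/id_*; rc=$?  # prompts for the passphrases
    unset SSH_AUTH_SOCK SSH_AGENT_PID
    return "$rc"
}

# The wrapper: pick the agent from the destination host and hand off to ssh.
ssh_with_domain_agent() {
    local host domain sock
    host="$(target_host_from_args "$@")" || {
        echo "usage: ${0##*/} [ssh options] [user@]host [command]" >&2; return 2; }
    domain="$(key_domain_for_host "$host")" || {
        echo "$host is in no key domain; not offering any keys" >&2; return 1; }
    sock="$(agent_sock_for_domain "$domain")" && [ -S "$sock" ] || {
        echo "no running agent for $domain (run: start_domain_agent $domain 8h)" >&2; return 1; }
    SSH_AUTH_SOCK="$sock" exec ssh "$@"
}

# Act as the wrapper only when given arguments, so the file can also be sourced
# into an interactive shell to get start_domain_agent.
if [ "$#" -gt 0 ]; then
    ssh_with_domain_agent "$@"
fi
```

Once a day, source the file (`. ~/bin/sshwrap`), run `start_domain_agent prod 8h` and the same for the other domains, then call the file itself as the wrapper, e.g. `sshwrap -p 2222 admin@db1.prod.example.com`. `ssh-agent -t` is a default lifetime and `ssh-add -t` can shorten it per key, but both take a duration, not a clock time, so a fixed 6:00 pm re-lock means computing the remaining seconds when the agent is started.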
