Setting up ssh
(Angie Hinrichs – April 2003)
Jorge helped me set up ssh-agent in my Gnome session -- that means that I can type a passphrase once when I log in on my workstation, and then don't have to keep typing my password every time I ssh to another machine (as long as it can see the public key of my passphrase).
Here are the steps to set this up in your Gnome session on a barnyard workstation, if you're interested. Let me know if you run into any problems, have questions/comments etc.
These steps should be done on a barnyard/SOE workstation (not hgwdev etc):
1. Make a passphrase that you will type in once when starting up your X windowing session. From the ssh-keygen manpage: “A passphrase is similar to a password, except it can be a phrase with a series of words, punctuation, numbers, whitespace, or any string of characters you want. Good passphrases are 10-30 characters long, are not simple sentences or otherwise easily guessable (English prose has only 1-2 bits of entropy per character, and provides very bad passphrases), and contain a mix of upper and lowercase letters, numbers, and non-alphanumeric characters.”
ssh-keygen -t dsa
[type in a passphrase]
2. Create the config files that use ssh-agent to run gnome-session. Make sure you don't already have a .Xclients -- or back it up if you do. If you don't want Gnome, don't do this step -- try editing your existing .Xclients to add "ssh-agent" just before the command that starts your session. NOTE FROM JORGE: It looks like Red Hat 9 automatically sets up ssh-agent to run by default on X sessions, so this step is unnecessary on that version of the OS.
echo "exec ssh-agent /usr/bin/gnome-session" > ~/.Xclients
chmod a+x ~/.Xclients
3. Add ssh-add to the list of programs that run whenever your session starts. Here's how to click your way to this if you use Gnome:
Gnome -> Programs -> Settings -> Session -> Session Properties & Startup Programs
[Add ssh-add]
4. If you don't already have a ~/.ssh/config file:
cp /etc/ssh/ssh_config ~/.ssh/config
5. Uncomment/edit or add these lines in ~/.ssh/config:
Host *
ForwardAgent yes
ForwardX11 yes
6. Add your newly created public key to the authorized_keys2 file in the .ssh directory of both your /cse/... homedir and your /cluster/home/... homedir.
cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys2
cat ~/.ssh/id_dsa.pub >> /cluster/home/$USER/.ssh/authorized_keys2
7. Log out and log in again on your workstation. When you log in, you might need to select the "Default" session so that it will look at your ~/.Xclients file. A prompt for your passphrase should appear. Even if it gets buried under other windows, it should still keep the keyboard input, so if you just type in your passphrase, you should not see it appear in any of the windows that might have buried the prompt box. After that, when you ssh to other machines, it should not ask you for your password. The agent will forward as long as it is configured to do so and you don't move between SSH.COM and OpenSSH ssh daemons.
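A re-runnable form of step 6, added here as an example and not part of the original instructions (the function name install_pubkey and its two arguments are assumptions). It refuses input that is not a single public-key line, such as the private id_dsa file, sets the directory and file permissions that sshd's StrictModes check expects, and appends the key only if it is not already listed.

```sh
# install_pubkey PUBKEY_FILE SSH_DIR
# Appends the key in PUBKEY_FILE to SSH_DIR/authorized_keys2 (the file name
# used in step 6). Safe to re-run. The function name is an assumption.
install_pubkey() {
    pub=$1
    dir=$2
    auth=$dir/authorized_keys2
    nl='
'
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }
    key=$(cat "$pub")

    # A public key file is one line: "<type> <base64> [comment]".
    # A private key is multi-line and starts with "-----BEGIN", so it fails here.
    case $key in
        *"$nl"*) echo "$pub: more than one line, not a public key" >&2; return 1 ;;
        ssh-*' '*) ;;
        *) echo "$pub: does not look like a public key" >&2; return 1 ;;
    esac

    # sshd (StrictModes, on by default) ignores key files that other users
    # could write to, so keep the directory and file private to the owner.
    mkdir -p "$dir" || return 1
    chmod 700 "$dir" || return 1
    touch "$auth" || return 1
    chmod 600 "$auth" || return 1

    # Append only if this exact line is not already present.
    if grep -qxF -- "$key" "$auth"; then
        echo "key already in $auth"
    else
        printf '%s\n' "$key" >> "$auth"
        echo "key added to $auth"
    fi
}

# Usage matching step 6:
#   install_pubkey ~/.ssh/id_dsa.pub ~/.ssh
#   install_pubkey ~/.ssh/id_dsa.pub /cluster/home/$USER/.ssh
```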