Thursday, June 7, 2018

Passing Keys ssh-agent




Recently I needed to pull a GitHub repo onto a remote server. Normally I would just clone over https, with a command like this…


 > git clone  https://github.com/patmandenver/slack-webhook.git


Which works just fine for an open repo, but if it's a private repo I am forced to put in my username and password not only when I clone, but every time I pull or push.

Not much fun.  I would rather pull via ssh and not have to worry about this.




I could copy my private ssh key to the remote box and clone via ssh, but then my private key is on a remote box that I may share with other developers… Bad idea.

Or I could create a new public/private key pair on the remote box for my user and add the public key to my account on GitHub. A little better, but other developers on the box could still possibly access my new private key, which would allow them to push/pull as me in GitHub… Again not ideal.


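There is another option I ran across, and am now using: the ssh-agent tool, which forwards your keys when you ssh to the box. The private key itself stays on your own machine; the remote box only gets a connection back to your agent. https://www.ssh.com/ssh/agent [1]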

Dangers


You may want to read this article on some of the dangers of using this command https://security.stackexchange.com/questions/101783/are-there-any-risks-associated-with-ssh-agent-forwarding [2]

Long story short: while you are logged into the remote box, other admins on the box (think root access) could use your ssh key and pretend to be you. But I prefer this reduced risk over keeping my key, or creating a new key, on the box.




Using it


Start the ssh-agent


 > eval $(ssh-agent)





Now add your private keys using the ssh-add tool


 > ssh-add ~/.ssh/id_rsa





As a double check run this to list your keys


 > ssh-add -l





There she be :)


Now ssh to a box and use the -A option to enable forwarding of the authentication agent connection to the machine you are ssh’n to.

Here is my example
 (Of course replace haproxy with your hostname :) )


 > ssh -A haproxy




As another double check you can run this command on the machine you just logged into via ssh to confirm the key was sent along


 > ssh-add -l





Wahoo it worked… Now if I try to run a git clone via ssh…



 > git clone git@github.com:EXAMPLE/some-private-repo.git




 Done deal :)


That fulfills my needs :)
Now there are lots of other useful things you can do with this, such as using it to ssh to yet another box that has your public key.
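
Agent forwarding can also be switched on from an ssh client config with `ForwardAgent yes` instead of typing `-A`, and given the danger described above it should only be on for hosts you picked. The script below is an added example, not part of the original post: it reads an ssh client config and reports every scope that enables forwarding, marking global or wildcard scopes as BROAD. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report where an ssh client
# config enables agent forwarding. Function names are made up for this sketch.

# Reads ssh_config text from the named file(s), or stdin if none are given.
# Prints "BROAD: <scope>" or "scoped: <scope>" for each "ForwardAgent yes";
# exit status is 1 when any BROAD (global or wildcard) scope was found.
audit_forward_agent() {
    awk '
    BEGIN { broad = 0 }
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line)                 # drop indentation
        sub(/[ \t]*=[ \t]*|[ \t]+/, " ", line)   # accept "Key value" and "Key=value"
        sp  = index(line, " ")
        key = tolower(sp ? substr(line, 1, sp - 1) : line)   # keywords ignore case
        val = sp ? substr(line, sp + 1) : ""
        sub(/[ \t]+$/, "", val)
    }
    key == "host" || key == "match" { scope = key " " val; next }
    key == "forwardagent" && tolower(val) == "yes" {
        if (scope == "" || scope ~ /[*?]/ || tolower(scope) == "match all") {
            print "BROAD: " (scope == "" ? "(global)" : scope)
            broad = 1
        } else {
            print "scoped: " scope
        }
    }
    END { exit broad }
    ' "$@"
}

# Constructed sample config: forwarding is wanted for haproxy only, but a
# trailing "Host *" block also turns it on for every other host.
sample_config() {
    cat <<'EOF'
Host haproxy
    ForwardAgent yes
Host build-*
    ForwardAgent no
Host *
    forwardagent=yes
EOF
}

sample_config | audit_forward_agent || echo "agent forwarding is enabled too broadly"
```

To check your own setup, call `audit_forward_agent ~/.ssh/config`.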





References

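[1]        ssh-agent
           https://www.ssh.com/ssh/agent
           Accessed 06/2018
[2]        Are there any risks associated with SSH agent forwarding?
           https://security.stackexchange.com/questions/101783/are-there-any-risks-associated-with-ssh-agent-forwarding
           Accessed 06/2018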



