Posted on December 27, 2004, 2:35 am
We are using OpenSSH to secure our Oracle connection. On the client
system we have generated the id_dsa key and appended its public key to
the authorized_keys file in the remote system's $HOME/.ssh.
When initiating the connection we are prompted for the passphrase of
the key. The passphrase is a must for our requirement. The connection
is established once the correct passphrase is entered.
Our requirement is to automate the entry of the passphrase, meaning there
shouldn't be any human intervention.
I went through some suggestions on the net, which suggest using ssh-agent
and ssh-add and configuring some environment variables. As I am new to
this technology, can anyone please guide me with step-by-step
instructions to configure ssh-agent and the others to achieve my goal. We
are NOT using any xsession.
Re: configuring ssh-agent to automate passphrase for the key
Requirement duly noted.
This second requirement contradicts the first. A human *has* to enter
the passphrase at least once, otherwise your system is somehow defeating
security by storing the passphrase in the clear.
You can use ssh-agent to create an intermediate system where the
passphrase is entered only once. (It should be "once per day" or
"once per session", otherwise you are effectively back to a system
without a passphrase.) ssh-agent is used from the command line
in the following way:
$ eval $(ssh-agent -s)
The command "ssh-agent -s" creates a background process (the agent)
and prints output that looks like this:
SSH_AUTH_SOCK=/tmp/ssh-OsrzU24442/agent.24442; export SSH_AUTH_SOCK;
SSH_AGENT_PID=24443; export SSH_AGENT_PID;
echo Agent pid 24443;
when captured in a shell $(...) construct and passed to the shell "eval"
function, it causes the parent shell to create the environment variables
SSH_AUTH_SOCK and SSH_AGENT_PID. The first of these is used to communicate
with the background agent. The second variable, SSH_AGENT_PID, is used
only to stop a running agent, via the command
eval $(ssh-agent -k)
All processes subsequently started by the shell have a copy of
After starting the agent, you load the private key:
Enter passphrase for <key file>:
and it is the "ssh-add" command that prompts you for a passphrase.
The "ssh-add" command uses $SSH_AUTH_SOCK to communicate with the agent.
At this point, all ssh processes started by this shell, or by other
processes started by this shell, can use $SSH_AUTH_SOCK to obtain
signatures from the agent. Maybe all you need to do is run ssh-agent
and ssh-add before starting your Oracle thing for the day.
If you need to use the agent from processes that are not descendants
of your starting shell, for example cron jobs, then those processes
will have to search for the running agent's socket. They should
look in /tmp for a directory of the form "ssh-*" containing a single
file "agent.*", of type "socket", owned by their userid and to
which they have read and write permission. They can then set their
own SSH_AUTH_SOCK environment variable to the name of the socket,
after which they will be able to run ssh commands that use the
Your policy could require a human officer to start an agent in the
morning and kill it at the end of the business day, for example.
pa at panix dot com
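As an added example (not part of the reply above), a POSIX sh helper that does the socket search the reply describes for cron jobs, exports SSH_AUTH_SOCK, and then checks that the agent actually answers. The function names and the optional directory argument (defaulting to /tmp) are constructed; the ssh-add -l exit codes (0 keys loaded, 1 no identities, 2 cannot contact the agent) are as documented in the ssh-add manual.

```shell
#!/bin/sh
# find_agent_socket [DIR]: look in DIR (default /tmp) for a directory "ssh-*"
# holding a single "agent.*" entry that is a socket we own with read and
# write permission. Prints the socket path and returns 0, or returns 1.
find_agent_socket() {
    dir=${1:-/tmp}
    for d in "$dir"/ssh-*; do
        [ -d "$d" ] && [ -O "$d" ] || continue   # must be a directory we own
        count=0; found=
        for s in "$d"/agent.*; do
            [ -e "$s" ] || continue
            count=$((count + 1))
            found=$s
        done
        [ "$count" -eq 1 ] || continue            # exactly one agent.* entry
        # socket type, our uid, readable and writable by us
        [ -S "$found" ] && [ -O "$found" ] && [ -r "$found" ] && [ -w "$found" ] || continue
        printf '%s\n' "$found"
        return 0
    done
    return 1
}

# use_agent [DIR]: export SSH_AUTH_SOCK for the socket found above and make
# sure the agent behind it is alive and holds at least one key, so a cron
# job does not silently fall back to an interactive passphrase prompt.
use_agent() {
    sock=$(find_agent_socket "${1:-/tmp}") || { echo "no agent socket found" >&2; return 1; }
    SSH_AUTH_SOCK=$sock; export SSH_AUTH_SOCK
    ssh-add -l >/dev/null 2>&1
    case $? in
        0) return 0 ;;                                               # keys loaded
        1) echo "agent at $sock holds no keys" >&2; return 1 ;;      # nothing added yet
        *) echo "stale socket $sock: agent not responding" >&2; return 1 ;;
    esac
}
```

A cron entry would call `use_agent && ssh ...`, so the job fails loudly when the morning agent was never started or was killed at the end of the day.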