Back to foundations: SSH

July 5, 2024
Sergio Rua

Introduction

If you follow me on Medium, you may be wondering why I decided to write a blog post about something so basic. Well, as it turns out, it’s not! I’ve lost count of how many times I’ve had to explain why copying SSH private keys to various locations is a security risk, and why using ssh-agent is a far superior approach. It’s become clear that many professionals, even those with considerable experience, aren’t fully aware of best practices in this area. Let’s get into it!

Using SSH Agent to Simplify Key Management

SSH agent is a powerful tool that can streamline your workflow when connecting to remote servers via SSH. By holding your decrypted private keys in memory, ssh-agent lets you authenticate without entering passphrases repeatedly. Furthermore, you can configure SSH to forward access to your agent (not the key file itself) to a bastion and then use it from there to jump over to the target servers.

Let’s explore how to set up and use ssh-agent effectively.

Starting SSH Agent

To begin using ssh-agent, you first need to start it:

eval $(ssh-agent -s)

This command starts the ssh-agent process and sets the necessary environment variables (SSH_AUTH_SOCK and SSH_AGENT_PID). You will want to add this to your shell start-up file; for bash, I use ~/.bashrc:

# Start SSH agent, but only if no agent is already reachable
# (e.g. one forwarded into this session or started by the desktop login)
if [ -z "$SSH_AUTH_SOCK" ]; then
    eval $(ssh-agent -s)
    # Stop the agent we started when this shell exits
    trap 'kill $SSH_AGENT_PID' EXIT
fi

# Add your SSH keys (quietly; you are prompted for the passphrase once)
ssh-add -q ~/.ssh/id_rsa 2>/dev/null

If, like me, you're one of the cool guys using zsh, you can set it up with the oh-my-zsh ssh-agent plugin instead:

plugins=(git ssh-agent)

Adding other keys to SSH Agent

Once ssh-agent is running, you can add your private key and any other keys you use:

ssh-add ~/.ssh/id_rsa-my-other-key

You’ll be prompted to enter the key’s passphrase once (yes, you should be creating SSH keys with passphrases!).

To verify which keys the agent holds, list them with the following command:

ssh-add -l

Using SSH Agent with Remote Connections

With your keys added to ssh-agent, you can now connect to remote servers without entering your passphrase each time:

ssh user@remote-server

SSH will automatically use the keys stored in the agent for authentication. I usually configure agent forwarding explicitly per host in my ~/.ssh/config, which lets me disable it for a host when I need to. For example:

Host remote-server
  User myuser
  Hostname IP
  # the important line: forward the agent to this host
  ForwardAgent yes

Proxying SSH connections

ProxyCommand lets you connect to servers behind a bastion host without manually setting up SSH tunnels. The great thing about combining it with ssh-agent is that you never need to copy your key to the bastion; ssh handles the hop for you.

This is one of my pet peeves, seeing how often people copy keys around.

I must warn you that proxying is not considered good practice, but I have to admit I do it often; it’s just very convenient. In an ideal world, you would configure your bastion not to permit forwarded connections.

Host bastion
    HostName bastion.example.com
    User bastionuser
    ForwardAgent yes

Host internal-server
    HostName 10.0.0.5
    User internaluser
    ForwardAgent yes
    # tunnel through the bastion; newer OpenSSH spells this "ProxyJump bastion"
    ProxyCommand ssh bastion -W %h:%p

With this, you can ssh directly to internal-server from your desktop.

Best Practices for Security

While ssh-agent is convenient, it’s important to use it securely:

1. Set a timeout: use ssh-add -t <time> to set an expiration time (in seconds) for your keys in the agent.

2. Remove unused keys: when you’re done, remove keys from the agent with ssh-add -D.

3. Always exit sessions: Terminate ssh-agent when you’re finished to avoid leaving active keys in memory.

4. Be cautious with agent forwarding: Only use agent forwarding with trusted servers to prevent potential key misuse.

5. Use different keys for different purposes: this limits exposure if one key is compromised. I use different keys per customer, for git repos, bastions, etc.
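Because ssh resolves options with a first-match-wins rule across Host blocks, it is easy to forward your agent to a host without meaning to (a broad Host * block, or an alias you forgot about). The following is an added example, not code from the post: a small audit that parses an ssh_config, applies ssh's pattern-list and first-match semantics, and reports which concrete Host aliases would actually forward the agent. The sample config is constructed for the example; Match blocks and trailing comments are not handled.

```python
import fnmatch
import re

# Constructed sample ~/.ssh/config in the style of the post (not a real file).
SAMPLE_CONFIG = """\
Host bastion
    HostName bastion.example.com
    ForwardAgent yes
Host internal-server
    HostName 10.0.0.5
    ForwardAgent yes
    ProxyCommand ssh bastion -W %h:%p
Host git.example.com
    IdentityFile ~/.ssh/id_git
Host *
    ForwardAgent no
"""

def parse_blocks(text):
    """Split ssh_config into (Host patterns, options) blocks in file order; keys are
    lower-cased and within a block the first value for a key wins, as in ssh."""
    blocks, patterns, opts = [], ["*"], {}  # options before any Host apply everywhere
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"(\S+?)\s*(?:=|\s)\s*(.*)$", line)  # "Key value" or "Key=value"
        if not line or line.startswith("#") or not m:  # only full-line comments handled
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):  # a Match block is kept but never matches here
            blocks.append((patterns, opts))
            patterns, opts = (value.split() if key == "host" else []), {}
        else:
            opts.setdefault(key, value)
    blocks.append((patterns, opts))
    return blocks

def host_matches(patterns, host):
    """ssh pattern-list rules: a matching '!x' excludes the host, otherwise at least
    one positive pattern must match ('*' and '?' are wildcards)."""
    hits = [(p.startswith("!"), fnmatch.fnmatchcase(host, p.lstrip("!"))) for p in patterns]
    return not any(neg and hit for neg, hit in hits) and any(hit for neg, hit in hits if not neg)

def effective(blocks, host, key):
    """Value ssh would use for `key` on `host`: the first matching block wins."""
    return next((o[key] for p, o in blocks if key in o and host_matches(p, host)), None)

def forwarding_hosts(text):
    """Concrete Host aliases for which ssh would forward the agent (default: no)."""
    blocks = parse_blocks(text)
    aliases = {a for pats, _ in blocks for a in pats if not any(c in a for c in "*?!")}
    return sorted(a for a in aliases if (effective(blocks, a, "forwardagent") or "no").lower() == "yes")
```

Run it against the contents of your own ~/.ssh/config and review every alias it lists against best practice 4 above.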

SSH Agent and macOS Keychain

On macOS, you can integrate ssh-agent with the Keychain for added convenience:

ssh-add -K ~/.ssh/id_rsa

This stores your key’s passphrase in the macOS Keychain, allowing ssh-agent to automatically re-add keys after a reboot[1]. On recent macOS versions the flag is spelled --apple-use-keychain (-K still works there but is deprecated), and for the keys to be loaded automatically you also want UseKeychain yes and AddKeysToAgent yes in your ~/.ssh/config.

Conclusion

SSH agent is a powerful tool that can significantly improve your SSH workflow. By securely managing your keys and eliminating the need for repeated passphrase entry, it strikes a balance between security and convenience. However, always remember to follow best practices to ensure your keys remain protected.

By mastering ssh-agent, you’ll streamline your remote server management while maintaining robust security practices.
