Ubuntu – How to enter ssh passphrase key once and for all

encryptionpassphrasepasswordssh

I have set up a password-less setup for ssh that uses public key authentication to connect with desired remote server, everything has been working quite well.

I'm using passphrase to unlock the private key, using this solution— the problem is it asks password everytime I start my system.

I found this to be troublesome, I want to enter it only once and for all so the next time I boot up the session I won't have to enter it again, is there something like cached key that holds up my passphrase and works across session (also survive a reboot) ?

Would it be possible to achieve all of this whilst keeping my ssh passphrase intact ?

Best Answer

You want to use keychain.

The keychain program manages an instance of the key cache program ssh-agent. When ssh-agent is started, two environment variables are created to be eval'd. Normally when the shell is closed where ssh-agent has been started, those environment variables are lost. The keychain program keeps track of those variables across logins and provides shell scripts in the ~\.keychain directory.

There are several ways to run keychain, one method is manually from the command line. Each time you start the shell, use:

eval `keychain --eval`

This will find ssh-agent if it's running, and start it if it's not. Either way, using eval on keychain will set the necessary environment variables where you can add keys using:

ssh-add <private-keyfile>

If private-keyfile has a password, you will be prompted to enter that password during the execution of ssh-add, but as long as ssh-agent is running that will be the last time you need to enter the password for the private key.

Because the eval of keychain sets the SSH_AUTH_SOCK environment variable, any run of ssh will use the ssh-agent to accomplish the authentication.

Another suggestion is to add the keychain execution to your .bashrc file, as suggested in this StackExchange answer.

To terminate keychain just enter the command:

keychain --stop mine

or if you want to bring down all the instances of ssh-agent, enter the command:

keychain --stop all

Just a note, using services such as ssh-agent defeat the security of passworded private key files by storing those authenticated keys in memory. This is not safe, especially with memory side-channel attacks. If you're not interested in key security, the simpler solution is to remove the password on the private key as suggested by @vidarlo.

Related Solutions

Ubuntu – How to avoid typing ssh-add everytime

I have installed keychain.

sudo apt-get install keychain

If you're running bash you need to add a few commands to your .bash_profile If you do not have a .bash_profile create one in your home folder. Add these lines:

### START-Keychain ###
# Let  re-use ssh-agent and/or gpg-agent between logins
/usr/bin/keychain $HOME/.ssh/id_dsa
source $HOME/.keychain/$HOSTNAME-sh
### End-Keychain ###

At the start of a work day I will login. When I open a terminal, I will be prompted once for my passphrase. For all other new terminals and connections I will not be asked for my passphrase again.

Ubuntu – Key based SSH login that requires both key AND password

There are two ways to configure ssh to require both a public key and a password or passphrase.

The difference between the password and the passphrase:

The password in this context is the password assigned to the user in the server computer (the board). If the board has only one user account, then it will have only one password. If the board has multiple user accounts, they should have their unique passwords.

The passphrase is linked to the private key in the client (local) computer, not to the remote server (board) computer. Thus, if you use two different client computers of devices to ssh from, then you will have to create a passphrases for the private keys stored in each local computer. Similarly, if two different users need to ssh to the server (board) from their own respective local computers, they will need their own private-public key pairs and own passphrase to unlock their respective private keys.

For example, say you and I need to ssh to the same server computer (the board) from our own laptops. You will have your own private key and a passphrase for that private key. I will have my own private key and its passphrase. The upshot of this arrangement is, I can change the passphrase of my private key any time without telling you, or changing anything to the server computer (the board). I can even remove the passphrase from my private key without telling you.

The other scenario is, if I have multiple servers to ssh to and if I use the same private key to authenticate myself to all the servers, I will need to use the same passphrase to access ssh in all the servers I work with, not just your board.

Method 1. Public Key with passphrase

Reference: https://help.ubuntu.com/community/SSH/OpenSSH/Keys

Step 1. Add a passphrase to the existing public-private keyfor each client and user combinations

For each user on each client computer or device use the following command to generate a passphrase for the exiting public-private key pair:

ssh-keygen -p

You wil be prompted for the the location where to keep the files. Hit enter to accept the default location.

If you already have a passphrase set, you will be asked to enter the existing passphrase. In that case you have already done this step. Press Ctrl+C to stop the process.

Next you will be prompted to enter a new passphrase. Do not hit Enter! Enter a long and difficult to guess passphrase that is easy to remember. You will be asked to re-enter the passphrase.

If you don't have an existing public-private key pair, use the following command to generate it. You will be prompted to add a passphrase if you need one:

ssh-keygen -t rsa

Every time you try to login to the ssh server, you will be asked to enter this passphrase. This can be different for the user password of the ssh server. Each user can have their own passphrase. If an user needs to login from different clients (laptop, phone, etc.) she will need to repeat this process for each client. She can choose different passphrase for different clients.

Step 2. Copy the public key to the server only if the key is new

In your client computer enter:

ssh-copy-id -i ~/.ssh/id_rsa.pub user@board_ip

It will ask for the password of the user in the remote server. Remember, password based login must be enabled for this to work.

Repeat for all the users and all client devices.

Step 3. Test if it works

Try to login to the server by entering:

ssh user@board_ip

If all goes well, you will be prompted to enter the passphrase you created in step 2. This is not the user password you were asked in step 3.

If you see the prompt to enter the user password, then something is not right. Do not proceed to the next step, until you get this working.

Step 4. Disable password based login

Once each user and their respective client devices have their own public-private key pairs and respective passphrases of their choice, you won't need the password based login. It is best to disable this method. Keeping it enabled will allow anyone without the public-private key pair to try to guess the password of the user@board-ip.

In the ssh server, the board, edit the file /etc/ssh/sshd_config and change:

#PasswordAuthentication yes

to read:

PasswordAuthentication no

Note, the # is not there in the second line and the yes is now no.

Restart the ssh service in the server by:

sudo service ssh restart

If this does not work, reboot the board.

It is done. The passphrase is cached in the client probably by Gnome-Keyring until the user logs out of the local computer. Thus, the phass-phrase is asked only once per session.

What comes next is another alternative. You need to do either 1 or 2.

Method 2. Public key and user password both required

Reference: https://security.stackexchange.com/questions/17931/possible-to-use-both-private-key-and-password-authentication-for-ssh-login

Step 1. Remove passphrase from Private key if present, for each client and user combinations

For each user on each client computer or device use the following command to remove the existing passphrase for each public-private key pair:

ssh-keygen -p

You will be prompted for the the location where to keep the files. Hit enter to accept the default location.

If you have an existing passphrase you will be asked to enter it. If you don't get prompted for existing passphrase, you are done. Press Ctrl+C to stop the process.

Otherwise enter the existing passphrase and continue.

Next you will be prompted to enter a passphrase. Hit Enter twice to remove the existing passphrase from the private key.

If you don't have an existing public-private key pair, use the following command to generate it. You will be prompted to add a passphrase if you need one:

ssh-keygen -t rsa

If an user needs to login from different clients (laptop, phone, etc.) she will need to repeat this process for each client.

Step 2. Copy the public key to the server only if the key is new

In your client computer enter:

ssh-copy-id -i ~/.ssh/id_rsa.pub user@board_ip

It will ask for the password of the user in the remote server. Remember, password based login must be enabled for this to work.

Repeat for all the users and all client devices.

Step 3. Test if public keys are being used

Try to login to the server by entering:

ssh user@board_ip

If all goes well, you will not be prompted to enter any password or passphrase. This is normal. This shows that the public key is properly installed in the ssh server (the board) and it is working. We will change the setting so that it asks for the password again in the next step.

Step 4. Setup for both public key and password

AuthenticationMethods "publickey,password"

Warning: Make sure the the PasswordAuthentication looks like:

#PasswordAuthentication yes

This is the default behavior. You may choose to keep or remove the # in the beginning. However, if this setting is set to no along with the line you just added, then nobody will be able to login to the server using ssh. If you get locked out, you will have to physically go to the remote server, hook it up to keyboard, monitor, etc. and login locally and edit this file to fix the problem.

End Warning

Restart the ssh service in the server by:

sudo service ssh restart

If this does not work, reboot the board.

Step 5. Test breaking in

Find a new computer or login to the client computer using a new username, say user2. This user should not have any public-private key pairs in his /home/$USER/.ssh/ folder. We will pretend that user2 is the hacker who has somehow found out the password of user@board_ip and try to ssh into that system.

Enter as user2, from the client computer:

ssh user@board_ip

If you can login with just the password, then it did not work. Anyone who has the password or can guess it, can login to the board. They do not need the key.

If you get a permission denied and login fails, then the double authentication of public key and password works.

Hope this helps