Ssh-agent: How to set it up so the CentOS server will only ask for passphrase once

centospasswordsshssh-agent

On my Macbook, my SSH private key is encrypted, but I never have to re-enter the passphrase even if I reboot the machine.

The system must be unlocking it along with my user account.

Is it possible to set it up the same way for my user account on a CentOS server? There should be some sort of option that would basically encrypt the privatekey with the user account password (or at least encrypt the passphrase with the user password). I do not want the private key in plaintext on the hard disk, and would prefer not to have to enter many passwords.

If the answer is no, then I probably will need to enter it once each time the server is booted. That is less good, but since that should be a rare occurrence, that would be tolerable.

Best Answer

You need a keyring or keychain to maintain the ssh-agent auth socket location for you.

On CentOS you can install keychain, see http://www.cyberciti.biz/faq/ssh-passwordless-login-with-keychain-for-scripts/ for a detail guide on how to setup keychain on CentOS.

Related Solutions

security – How to Determine if Someone’s SSH Key Contains an Empty Passphrase

Well, OpenSSH private keys with empty passphrases are actually not encrypted.

Encrypted private keys are declared as such in the private key file. For instance:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,7BD2F97F977F71FC

BT8CqbQa7nUrtrmMfK2okQLtspAsZJu0ql5LFMnLdTvTj5Sgow7rlGmee5wVuqCI
/clilpIuXtVDH4picQlMcR+pV5Qjkx7BztMscx4RCmcvuWhGeANYgPnav97Tn/zp
...
-----END RSA PRIVATE KEY-----

So something like

# grep -L ENCRYPTED /home/*/.ssh/id_[rd]sa

should do the trick.

Disable svn plaintext password storage for all users

You can't.

Whatever you do, your users can bypass it and store their password in a plain text file anyway. If you disable the feature in the client binary, they'll download or compile a different client. As a rule, if you set up obnoxious security measures (such as having to type a password for every svn operation), your users will bypass them in a way that makes security worse. (For example, writing a wrapper script that contains their password. Which they'll leave world-readable.) So don't do that.

To reiterate: you cannot, by technical measures alone, prevent users from storing their password in a file. You can forbid it, but if it makes their life difficult, they'll do it anyway.

If you're concerned about laptop or backup theft, encrypt the users' home directory. This will protect the passwords as well as the data. If the whole home directory is encrypted, the encryption password is usually the same as the login password, for usability reasons. Be sure to have a password backup policy (e.g. a sealed envelope), since losing an encryption password is irrecoverable.

If you're concerned about password reuse, impose a random (hence unique) password, which they will type once and for all into their client. Have a simple process for changing compromised passwords, of course.

Best Answer

Related Solutions

security – How to Determine if Someone’s SSH Key Contains an Empty Passphrase

Disable svn plaintext password storage for all users

Related Question