
SSH Made Easy with SSH Agent and SSH Config

27 Aug 2021 3:00am, by

Chances are pretty good you use Secure Shell (SSH) to log into remote servers. SSH is well known as a (mostly) secure protocol that not only makes remote administration and development simple, it's also one of your best tools for interacting with your cloud-hosted virtual machines. In fact, without SSH, working remotely on Linux machines, whether hosted in the cloud or in an on-premises data center, would be a major challenge, if not entirely impossible.

So good thing SSH is highly configurable and easy to work with. Right?

You might be wondering how any tool that’s primarily used from the command line could be easy to work with. Fortunately, SSH includes several features and add-ons to help simplify and secure its usage.

Today, I want to introduce you to two very specific SSH tools: ssh-agent and the SSH config file.

What is SSH Agent?

The ssh-agent tool, used together with SSH key authentication, holds your unlocked private key in memory for the life of an agent session. You type the key's passphrase once, when you add the key to the agent, and for as long as that session lasts you can log in and out of remote servers without typing an SSH password or a passphrase. Once you've finished with your remote work, end the session and the unlocked key goes away with it.

But how do you work with this feature? Let me show you.

Before we do, we need to set up SSH key authentication. To do this, head over to the machine you'll be using to log into the remote server and open a terminal window. From there, create a new SSH key pair with the command:

ssh-keygen

Accept the default file location and, when prompted, set a passphrase. The passphrase is what protects the private key on disk; ssh-agent is what saves you from typing it over and over.

Once you've created your SSH key, you'll then need to copy the public half to the server you'll be logging into. Do that with the command:

ssh-copy-id USER@SERVER

Where USER is your account on the remote server and SERVER is its IP address or domain. (If you leave out USER, ssh-copy-id uses your local username.) You'll be asked for that account's password one last time so the public key can be installed.

Now, when you attempt to SSH into the remote server, it will ask you for your SSH key passphrase instead of your user password.

First step taken care of.

Now, how do we make use of ssh-agent? Easy. From the terminal, issue the command:

eval "$(ssh-agent -s)"

The eval matters: ssh-agent starts itself in the background and prints the shell commands that export SSH_AUTH_SOCK and SSH_AGENT_PID, and eval runs those commands so that ssh in this shell knows where to find the agent. You will see an Agent pid line and then be returned to your terminal. You might think, "Nothing has changed!" But it has. You're now in an SSH Agent session.

Next, add your SSH key with the command:

ssh-add

You will be prompted for your SSH key passphrase.

Attempt to SSH to the remote server again. This time, you won't be prompted for your password or passphrase; you'll simply be allowed in. Exit out of that remote session and attempt to log in again. Same result. This behavior continues until the key is removed from the agent or the agent is stopped. Note that closing the terminal does not necessarily do either: the agent is a separate background process. End the session deliberately with eval "$(ssh-agent -k)", which kills the agent started in this shell, or remove the loaded keys with ssh-add -D.

The Big Caveat

You've probably already figured out the caveat to using SSH Agent. You might have exited out of that remote SSH session, but failed to stop the agent. Should that be the case, anyone who can use your desktop session, and so reach the agent's socket, needs only the IP address/domain of your remote server to start a new remote session; no passphrase is required, because the agent already holds the unlocked key. Because of this, it's imperative that you always lock your desktop environment and that you stop the agent (or clear its keys with ssh-add -D) when you're done. Two ssh-add options shrink the window further: -t LIFETIME makes the agent forget the key after the given number of seconds, and -c makes it ask for confirmation every time the key is used. Fail to do any of those things, and you leave yourself open for trouble.
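To make the agent lifecycle concrete, here is an added shell example (not code from the article) that wraps the steps above into functions: start a private agent for the current shell, load a key with an expiry, check what the agent holds, and kill the agent when the shell exits. The key path and the 3600-second default lifetime are assumptions for illustration.

```shell
#!/bin/sh
# ssh_agent_session.sh: a private ssh-agent per shell, keys that expire,
# and a guaranteed teardown. Added example, not from the article.
# The key path and the 3600-second default lifetime are assumptions.

# Start an agent for this shell and export SSH_AUTH_SOCK / SSH_AGENT_PID.
# Returns 2 if ssh-agent is not installed, 1 if it failed to start.
agent_start() {
    command -v ssh-agent >/dev/null 2>&1 || return 2
    # ssh-agent prints "SSH_AUTH_SOCK=...; export SSH_AUTH_SOCK; ..." and
    # eval runs it; without eval the variables never reach this shell.
    eval "$(ssh-agent -s)" >/dev/null || return 1
    # Kill the agent when this shell exits so the unlocked key cannot
    # outlive the session it was loaded for.
    trap 'agent_stop' EXIT
    [ -S "$SSH_AUTH_SOCK" ]
}

# Load one private key; the agent forgets it after LIFETIME seconds
# (ssh-add -t). Add -c as well if you want a confirmation prompt per use.
agent_add_key() {
    key="$1"
    lifetime="${2:-3600}"
    ssh-add -t "$lifetime" "$key"
}

# True if the agent currently holds at least one key (ssh-add -l exits 1
# when the agent is empty and 2 when no agent is reachable).
agent_has_keys() {
    ssh-add -l >/dev/null 2>&1
}

# Forget every loaded key but leave the agent running.
agent_forget_keys() {
    ssh-add -D >/dev/null 2>&1
}

# Kill the agent started by agent_start and clear its variables.
agent_stop() {
    [ -n "${SSH_AGENT_PID:-}" ] || return 0
    eval "$(ssh-agent -k)" >/dev/null 2>&1
    unset SSH_AUTH_SOCK SSH_AGENT_PID
}

# Typical interactive use:
#   . ./ssh_agent_session.sh
#   agent_start && agent_add_key ~/.ssh/id_ed25519 3600
#   ssh SERVER            # no passphrase prompt while the key is loaded
#   agent_stop            # or just close the shell; the EXIT trap does it
```

Source the file rather than executing it, so that the exported variables and the EXIT trap land in your interactive shell. The trap is the piece that addresses the caveat above: even if you forget, the agent dies with the shell that started it.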

SSH Config

Now that we've helped to make your SSH remote sessions a bit more secure by way of SSH key authentication and SSH Agent, we can make them a bit more convenient. SSH includes a very handy feature in the SSH config file. This file lives in your ~/.ssh directory and is simply called config. ssh refuses to read it if other users can write to it, so keep its permissions at 600.

With the SSH config file, you can create individual configurations for your various SSH connections. This is a means of really simplifying all your SSH connections. For example: Let’s say you have several servers you frequently remote into and each connection uses a different username. Let’s call those servers:

  • AWS
  • GoogleCloud
  • Azure
  • Web
  • DB

And with each of those connections you log in with a different user name, so:

  • AWS – olivia
  • GoogleCloud – bethany
  • Azure – trinity
  • Web – janet
  • DB – chenica

What if, instead of having to type out the entire SSH command  — as in ssh olivia@SERVER – where SERVER is the IP address of your AWS-hosted virtual server — you could simply type:

ssh AWS

You can do just that. Let me show you how. I’ll demonstrate on macOS, but the process is the same if you’re using Linux as the client.

Create a new configuration file by opening the terminal application and issuing the command:

nano ~/.ssh/config

Each config entry is a short stanza: a Host line that names the nickname, followed by indented keyword/value lines that apply to it. The keywords you'll use most break down like this:

  • Host — the nickname you’ll use for the host.
  • HostName — the IP address or domain of the remote server.
  • User — the username associated with the remote account.
  • IdentityFile — the location of your SSH key authentication file for the account.

Obviously, if you're using SSH key authentication for each account and the usernames are different, you may end up with a separate key pair per account; each private key must be readable by (and should be readable only by) the local user account that will be launching the SSH sessions.

Create entries for each of those remote servers: one stanza per nickname, each with its own HostName (the IP address or domain of that server), User and IdentityFile.

Save and close that file.
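As an added example (not the article's own file), here is a shell script that writes a config with one stanza per server from the list above, sets owner-only permissions, and looks a nickname up the way ssh does, keeping the first value it finds for each keyword. The hostnames such as aws.example.com and the key file names are placeholders I made up; substitute your own.

```shell
#!/bin/sh
# ssh_config_demo.sh: write per-host SSH config stanzas and look them up.
# Added example, not from the article. Hostnames and key file names below
# are placeholders; replace them with your own.

# Write the config file with owner-only permissions. ssh refuses to read a
# config that is writable by other users ("Bad owner or permissions").
write_ssh_config() {
    cfg="$1"
    ( umask 077; cat > "$cfg" <<'EOF'
Host AWS
    HostName aws.example.com
    User olivia
    IdentityFile ~/.ssh/id_aws

Host GoogleCloud
    HostName gcp.example.com
    User bethany
    IdentityFile ~/.ssh/id_gcp

Host Azure
    HostName azure.example.com
    User trinity
    IdentityFile ~/.ssh/id_azure

Host Web
    HostName web.example.com
    User janet
    IdentityFile ~/.ssh/id_web

Host DB
    HostName db.example.com
    User chenica
    IdentityFile ~/.ssh/id_db

# Defaults for every host, placed last: ssh keeps the FIRST value it finds
# for each keyword, so a "Host *" block at the top would override the rest.
Host *
    IdentitiesOnly yes
    ServerAliveInterval 60
EOF
    )
    chmod 600 "$cfg"
}

# Print the value of KEYWORD for nickname NICK from config CFG, applying
# ssh's first-match-wins rule. Matches literal nicknames and the "*"
# pattern only (no other globs). Exit status 1 if nothing matched.
ssh_config_lookup() {
    nick="$1"; keyword="$2"; cfg="$3"
    awk -v nick="$nick" -v kw="$keyword" '
        tolower($1) == "host" {
            inblock = 0
            for (i = 2; i <= NF; i++) if ($i == nick || $i == "*") inblock = 1
            next
        }
        inblock && !done && tolower($1) == tolower(kw) { print $2; done = 1 }
        END { exit done ? 0 : 1 }
    ' "$cfg"
}

# With a real OpenSSH client (6.8 or newer), ask ssh itself to resolve a
# nickname without connecting; this is the authoritative check.
# Returns 2 if ssh is not installed.
ssh_config_resolve() {
    command -v ssh >/dev/null 2>&1 || return 2
    ssh -G -F "$2" "$1" |
        awk '$1 == "hostname" || $1 == "user" || $1 == "identityfile" { print $1, $2 }'
}

# Example:
#   write_ssh_config "$HOME/.ssh/config"
#   ssh_config_lookup AWS HostName "$HOME/.ssh/config"   # aws.example.com
#   ssh_config_resolve AWS "$HOME/.ssh/config"
```

The awk lookup is only a teaching aid; when you want to know what ssh will actually do for a nickname, run ssh -G with the file in question. The "Host *" stanza goes last on purpose: because the first value wins, it supplies defaults without clobbering the per-host entries above it.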

The next time you need to log into one of those connections, all you'd do is use any one of the following commands, typing the nickname exactly as it appears on its Host line:

ssh AWS

ssh GoogleCloud

ssh Azure

ssh Web

ssh DB

That's it. And if you use this in conjunction with ssh-agent, your life has become even easier.

Conclusion

Constantly SSHing into and out of machines gets tedious. And if you have a large number of servers you remote into, you might not even remember their IP/domain addresses or the usernames associated with those remote accounts. Using ssh-agent and the SSH config file can go a long way toward making your work more efficient.
