This will prompt you for a secret passphrase. If this is your primary identity key, make sure to use a good passphrase. If this works right you will get two files called id_dsa and id_dsa.pub in your .ssh dir. Note: it is possible to just press the enter key when prompted for a passphrase, which will make a key with no passphrase. This is a Bad Idea for an identity key, so don't do it! See below for uses of keys without passphrases.
Copy the id_dsa.pub file to the other host's .ssh dir with the name authorized_keys2.
This will start the ssh-agent, add your default identity(prompting you for your passphrase), and spawn a bash shell. From this new shell you should be able to:
This should let you in without typing a password or passphrase. Hooray! You can ssh and scp all you want from this bash shell and not have to type any password or passphrase.
Now this is all well and good, but who wants to run their whole life from a single bash instance? If you use an X window system, you can type your passphrase once when you fire up X and all subprocesses will have your keys stored.
This will prompt you for your passphrase when you start up X, and then not again. All shells you spawn from X will have your keys stored.
[pkeck@hurly /]$ ssh -l paulkeck burly
cat foo.pub |ssh burly 'sh -c "cat - >>~/.ssh/authorized_keys2"'
ssh-keygen -t dsa -f ~/.ssh/whoisit
Just press return when it asks you to assign it a passphrase- this will make a key with no passphrase required. If this works right you will get two files called whoisit and whoisit.pub in your .ssh dir.
We want to work on it a little. tempfile should consist of one really long line that looks kind of like this:
ssh-dss AAAAB3NzaC1k[...]9qE9BTfw== email@example.com
command="echo I\'m `/usr/ucb/whoami` on `/usr/bin/hostname`",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss AAAAB3NzaC1k[...]9qE9BTfw== whoisitnowThat will do what we want on Solaris; to try this example on Linux use this:
command="echo I\'m `/usr/bin/whoami` on `/bin/hostname`",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss AAAAB3NzaC1k[...]9qE9BTfw== whoisitnow
The stuff to prepend is your command that will be run when this key is activated, and some options to keep it from being abused (hopefully). The last thing on the line is just a comment, but you probably want to set it to something meaningful.
Also, most examples I see use no-pty as an additional option, but this messes up the carriage-return/linefeediness of the output of the above example. (Try it.) I haven't looked into it enough to see why you would want it, but there you go.
Append tempfile to your authorized_keys2 file on burly.
The following also works but is cumbersome:
ssh-agent sh -c 'ssh-add ~/.ssh/whoisit < /dev/null && ssh burly'
You can also append this "command key" to a different account's
authorized_keys2 file and trigger it from a different
username. You just need the secret key. Like so:
ssh -i ~/.ssh/whoisit -l paulkeck burly'
The next leap in the pattern is something like this:
ssh -i /home/pkeck/.ssh/whoisit -l paulkeck burly'
This could be run by any user on the box if they could read your secret key, so always keep your .ssh dir and all your keys chmodded to 700 and 600 respectively.
You can send the stuff on STDIN with something like this on the triggering
ssh-agent sh -c 'ssh-add ~/.ssh/whoisit < /dev/null && cat alarm.au | ssh burly'
ssh-agent sh -c 'ssh-add ~/.ssh/whoisit < /dev/null && tar cf - /home/pkeck | ssh burly'
Maybe for that one the corresponding command to "catch" that stream would be:
cat - > ~/backups/pkeck.tar.`date +%Y%m%d.%H-%M-%S`
You get the idea! Go crazy!
Tape examples from Ed Cashin's Gettin' Fancy with SSH Keys, my inspiration for getting into this whole thing!