ssh special

Any good network administrator uses SSH extensively.

Of course, any network administrator also interested in security uses public/private key authentication rather than password authentication. ssh-agent adds a wonderful convenience to this system, eliminating the need to type your key's passphrase for every host you SSH to. Combined with agent forwarding (-A on the command line, or ForwardAgent in ssh_config), you only have to enter the passphrase once, when you load the key into ssh-agent the very first time. One caveat: forwarding gives the remote host a channel to your agent for as long as you are connected, so anyone with root there can sign with your keys (though not copy them) while you are logged in, which is why it is better enabled per host than globally. See this article for a good lesson in how this works.

In addition, any good sysadmin probably uses screen in some pretty sick and twisted ways.

The problem is that screen and ssh-agent don't really get along. ssh-agent (or sshd, when the agent is forwarded) listens on a Unix-domain socket and advertises its path in the SSH_AUTH_SOCK environment variable, which ssh reads to find where to send authentication requests. Every login gets a freshly named socket, but shells running inside a screen session keep whatever value SSH_AUTH_SOCK had when screen was first started. Re-attach from a new login and that value points at a socket that no longer exists.

Following some advice that I got on the GNU Screen mailing list, I made a few changes that have saved me a lot of headaches.

Basically, I made my .profile update a symlink at a fixed path in /tmp so that it always points at the current ssh-agent socket, and I modified my .screenrc to set SSH_AUTH_SOCK to that fixed path rather than to the actual socket. The link is refreshed on every login, so the shells inside screen never see a stale value. One caution for shared machines: a fixed, guessable name in the world-writable /tmp can be created first by any other local user (and the sticky bit on /tmp then stops you from removing it), so your ssh would be sent to a path they control. On a multi-user host, keep the link under a directory only you can write to, such as ~/.ssh.

.profile:

if [ "x$SHLVL" = "x1" ] && [ -n "$SSH_AUTH_SOCK" ]; then # login shell with an agent available
    rm -f /tmp/ssh-agent-sock-screen
    ln -s "$SSH_AUTH_SOCK" /tmp/ssh-agent-sock-screen
fi

.screenrc:

unsetenv SSH_AUTH_SOCK
setenv SSH_AUTH_SOCK /tmp/ssh-agent-sock-screen
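The two fragments above are the whole trick, but they trust that SSH_AUTH_SOCK is set and that nobody else has put something at the fixed path. Below is an added, stand-alone version of the same idea (my example code, not from the original post or the GNU Screen list): it keeps the link under a private directory instead of /tmp, checks that the target really is a live socket before linking, refuses to overwrite anything that is not already a symlink, and will not link the path to itself when .profile runs inside a screen window. The directory name, the link name and the helper names are my choices.

```sh
#!/bin/sh
# Added example, not code from the original post: a stable, private
# symlink to the current ssh-agent socket for shells inside screen.
#
# Assumed locations (mine): the link lives in $HOME/.ssh unless
# AGENT_LINK_DIR is set in the environment. A private directory keeps
# other local users from pre-creating the path, unlike /tmp.
AGENT_LINK_DIR="${AGENT_LINK_DIR:-$HOME/.ssh}"
AGENT_LINK="$AGENT_LINK_DIR/agent-sock-screen"

# Point $AGENT_LINK at the agent socket named by $1 (default: $SSH_AUTH_SOCK).
# Exit status: 0 linked (or nothing to do), 1 no usable socket,
# 2 the link path is occupied by something that is not a symlink.
update_agent_link() {
    sock="${1:-$SSH_AUTH_SOCK}"
    # A shell started inside screen already has SSH_AUTH_SOCK set to the
    # link itself; linking it to itself would break it, so do nothing.
    [ "$sock" = "$AGENT_LINK" ] && return 0
    # Only link to something that is actually a socket right now.
    [ -n "$sock" ] && [ -S "$sock" ] || return 1
    mkdir -p "$AGENT_LINK_DIR" && chmod 700 "$AGENT_LINK_DIR" || return 1
    # Never clobber a regular file or directory sitting at the link path.
    if [ -e "$AGENT_LINK" ] && [ ! -L "$AGENT_LINK" ]; then
        return 2
    fi
    # -f replaces a stale link; -n stops ln from descending into a
    # link that happens to point at a directory.
    ln -sfn "$sock" "$AGENT_LINK"
}

# True when the link exists and currently resolves to a socket.
agent_link_ok() {
    [ -L "$AGENT_LINK" ] && [ -S "$AGENT_LINK" ]
}

# The value to put in .screenrc: setenv SSH_AUTH_SOCK <this path>
agent_link_path() {
    printf '%s\n' "$AGENT_LINK"
}

# What .profile would do on each login: refresh the link if an agent
# (local or forwarded) is available; stay quiet otherwise.
if [ -n "$SSH_AUTH_SOCK" ]; then
    update_agent_link || :
fi
```

Source this from .profile, then set the .screenrc line to the path that agent_link_path prints, written out in full. Because the link now lives in a directory with mode 700, the worst a stale link can do is make ssh report that it cannot reach the agent, at which point a fresh login fixes it.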

Now, when I log into X on my laptop, ssh-agent runs automatically, I add my keys and enter their passphrases, and off I go. I never type another passphrase again, even inside screen sessions I re-attach to days later.