If you connect to many different environments for management and development using SSH, an SSH agent configuration reduces friction.
An SSH (Secure Shell) agent is a background program that holds your decrypted private keys in memory so that key-based authentication to remote servers works without re-entering the key's passphrase each time. Multiple sessions can authenticate using the keys held by the agent, which improves both convenience and security (the passphrase is typed once, and the key file itself is never handed to anything else) when managing many SSH connections.
A traditional way to configure this access is to load the key into the agent:
ssh-add -K ~/path/to/my/identity/file
(On macOS 12 and later the Keychain option is spelled --apple-use-keychain; -K is the older Apple spelling of the same flag.)
Then connect with agent forwarding enabled:
ssh -A remote_user_name@my.fully.qualified.server.com
The problem is that every time I reboot my Mac, the agent is cleared and I have to look up and go through all of those steps again.
So, I've outlined a few steps to remove the extra setup.
The SSH configuration file (~/.ssh/config) acts as a master configuration that tells your SSH client how to reach the downstream services.
It allows you to specify host aliases so you don't have to type the fully qualified hostname, the user to log in as for a given alias, and the identity file used to connect to the instance.
First, navigate to your ~/.ssh folder, then open the config file (create it if it does not exist yet):
cd ~/.ssh
nvim config
Do not use sudo for this: the file must be owned by you and not writable by anyone else (chmod 600 ~/.ssh/config), otherwise ssh refuses to read it with a "Bad owner or permissions" error.
Enter your configuration as follows. First, we will set a global rule for all hosts:
Host *
    AddKeysToAgent yes
Note - This step is only needed if ALL of your hosts use a bastion and you need the SSH agent to pass your identity file down the stream. If only some of your hosts need this, you can add the AddKeysToAgent yes line to just those hosts, or match a host suffix such as Host *.domain.com.
Next, specify your individual host configuration lines with aliases:
Host my_alias
    HostName my.fully.qualified.server.com
    User remote_user_name
    IdentityFile ~/path/to/my/identity/file
The my_alias is what you will use to connect.
Note - If you specify the User line, this user will always be used. Otherwise, you can omit it and specify the user each time you connect.
Note - Simply having this configuration will not automatically forward the ssh-agent. You must still specify the -A flag to enable forwarding. To work around this, we can add a shell alias so that ssh always appends that flag for us.
Create an alias for SSH to override the default ssh command so that it always uses -A.
First, navigate to your home directory. Next, create or modify your shell profile.
Bash profile: ~/.bash_profile
cd ~
nvim .bash_profile
Zsh profile: ~/.zprofile
cd ~
nvim .zprofile
Enter the following line into the editor:
alias ssh='ssh -A'
This tells the shell that every time we type ssh we actually want ssh -A to be executed. Now, every time a new command window is opened, this alias will automatically be created.
Keep in mind what -A does: it forwards your agent socket to the remote host, and anyone with root on that host can use your loaded keys for as long as the session is open. For hosts you do not fully trust, prefer ForwardAgent yes under a specific Host block in ~/.ssh/config over a blanket alias.
Run the following command to immediately load your configuration into the current session (source .zprofile if you use zsh):
source .bash_profile
From here, execute ssh my_alias to verify that you can SSH into the remote host.
If you are connecting to hosts behind a "jumpbox" or "bastion" host, it's helpful to skip the second connection step after the first connection to the bastion host.
We can accomplish this by modifying our ~/.ssh/config file to automatically pass the aliases down.
First, open the SSH configuration again (no sudo, for the ownership reason given above):
vim ~/.ssh/config
Previously, we had the following:
Host *
    AddKeysToAgent yes
Host my_alias
    HostName my.fully.qualified.server.com
    User remote_user_name
    IdentityFile ~/path/to/my/identity/file
We will modify the existing configuration for my_alias to match BOTH my_alias and *.my_alias (e.g. web1.my_alias):
Host *
    AddKeysToAgent yes
Host my_alias *.my_alias
    HostName my.fully.qualified.server.com
    User remote_user_name
    IdentityFile ~/path/to/my/identity/file
This ensures that anything with the suffix .my_alias also uses the my_alias configuration (the bastion's HostName, User and IdentityFile), while my_alias on its own still just connects to the bastion host.
Now, we will add a new alias configuration for the protected server:
Host web1.my_alias
    RemoteCommand ssh web1.protected.local
    RequestTTY force
There are only two lines here:
RemoteCommand is the command executed on the bastion immediately upon login. We execute ssh followed by either the IP address or the hostname of the protected host. Because that second ssh runs on the bastion, it authenticates with your forwarded agent, which is why the -A alias above is needed.
RequestTTY force ensures that we always get back a shell console in which to run further commands manually. If we were just executing a command and quitting, we could omit this.
Save the configuration file and connect to the second host by executing ssh web1.my_alias; you get back the command console for the second host. When we run exit, it automatically logs out of both instances.
Note that OpenSSH's ProxyJump option (ssh -J my_alias web1.protected.local) covers the same bastion scenario by tunnelling the second connection through the bastion without forwarding your agent to it, so the bastion never gets use of your keys; consider it where the bastion is not fully trusted.
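As an added example (not code from the original article), the following Python script models the ssh_config matching rules this setup depends on: blocks are evaluated in file order, a host matches a block if any of its Host patterns glob-matches it, and the first value obtained for a keyword wins. PAGE_CONFIG is a constructed copy of the final configuration above, and PITFALL_CONFIG shows why a catch-all Host * block that sets User must come last; pattern matching uses Python's fnmatch, which is close to but not identical to ssh's own wildcard rules.

```python
import fnmatch

# Constructed ssh_config text mirroring the article's final configuration.
PAGE_CONFIG = """Host *
    AddKeysToAgent yes

Host my_alias *.my_alias
    HostName my.fully.qualified.server.com
    User remote_user_name
    IdentityFile ~/path/to/my/identity/file

Host web1.my_alias
    RemoteCommand ssh web1.protected.local
    RequestTTY force
"""

# Pitfall: a catch-all block placed first silently pins User for every host,
# because ssh keeps the first value it obtains for each keyword.
PITFALL_CONFIG = "Host *\n    User admin\n" + PAGE_CONFIG


def parse_blocks(text):
    """Split ssh_config text into (patterns, {keyword: value}) blocks in file order."""
    blocks, patterns, opts = [], ["*"], {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        else:
            opts.setdefault(key, value)  # first value within a block wins too
    blocks.append((patterns, opts))
    return blocks


def host_matches(host, patterns):
    """Host keyword semantics: some positive pattern matches and no '!' pattern does."""
    hit = any(fnmatch.fnmatchcase(host, p) for p in patterns if not p.startswith("!"))
    veto = any(fnmatch.fnmatchcase(host, p[1:]) for p in patterns if p.startswith("!"))
    return hit and not veto


def resolve(host, text=PAGE_CONFIG):
    """Effective options for `host` as ssh would obtain them: first value wins."""
    effective = {}
    for patterns, opts in parse_blocks(text):
        if host_matches(host, patterns):
            effective = {**opts, **effective}  # earlier blocks keep precedence
    return effective
```

Running resolve("web1.my_alias") shows the host picking up HostName, User and IdentityFile from the my_alias *.my_alias block and RemoteCommand plus RequestTTY from its own block, which is exactly what ssh -G web1.my_alias would report against the real file.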
In this article, we learned:
- How to create an alias for the ssh command to always enable SSH agent forwarding.
- How to use the ~/.ssh/config file to create aliases for our long domain names or IP addresses, set the user, and specify the identity file to use for the connection.
- How to extend the ~/.ssh/config file to execute a remote command that automatically logs into a protected instance, simplifying future logins.