ssh-ident: Hello relatively painless ssh-agent

As anyone who consults to multiple clients knows, ssh-agent can be a lifesaver, but it can equally be a huge hindrance.

Take the following scenario: * You are a consultant * You work with 10 different clients * Each client requires you to use a ssh-key to access their services

Now, many people would argue that “Well, you could just use one key for them all.” Note, however, this approach is not in any way secure [1]. If that single key gets compromised, you now have to notify all of your clients, working with them to ensure your affected key is replaced. This can be really frustrating if they do not have good automation or a proper LDAP structure in place.

So then, what are you to do? Well, naturally, you create a separate ssh-key for use with each client. Awesome! Now you have a bunch of keys, each with a different passphrase (if you’re being security conscious anyway). Ok, so you don’t want to type all of these passwords every time you login, so enter ssh-agent. You go ahead, store all of your ssh-keys in your recently started ssh-agent, and go to log in to various servers to make sure it’s working.

What do we have here? An issue! “Too many authentication failures for <username>”.

What the? Why are we having issues now? Well, the answer to this one is relatively simple. When you use ssh-agent, it will hand off every key it has stored until one is accepted, or until the server rejects the multiple attempts. Ok, great. So now you have ssh-agent, but you can’t use it because you have too many keys. So you google around, find out about IdentitiesOnly, and decide to give it a shot. Well, the irony of IdentitiesOnly is that many times, it bypasses the agent, thus you are back to entering the password again [2] . Awe man, back to the drawing board.

But wait, there is hope! A nifty little project exists on github, a project called ssh-ident. This project was developed for those of us with multiple keys. It aims to separate your logins and keys into a manageable framework, so to speak.

So, how do we get started with this nifty little tool? Well, first, you will want to grab a copy of it. I already have projects on github, so I simply cloned it via ssh.

To help you get started, here’s a sneak peak into a part of how I configure my dotfiles:

  • Create a directory: ~/Projects
mkdir ~/Projects
  • Clone ssh-ident into ~/Projects
git clone [email protected]:ccontavalli/ssh-ident.git ssh-ident
  • Add a check to see if ssh-ident/ssh-ident exists in your .(bash|zsh)rc
if [ -f ~/Projects/ssh-ident/ssh-ident ]; then
  alias ssh=~/Projects/ssh-ident/ssh-ident
  echo "ssh-ident has been discovered, enabling"
else
  echo "ssh-ident appears to be missing. no action taken"
fi
  • Create a ~/.ssh-ident config file — At the very minimum, you will need to identify some patterns, in my case, I use the argv method, as it seems the most flexible, as opposed to trying to remember to execute ssh from any given path.
DEFAULT_IDENTITY = "ida"
MATCH_ARGV = [
  (r"texta", "ida"),
  (r"textb", "idb"),
  (r"textc", "idc"),
  (r"textd", "idd"),
]
  • Create ssh-ident identities folders
mkdir -p ~/.ssh/identities/id{a..d}

Now, now that you have some stuff configured, how do you actually make it work? Well, assuming you have used the above as a guide, you would have 4 identity sets: a, b, c, d.

By default, ssh-ident looks for keys that have any of the following filenames:

  • id_*
  • identity*
  • ssh[0-9]-*

Awesome, so we can move our existing keys into the folders, so when we are done, we might have:

  • ~/.ssh/identities/ida/id_rsa
  • ~/.ssh/identities/idb/id_rsa
  • ~/.ssh/identities/idc/id_rsa
  • ~/.ssh/identities/idd/id_rsa

Ok, we’re looking good. There is a caveat though. The ssh-ident specifically looks for the keys using the .pub; I plan on making a patch to change this in the near future as it seems silly, but it does indeed require both the secure and the public file.

Now, assuming you have your .pub and your id_rsa secure files in your .ssh/identities folders, you can test it out:

ssh [email protected]

When you run it, you will see something similar to:

Preparing new agent for identity ida
Loading keys:
/home/<username>/.ssh/identities/ida/id_rsa
Enter passphrase for /home/<username>/.ssh/identities/ida/id_rsa:

Congratulations, your new ssh-ident agent manager is now running. If you would like to see how it works, feel free to read the python script. It has a lot of documentation too.

Hopefully I have left another scar in your life, forcing you to spend some time playing with this new tool!

-Villain

[1] See Security - A safer authentication
[2] For whatever reason, the behavior/expected behavior of IdentitiesOnly seems to cause issues in ssh-config, It is supposed to work using IdentitiesOnly, but many people report issues.

Comments

villains-lab forums