ssh-agent

Seen on GitHub:

SSH agent forwarding can be used to make deploying to a server simple. It allows you to use your local SSH keys instead of leaving keys (without passphrases!) sitting on your server.

This fits nicely with my recent effort to tidy up my SSH keys. Since I have moved everything to hardware keys (FIDO or TPM), the question becomes how a remote machine can authenticate with my SSH key, and this is where ssh-agent helps a lot.

Setup 1: using a FIDO security key:

from desktop

id_ecdsa_sk.pub has already been uploaded to GitHub.

eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ecdsa_sk
ssh -A server

from server

Confirm that there is no private key anywhere on the host; it can still authenticate to GitHub through the forwarded ssh-agent.

ssh git@github.com  # no prompt appears; you must touch the FIDO security key within 10 seconds
PTY allocation request failed on channel 0
Hi Thomas! You've successfully authenticated, but GitHub does not provide shell access.
Connection to github.com closed.

Setup 2: using a TPM security key:

The only difference from the above is that the TPM security key is used.

from notebook

The public key has already been uploaded to GitHub.

eval "$(ssh-agent -s)"
ssh-add -s /usr/lib64/pkcs11/opensc-pkcs11.so
ssh -A server

Other notes

~/.ssh/config

You could consider setting:

  AddKeysToAgent yes
  ForwardAgent yes

But I don't; when I need it I simply run ssh-add again by hand and then ssh -A, which is enough!

ssh-agent

The most common check is ssh-add -l, which shows whether an agent is running and which keys are loaded.

Not every Linux distribution starts ssh-agent automatically, so to reuse an ssh-agent that is already running you can do this:

Run ps ax | grep ssh-agent and note the bind_address path and the PID:

$ ps ax | grep ssh-agent
   1319 ?        Ss     0:00 /usr/bin/ssh-agent -D -a /run/user/1000/ssh-agent.socket
export SSH_AUTH_SOCK=/run/user/1000/ssh-agent.socket
export SSH_AGENT_PID=1319
ssh-add -l

If nothing is found, the agent is probably not running; just run eval "$(ssh-agent -s)" to start one!
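The manual steps above (read ps output, copy the socket path and PID, export them, check with ssh-add -l) as one script. This is an added example, not part of the original post; the ps lines in SAMPLE_PS are constructed to mirror the post, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): locate an already-running ssh-agent
# from `ps ax` output and export SSH_AUTH_SOCK / SSH_AGENT_PID, instead of copying
# the values by hand; start a fresh agent only when none is found.

# Constructed sample of `ps ax | grep ssh-agent` output, mirroring the post.
SAMPLE_PS='   1319 ?        Ss     0:00 /usr/bin/ssh-agent -D -a /run/user/1000/ssh-agent.socket
   2044 pts/0    S+     0:00 grep ssh-agent'

# Read `ps ax`-style lines on stdin; print "<socket> <pid>" for the first
# ssh-agent that was started with `-a <socket>`. Exit 1 if there is none
# (an agent started as `eval "$(ssh-agent -s)"` has no -a, so it is not listed).
parse_agent_from_ps() {
    awk '
        !found && $5 ~ /ssh-agent$/ {
            for (i = 6; i < NF; i++)
                if ($i == "-a") { print $(i + 1), $1; found = 1; break }
        }
        END { exit found ? 0 : 1 }
    '
}

# Attach the current shell to a running agent, or start one. The exit code of
# `ssh-add -l` tells the cases apart: 0 = keys loaded, 1 = agent reachable but
# empty, 2 = cannot talk to the agent (stale socket, wrong SSH_AUTH_SOCK).
attach_agent() {
    found=$(ps ax | parse_agent_from_ps) || found=""
    if [ -n "$found" ] && [ -S "${found% *}" ]; then
        SSH_AUTH_SOCK=${found% *}
        SSH_AGENT_PID=${found#* }
        export SSH_AUTH_SOCK SSH_AGENT_PID
    else
        eval "$(ssh-agent -s)" >/dev/null
    fi
    ssh-add -l >/dev/null 2>&1
    case $? in
        0) echo "agent $SSH_AGENT_PID at $SSH_AUTH_SOCK has keys loaded" ;;
        1) echo "agent $SSH_AGENT_PID at $SSH_AUTH_SOCK is empty; run ssh-add" ;;
        *) echo "cannot reach agent at $SSH_AUTH_SOCK" >&2; return 2 ;;
    esac
}

# Usage: . ./agent.sh && attach_agent   (then `ssh -A server` as in the post)
```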

References:

https://www.howtogeek.com/devops/what-is-ssh-agent-forwarding-and-how-do-you-use-it/
https://docs.github.com/en/authentication/connecting-to-github-with-ssh/using-ssh-agent-forwarding
https://stackoverflow.com/questions/44250002/how-to-solve-sign-and-send-pubkey-signing-failed-agent-refused-operation
https://stackdiary.com/linux-docs/ssh-add/