
After all these years aspects of ssh still baffle me

I was adding non-passphrase authorization to a few servers I recently put up, and I find myself still lost as to some aspects of ssh, still today after decades of using it.

For example, looking over this entry in a linux forum I found:

Which to me is a REALLY good question

One of the responses is:


The SSH agent handles signing of authentication data for you. When authenticating to a server, you are required to sign some data using your private key, to prove that you are, well, you.

As a security measure, most people sensibly protect their private keys with a passphrase, so any authentication attempt would require you to enter this passphrase. This can be undesirable, so the ssh-agent caches the key for you and you only need to enter the password once, when the agent wants to decrypt it (and often not even that, as the ssh-agent can be integrated with pam, which many distros do).

I never have to authenticate my private key, as a practical matter, and I haven't done so for years.  Am I to infer that my private keys are not password protected?

Confusing me more is that I have public keys generated in files under ~/.ssh
Code:
[[email protected] ~]$ ls -al ./.ssh/
total 56
drwxrwxrwx   2 ruben ruben  4096 Nov 10 11:43 .
drwxrwxrwx 290 ruben ruben 36864 Nov 10 11:44 ..
-rw-------   1 ruben ruben   782 Oct 17  2018 authorized_keys
-rw-------   1 ruben ruben  1675 Sep  4  2016 id_rsa
-rwxrwxrwx   1 ruben ruben   396 Sep  4  2016
-rwxrwxrwx   1 ruben ruben  1905 Oct 31 21:18 known_hosts

Code:
[[email protected] ~]$ cat ./.ssh/ 
ssh-rsa AAAAB3NzaC1yc2EA..blahblablahIWuiJH4iA [email protected]

So the public key is already generated.  Why do I need to regenerate it?

The SSH agent never hands these keys to client programs, but merely presents a socket over which clients can send it data and over which it responds with signed data. A side benefit of this is that you can use your private key even with programs you don't fully trust.

Another benefit of the SSH agent is that it can be forwarded over SSH.

What is IT?

So when you ssh to host A, while forwarding your agent, you can then ssh from A to another host B without needing your key present (not even in encrypted form) on host A.
What?  If I do that, it is as a user on the middle machine: A->ssh->B(run shell)->ssh->C(run shell)
Data from C is only being relayed back to me because it is being sent to stdout on the shell of B.  I am not directly connected to A->C, nor is there a relay that I am aware of.
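The question in the post above, whether a private key that never prompts for a passphrase is actually unprotected, can be answered from the key file itself without trying to use the key: a legacy PEM key (the format a 2016 id_rsa would be in) carries a "Proc-Type: 4,ENCRYPTED" header only when it is passphrase-protected, and the newer openssh-key-v1 container records its cipher and KDF names in the first fields of the base64 blob, with "none" meaning no passphrase. The following is an added example for this thread, not code from the original post or from OpenSSH; the sample keys are constructed placeholders with no real key material, and the function and constant names are my own.

```python
"""Tell whether an SSH private key file is passphrase-protected, by inspecting
the file format rather than trying to use the key.
Added example for this thread; not OpenSSH code. Sample keys are constructed."""
import base64
import struct
import sys


def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def _pack_string(b: bytes) -> bytes:
    """Inverse of _read_string, used only to build the constructed samples."""
    return struct.pack(">I", len(b)) + b


def key_protection(pem_text: str) -> dict:
    """Classify a private key file: which container format, and is it encrypted."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if (len(lines) < 2 or not lines[0].startswith("-----BEGIN ")
            or not lines[-1].startswith("-----END ")):
        raise ValueError("not a PEM-style key file")
    label = lines[0][len("-----BEGIN "):].rstrip("-").strip()
    body = lines[1:-1]

    if label == "OPENSSH PRIVATE KEY":
        # openssh-key-v1: magic, then ciphername and kdfname as SSH strings.
        blob = base64.b64decode("".join(body))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(magic))
        kdf, _ = _read_string(blob, off)
        return {"format": "openssh-key-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode()}

    if label == "ENCRYPTED PRIVATE KEY":   # PKCS#8, encrypted
        return {"format": "pkcs8", "encrypted": True, "cipher": None, "kdf": None}
    if label == "PRIVATE KEY":             # PKCS#8, cleartext
        return {"format": "pkcs8", "encrypted": False, "cipher": None, "kdf": None}

    if label.endswith(" PRIVATE KEY"):     # legacy "RSA/DSA/EC PRIVATE KEY" PEM
        # Encryption is signalled by RFC 1421 headers before a blank line.
        headers = {}
        for ln in body:
            if not ln:
                break
            if ":" in ln:
                k, v = ln.split(":", 1)
                headers[k.strip()] = v.strip()
        encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
        cipher = None
        if encrypted and "DEK-Info" in headers:
            cipher = headers["DEK-Info"].split(",", 1)[0]
        return {"format": "pem-legacy", "encrypted": encrypted,
                "cipher": cipher, "kdf": None}

    raise ValueError(f"unrecognised key label: {label}")


def constructed_openssh_key(cipher: str, kdf: str) -> str:
    """Build a minimal openssh-key-v1 container with the given cipher/kdf names.
    Only the header fields are meaningful; the key payload is placeholder bytes."""
    blob = (b"openssh-key-v1\x00" + _pack_string(cipher.encode())
            + _pack_string(kdf.encode()) + _pack_string(b"")   # empty kdfoptions
            + struct.pack(">I", 1)                              # one key
            + _pack_string(b"placeholder-public")
            + _pack_string(b"placeholder-private-section"))
    b64 = base64.encodebytes(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64
            + "-----END OPENSSH PRIVATE KEY-----\n")


# Constructed legacy PEM samples (bodies are placeholders, not key material).
LEGACY_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAplaceholderplaceholderplaceholderplaceholder
-----END RSA PRIVATE KEY-----
"""
LEGACY_ENC = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

placeholderplaceholderplaceholderplaceholderplaceholder
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    # With a path argument, inspect a real file; otherwise show the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(key_protection(fh.read()))
    else:
        for name, text in [("legacy plain", LEGACY_PLAIN), ("legacy enc", LEGACY_ENC),
                           ("v1 enc", constructed_openssh_key("aes256-ctr", "bcrypt")),
                           ("v1 plain", constructed_openssh_key("none", "none"))]:
            print(f"{name:12s} {key_protection(text)}")
```

Run it as `python3 keyprot.py ~/.ssh/id_rsa` (file name assumed) to see the verdict for a real key; a legacy file with no Proc-Type header is stored in clear, which is why it never asks for a passphrase and why there is nothing for ssh-agent to cache. The matching .pub does not need to be regenerated from scratch either: `ssh-keygen -y -f ~/.ssh/id_rsa` recomputes the public half from the private key, which is useful when the .pub file has been lost or you want to check that the two still belong together.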