Re: ssh-agent: I want to start using on all my remote hosts

2022-06-04 Thread Tom Browder
On Sat, Jun 4, 2022 at 13:52 john doe  wrote:

> On 6/4/2022 8:28 PM, Tom Browder wrote:
> > On Sat, Jun 4, 2022 at 10:02 Andy Smith  wrote:
> > ...
> >
> > > You seem to be very reboot-happy. I recommend understanding the
> > > impact of the changes you will make instead of assuming you need to
> > > reboot to make them effective.
> >
> > Andy. I know I'm "reboot happy," but it's laziness (no other users at the
> > moment) and fading memory for little-used details.
>
> At the very least, you should document what you do! :)


Actually I do and have my current ssh set up documented. And it includes a
note on how to restart the ssh service. (I'm not even sure if ssh-agent was
around with the original ssh.)

> If I recall correctly, you are setting up a server for production use;
> rebooting might not be an option when this server is put in production.

As I said, I'm still the only user, and the droplet I'm experimenting with
boots up quickly at the moment (and it's not in production yet). So
laziness reigns for now  ;-D

-Tom


Re: ssh-agent: I want to start using on all my remote hosts

2022-06-04 Thread john doe

On 6/4/2022 8:28 PM, Tom Browder wrote:
> On Sat, Jun 4, 2022 at 10:02 Andy Smith  wrote:
> ...
>
> > You seem to be very reboot-happy. I recommend understanding the
> > impact of the changes you will make instead of assuming you need to
> > reboot to make them effective.
>
> Andy. I know I'm "reboot happy," but it's laziness (no other users at the
> moment) and fading memory for little-used details.

At the very least, you should document what you do! :)

If I recall correctly, you are setting up a server for production use;
rebooting might not be an option when this server is put in production.

--
John Doe



Re: ssh-agent: I want to start using on all my remote hosts

2022-06-04 Thread Tom Browder
On Sat, Jun 4, 2022 at 10:02 Andy Smith  wrote:
...

> You seem to be very reboot-happy. I recommend understanding the
> impact of the changes you will make instead of assuming you need to
> reboot to make them effective.

Andy. I know I'm "reboot happy," but it's laziness (no other users at the
moment) and fading memory for little-used details.

But I do appreciate your help.

-Tom


Re: ssh-agent: I want to start using on all my remote hosts

2022-06-04 Thread Andy Smith
Hello,

On Fri, Jun 03, 2022 at 09:43:53AM -0500, Tom Browder wrote:
> 1. Will starting the ssh-agent service interfere with my current ssh login
> (using keys with NO passphrase).

It only matters at the point of authentication, so existing SSH
sessions will not be affected.

> 2. Is there anything to do to start the service other than:
> 
> edit file /etc/ssh/sshd_config to uncomment
> 
> #AllowAgentForwarding yes

The directive you are proposing to uncomment defaults to "yes", so
you need not make any change.

> reboot

You seem to be very reboot-happy. I recommend understanding the
impact of the changes you will make instead of assuming you need to
reboot to make them effective.

In this case you do not need to make a change to your sshd's config,
but if you *did*, it would only be affecting sshd not anything else
on the system. So you'd only need to restart sshd.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: ssh-agent: I want to start using on all my remote hosts

2022-06-04 Thread Andy Smith
Hello,

On Fri, Jun 03, 2022 at 09:52:26AM -0500, Tom Browder wrote:
> And edit file /etc/ssh/ssh_config to change
> 
> # ForwardAgent no
> 
> to
> 
> ForwardAgent yes
> 
> Then reboot.

This is a config file for the ssh client, i.e. the "ssh" command.
As such it's read every time you run ssh and you do not need to
reboot the system after changing its configuration.

Also, the file you mention is the system-wide configuration file,
but the change can also be made on a per-user basis by editing
~/.ssh/config.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: How about ssh certificates (was: Re: ssh-agent: I want to start using on all my remote hosts)

2022-06-03 Thread rhkramer
Ahh, thanks Greg, I can now see those missing parts of the article -- it was 
NoScript, but, seeing most of the graphics in the article, somehow NoScript 
didn't come to mind as the cause of the problem.



On Friday, June 03, 2022 02:29:45 PM Greg Wooledge wrote:
> On Fri, Jun 03, 2022 at 01:16:45PM -0500, Tom Browder wrote:
> This happens ALL THE TIME when I use NoScript.
> 
> > I briefly looked at the article and didn't notice anything missing. Maybe
> > if you could take some screen shots in those areas we could help.
> 
> The first one I found is after this sentence:
> 
>   Copy it to a file on CA server and run the command:
> 
> NoScript initially reports 3 domains:
> 
>   betterprogramming.pub
>   cloudflareinsights.com
>   medium.com
> 
> Telling NoScript to Temp.Trust all 3 of these domains fixes this one
> (for me).  And once I do that, NoScript now reports that there are 7
> domains.  One of them (github.com) is already trusted, so you might need
> that one as well -- I don't know.
> 
> I'm sure you're used to this, if you're a NoScript user.



Re: How about ssh certificates (was: Re: ssh-agent: I want to start using on all my remote hosts)

2022-06-03 Thread Tom Browder
On Fri, Jun 3, 2022 at 13:46  wrote:

> On Friday, June 03, 2022 02:16:45 PM Tom Browder wrote:
> > I briefly looked at the article and didn't notice anything missing. Maybe
> > if you could take some screen shots in those areas we could help.
>
> Thanks for the reply, and thanks, I'll do that.
>
> I guess you intentionally replied off list, but that means I can attach
> some screen shots without worrying about whether that violates a list policy.


Hm, no I don't see that I replied off list, maybe you're having a browser
problem of some kind as you hinted.

-Tom


Re: How about ssh certificates (was: Re: ssh-agent: I want to start using on all my remote hosts)

2022-06-03 Thread David Christensen

On 6/3/22 08:46, rhkra...@gmail.com wrote:
> On Friday, June 03, 2022 10:43:53 AM Tom Browder wrote:
> > I have been using ssh for logging in to my remote hosts for many years, but
> > I have NOT been using ssh-agent.
>
> I'm intentionally not addressing your specific questions.
>
> For me, your post is rather timely, because I'm digging into ssh and was
> trying to understand the different methods of authentication and trying to
> decide what was best for me.  (I have a SOHO with up to 5 nodes at a time
> (right now only 3).)
>
> From some of my reading, ssh certificates seem to be highly recommended,
> although it has seemed difficult for me to get all the details I want.
>
> The best resource I've found so far is:
>
> https://betterprogramming.pub/how-to-use-ssh-certificates-for-scalable-secure-and-more-transparent-server-access-720a87af6617?gi=8a3ac1f658bc
>
> One problem with that article is that it seems that there are about 3 blanks
> in it where, for example, the text mentions something like ~"use this command"
> and then there is a big blank spot.  (I've tried viewing the page in 2 to 4
> different browsers, depending on how you count them -- some older versions of
> firefox, a fairly recent version of firefox, and an older version of konqueror).
>
> I've looked for a way to contact the author but haven't found anything so far.
>
> Some of the advantages of certificates are (iiuc):
>
> * maybe a simpler setup, after you understand how to do it
>
> * easier to manage the keys / authentication (specifically, if you need to
> revoke permissions for a user you can do it in one place)
>
> * apparently the security can be somewhat better (maybe a result of the
> previous bullet, but I think some other things as well)
>
> * you can make the transition gradually -- you can keep the "old" public
> key authentication in place (and continue to use it when, where, and if
> needed) while you transition some server(s) and user(s) to certificates.
>
> I thought I'd call your attention to this for your consideration -- perhaps
> with both of us investigating and asking questions as needed, we both might
> make quicker progress.
>
> In any event, have a good day!


"Public key infrastructure" is large and complex; I am still climbing a 
subset of its many learning curves.



I own and recommend "TLS Mastery" by Michael W. Lucas:

https://mwl.io/nonfiction/networking#tls


David



Re: How about ssh certificates (was: Re: ssh-agent: I want to start using on all my remote hosts)

2022-06-03 Thread Greg Wooledge
On Fri, Jun 03, 2022 at 01:16:45PM -0500, Tom Browder wrote:
> On Fri, Jun 3, 2022 at 10:46  wrote:
> >
> > One problem with that article is that it seems that there are about 3
> > blanks in it where, for example, the text mentions something like ~"use this
> > command" and then there is a big blank spot.

This happens ALL THE TIME when I use NoScript.

> I briefly looked at the article and didn't notice anything missing. Maybe
> if you could take some screen shots in those areas we could help.

The first one I found is after this sentence:

  Copy it to a file on CA server and run the command:

NoScript initially reports 3 domains:

  betterprogramming.pub
  cloudflareinsights.com
  medium.com

Telling NoScript to Temp.Trust all 3 of these domains fixes this one
(for me).  And once I do that, NoScript now reports that there are 7
domains.  One of them (github.com) is already trusted, so you might need
that one as well -- I don't know.

I'm sure you're used to this, if you're a NoScript user.



Re: ssh-agent: I want to start using on all my remote hosts

2022-06-03 Thread David Christensen

On 6/3/22 07:43, Tom Browder wrote:
> I have been using ssh for logging in to my remote hosts for many years, but
> I have NOT been using ssh-agent.
>
> I have checked all those hosts looking for the env var SSH_AGENT_SOCK which
> one website says should be defined if the ssh-agent process is running, but
> none have that defined.
>
> Now I'm ready to start but I want to start with one host to make sure my
> work flows aren't interrupted. Some questions:
>
> 1. Will starting the ssh-agent service interfere with my current ssh login
> (using keys with NO passphrase).



Entering passphrases every time you issue an SSH-enabled command is a 
PITA.  I also used keys without passwords before I discovered 
ssh-agent(1) and ssh-add(1).  Now all of my keys have passphrases.  You 
should create new SSH keys with strong passphrases.




> 2. Is there anything to do to start the service other than:


On 6/3/22 07:52, Tom Browder wrote:
> On Fri, Jun 3, 2022 at 09:43 Tom Browder  wrote:

> And edit file /etc/ssh/ssh_config to change
>
>  # ForwardAgent no
>
> to
>
>  ForwardAgent yes
>
> Then reboot.


If you change /etc/ssh/ssh_config, there is no need to reboot.  I enable 
ForwardAgent on all of my hosts, so that I can login via ssh(1) and use 
cvs(1) over SSH.



If you change /etc/ssh/sshd_config, then you need to send a HUP signal 
to sshd(8), restart sshd(8), or reboot.



If you want to use your SSH key to login to root accounts, verify 
PermitRootLogin is set to (or defaults to) "prohibit-password" in 
/etc/ssh/sshd_config on the target hosts.



If you want all ssh(1) logins to require an SSH key, set 
PasswordAuthentication to "no" in /etc/ssh/sshd_config on the target hosts.



I own and recommend "SSH Mastery" by Michael W. Lucas:

https://mwl.io/nonfiction/tools#ssh


David
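As an added example (not code from the thread or from any of its authors), here is a POSIX shell script that puts Andy's and David's points into practice: it reads sshd_config text, resolves the effective value of PermitRootLogin, PasswordAuthentication and AllowAgentForwarding using OpenSSH's documented defaults for keywords that are absent or commented out, reports settings weaker than David recommends, and reloads only sshd after a syntax check rather than rebooting. The sample config, the function names and the use of Debian's "ssh" systemd unit are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. A "#PermitRootLogin ..." line in
# sshd_config only documents the default; it is not a setting. This assumes a
# plain config with no Match blocks; on a real host "sshd -T" is authoritative.

# Effective value of one keyword, read from sshd_config text on stdin.
# sshd honours the first uncommented occurrence of a keyword.
sshd_effective() {  # usage: sshd_effective KEYWORD DEFAULT < sshd_config
    v=$(awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }')
    printf '%s\n' "${v:-$2}"
}

# Audit the keywords discussed in the thread. Prints one line per finding
# and returns 1 if logins are weaker than recommended.
sshd_audit() {  # usage: sshd_audit < sshd_config
    cfg=$(cat)
    rc=0
    prl=$(printf '%s\n' "$cfg" | sshd_effective PermitRootLogin prohibit-password)
    pwa=$(printf '%s\n' "$cfg" | sshd_effective PasswordAuthentication yes)
    aaf=$(printf '%s\n' "$cfg" | sshd_effective AllowAgentForwarding yes)
    case "$prl" in
        prohibit-password|without-password|no) ;;
        *) echo "PermitRootLogin=$prl: root should be key-only (prohibit-password)"; rc=1 ;;
    esac
    if [ "$pwa" != no ]; then
        echo "PasswordAuthentication=$pwa: set to no so every login needs a key"; rc=1
    fi
    # The default is already yes, so uncommenting that line changes nothing.
    echo "AllowAgentForwarding=$aaf (OpenSSH default: yes)"
    return $rc
}

# Apply an sshd_config edit without a reboot: syntax-check it, then reload
# only sshd (Debian's unit is "ssh"; sending sshd a HUP also works).
sshd_reload() {
    sshd -t -f "${1:-/etc/ssh/sshd_config}" || return 1
    systemctl reload ssh
}

# Constructed sample: every keyword commented out, so the defaults apply.
SAMPLE_CFG='#PermitRootLogin prohibit-password
#PasswordAuthentication yes
#AllowAgentForwarding yes
Port 22'

printf '%s\n' "$SAMPLE_CFG" | sshd_audit || echo "fix the findings, then run sshd_reload"
```

Keyword matching is case-insensitive, as in sshd itself, and commented lines are ignored, so the sample reports the stock defaults: root is already key-only, but password logins are still accepted.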



Re: How about ssh certificates (was: Re: ssh-agent: I want to start using on all my remote hosts)

2022-06-03 Thread Tom Browder
On Fri, Jun 3, 2022 at 10:46  wrote:

> On Friday, June 03, 2022 10:43:53 AM Tom Browder wrote:
> > I have been using ssh for logging in to my remote hosts for many years,
> > but I have NOT been using ssh-agent.
>
> I'm intentionally not addressing your specific questions.
>
> For me, your post is rather timely, because I'm digging into ssh and was
> trying to understand the different methods of authentication and trying to
> decide what was best for me.  (I have a SOHO with up to 5 nodes at a time
> (right now only 3).)
>
> From some of my reading, ssh certificates seem to be highly recommended,
> although it has seemed difficult for me to get all the details I want.
>
> The best resource I've found so far is:


I remember seeing that in the past. Note when I started my
https://usafa-1965.org website in 2010 I plunged into creating ssl
certificates for my classmates to log in painlessly. But it was a pain for
me, although I built my CA with a hand-coded Perl set of programs which
helped immensely. There are now better CA solutions (open source ones,
too), but for my purposes I think the ssh-agent will be easier.

> https://betterprogramming.pub/how-to-use-ssh-certificates-for-scalable-secure-and-more-transparent-server-access-720a87af6617?gi=8a3ac1f658bc
>
> One problem with that article is that it seems that there are about 3
> blanks in it where, for example, the text mentions something like ~"use this
> command" and then there is a big blank spot.  (I've tried viewing the page
> in 2 to 4 different browsers, depending on how you count them -- some older
> versions of firefox, a fairly recent version of firefox, and an older version
> of konqueror).


I briefly looked at the article and didn't notice anything missing. Maybe
if you could take some screen shots in those areas we could help.

-Tom


How about ssh certificates (was: Re: ssh-agent: I want to start using on all my remote hosts)

2022-06-03 Thread rhkramer
On Friday, June 03, 2022 10:43:53 AM Tom Browder wrote:
> I have been using ssh for logging in to my remote hosts for many years, but
> I have NOT been using ssh-agent.

I'm intentionally not addressing your specific questions.

For me, your post is rather timely, because I'm digging into ssh and was 
trying to understand the different methods of authentication and trying to 
decide what was best for me.  (I have a SOHO with up to 5 nodes at a time 
(right now only 3).)

From some of my reading, ssh certificates seem to be highly recommended, 
although it has seemed difficult for me to get all the details I want.

The best resource I've found so far is:

https://betterprogramming.pub/how-to-use-ssh-certificates-for-scalable-secure-and-more-transparent-server-access-720a87af6617?gi=8a3ac1f658bc

One problem with that article is that it seems that there are about 3 blanks 
in it where, for example, the text mentions something like ~"use this command" 
and then there is a big blank spot.  (I've tried viewing the page in 2 to 4 
different browsers, depending on how you count them -- some older versions of 
firefox, a fairly recent version of firefox, and an older version of konqueror).

I've looked for a way to contact the author but haven't found anything so far.

Some of the advantages of certificates are (iiuc):

   * maybe a simpler setup, after you understand how to do it

   * easier to manage the keys / authentication (specifically, if you need to 
revoke permissions for a user you can do it in one place)

   * apparently the security can be somewhat better (maybe a result of the 
previous bullet, but I think some other things as well)

   * you can make the transition gradually -- you can keep the "old" public 
key authentication in place (and continue to use it when, where, and if 
needed) while you transition some server(s) and user(s) to certificates.

I thought I'd call your attention to this for your consideration -- perhaps 
with both of us investigating and asking questions as needed, we both might 
make quicker progress.

In any event, have a good day!



Re: ssh-agent: I want to start using on all my remote hosts

2022-06-03 Thread Tom Browder
On Fri, Jun 3, 2022 at 09:43 Tom Browder  wrote:

> I have been using ssh for logging in to my remote hosts for many years,
> but I have NOT been using ssh-agent.
>
...

And edit file /etc/ssh/ssh_config to change

# ForwardAgent no

to

ForwardAgent yes

Then reboot.

-Tom