Flat Earth Catalogue

2017-11-27

Hard-won knowledge for convenient SSH
So I can't ssh straight into my department anymore. I have to go through a jump server the college operates, so they can 2-factor authenticate me. Annnd then I have to go through the department's gateway, since the machines inside don't have domain names.

Here's how I've made that less of a pain in the butt. It requires ~/.ssh/config, ssh-agent (called in ~/.profile), ssh-add, one invocation of ssh-keygen, and an invocation or two of ssh-copy-id.

1. Set up the config file. Give each host a handy short name, specify the HostName if it has one, and give it the User parameter if your username there is different. This way you can just say "ssh shortname". For anything that has to be proxied through another machine, add a ProxyCommand parameter: ProxyCommand ssh -A -W %h:%p proxy-shortname, where the last argument is the short name of the machine you're going through (ssh expands %h and %p to the target's HostName and port).

2. To your .profile add: eval `ssh-agent -s` (use -c instead of -s if you run a C shell or similar). Also run that same eval command once by hand to start the agent for your current login. The agent remembers the identities you've loaded into it and uses them for authentication.

3. If you haven't already (check .ssh/ for a .pub file containing your public key), make a keypair with ssh-keygen. This keypair will prove to the hosts that you're you.

4. Run ssh-add to give that identity to the agent. It will hold it for a configurable length of time; once that lifetime expires, you'll need to type the passphrase again to unlock the identity.

5. Run ssh-copy-id shortname for each host you want passwordless login to. The -A switch in the ProxyCommand tells the proxy to forward authentication requests from said host back towards you.
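Here is the ~/.ssh/config that those five steps add up to, written out as an added example rather than the post's own file. Every host name, user name and address in it is an invented placeholder; the college jump server and department gateway stand in for whatever yours are called.

```sshconfig
# Added example ~/.ssh/config for the jump -> gateway -> lab chain.
# All host names, addresses and user names below are invented placeholders.

# The college jump server: password plus second factor, no key login allowed,
# so this is the one hop that still prompts.
Host college-jump
    HostName jump.college.example
    User jdoe

# The department gateway is reachable only through the jump server.
# "ssh -W %h:%p" makes the jump server pipe the raw connection through to
# the gateway, so the inner ssh still authenticates end to end with your key.
Host dept-gw
    HostName gateway.dept.example
    User jdoe
    ProxyCommand ssh -A -W %h:%p college-jump

# Machines inside the department have no domain names, so HostName is
# whatever internal name or address the gateway itself can resolve;
# %h is expanded to that name and the gateway does the lookup.
Host my-lab-group-server
    HostName labserver
    User jdoe
    ProxyCommand ssh -A -W %h:%p dept-gw

# Note on -A: while a hop is open, the host running that hop can use your
# forwarded agent, so keep -A only on hops through machines you trust and
# leave it off everywhere else (ForwardAgent defaults to no).
```

On OpenSSH 7.3 and later, ProxyJump college-jump (or ssh -J on the command line) does the same job as the -W ProxyCommand with less typing; the ProxyCommand form also works on older clients.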

So now I type "ssh my-lab-group-server" with great satisfaction. The config file takes care of imposing the right username and proxying my way in, the authentication forwarding and my ssh-agent prevent password prompts on department machines, and it almost entirely Just Works.

The one thing I'm missing is that I can't do passwordless login to the original college jump server. They only allow that if your second factor is Duo Push on a smartphone, which I don't do. So I do have to type a password there, for now. But once I'm past that, all the department machines know and respect my keypair, so as long as the agent has it loaded I face no further rigmarole.

OK, the one other thing is I have to do this from within my crouton chroot, since the ChromeOS CLI facilities are ... let's say deficient. But I'm starting to just have crouton open all the time anyway, for the same reason.
23:06
