Running ssh in batch mode

ask for a password or passphrase, as long as password authentication is not needed (as when you're using RSA user authentication), and as long as a passphrase isn't used to protect the user's private key. Although this method is less secure, it's useful in scripts where a user might not be around to supply input. Some security is still maintained because only the user, as the owner of her identity file, can read the private key, due to file permissions.

8.3.2.3 Useful ssh parameters for our purposes

Like sshd, ssh also has a configuration file, called /etc/ssh_config. By default, everything in the file is commented out. In addition, there are a number of command-line parameters. We'll look at a few of them here:

-l username : A useful feature of the SSH client is the ability to change the login name you're using when logging into another machine. Like rsh, it will normally use the name that you're logged in with on the system you're connecting from. You can override that behavior with this parameter.

-c cipher : This parameter lets you change the encryption technique the client is using. As we've said, it's IDEA by default. The ciphers you can set with this parameter are idea, blowfish, des, 3des, arcfour, and none. You can also change this with the Cipher parameter in the ssh_config file.

-p port : This allows you to change the default port from 22 to something else, just as in sshd. The Port parameter in ssh_config also controls this.

-o option : This allows you to give on the command line one of the ssh_config file options for which there might not be a separate parameter. For example, including the configuration file option BatchMode yes will keep the client from asking you for a password or passphrase, which is useful in scripts.

-t : This parameter tells the client to force the server to allocate a pseudo-terminal, even if the client is being used to run a command remotely. This parameter is important to our VPN setup.
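The non-interactive invocation described above, as an added example that is not from the book: a POSIX shell script that runs a remote command with BatchMode switched on from the command line (using ssh's -o, -l and -p options from this section plus -i, the identity-file option, which the text does not cover), after first checking that the private key it depends on is readable by its owner only, since an unprotected key is only as safe as its file permissions. The user, host, port, key path and remote command are placeholders.

```shell
#!/bin/sh
# Added example, not from the book. Runs a command over ssh the way a cron
# job or script would: no prompt is ever shown, and the script refuses to
# proceed if the private key it relies on is readable by anyone but its owner.

# Return 0 if FILE is a regular file whose mode grants nothing to group or
# other (for example -rw-------), 1 otherwise. Parses the mode column of
# ls -l so it works with both GNU and BSD userland.
identity_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Run the remaining arguments as a command on HOST as USER over PORT, using
# the private key KEY. BatchMode=yes makes ssh fail instead of prompting if
# the key needs a passphrase or the server insists on a password, so an
# unattended script never hangs waiting for input.
ssh_batch() {
    key=$1; user=$2; host=$3; port=$4; shift 4
    if ! identity_is_private "$key"; then
        echo "refusing to use $key: missing or not owner-only (mode 0600)" >&2
        return 2
    fi
    ssh -o BatchMode=yes -l "$user" -p "$port" -i "$key" "$host" "$@"
}

# Usage (placeholders; only meaningful where ssh and the key exist):
# ssh_batch "$HOME/.ssh/identity" backup backup.example.com 22 uptime
```

The permission check is deliberately done in the script rather than trusted to the server: a world-readable key still works for ssh, so nothing in the normal flow would otherwise flag it.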

8.3.2.4 ssh-keygen

The ssh-keygen utility can be used by SSH users to generate their RSA user key pairs on their client systems, or by an administrator to create a host key pair. It's run straight from the command line, and most users won't need to include any other parameters. It generates the $HOME/.ssh/identity file for the private key, and the $HOME/.ssh/identity.pub file for the public key. Additionally, it asks for a passphrase, which is used to encrypt the private key with 3DES. This means that if someone happened to get hold of your private key file, they would not be able to read the key unless they also knew your passphrase. 3DES is still considered safe from brute-force attacks.

-b bits : This sets the number of bits used in the key pair. It's 1024 bits by default, which is also recommended.

-f file : This parameter can be used to create a key file with a name other than the default.

8.3.2.5 ssh-agent and ssh-add

The ssh-agent command is executed by a user on his or her local machine, and is used in conjunction with RSA user authentication. The purpose of ssh-agent is to hold the private identity keys for a given user. The ssh-add program adds these identity keys to the agent. Running ssh-agent and ssh-add before executing ssh means that you won't have to enter a passphrase each time you want to execute the client. The passphrase is requested when you run ssh-add, which then decrypts the private key and stores it in memory, and you're never again asked for it while the agent is running.

The agent can also hold multiple identity keys, to enable easy login to multiple machines where different identities might be used. Why have different identities? One reason might be that security policy at work dictates the need for a 1024-bit key, while at home or school you can get by with a 512-bit key. In this case you would want an identity for each security level. Another reason is that having multiple identities means that not all the systems you access will be vulnerable if a single identity is compromised. When you have multiple identities, ssh will try each key held in memory until the server accepts one and sends a challenge.

ssh-agent can be given a command parameter. This command is usually a shell, or the command to start an X Window System environment. ssh-agent will execute this command, and all subsequent commands will be children of the agent. All of these children will have access to the private keys the agent stores, and the keys will be removed from memory once the initial command exits. In addition, ssh-agent can be called from an eval statement within a shell script. Using this method, you do not need to provide a shell as a parameter.

When ssh-add is invoked without parameters, it loads $HOME/.ssh/identity. You can also specify other identity key files created with ssh-keygen by giving the location and name of the file. For instance, you might have one private key for school, another for home, and another for work. In this case, you might issue commands like the following:

    ssh-agent $SHELL
    ssh-add ~/.ssh/home
    ssh-add ~/.ssh/work
    ssh-add ~/.ssh/school
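The eval form of ssh-agent mentioned above, in a script that loads several identities, as an added example that is not from the book. It assumes the OpenSSH ssh-agent options -s (print Bourne-shell assignments) and -k (kill the agent named by SSH_AGENT_PID), neither of which the text discusses, and the identity file names home, work and school are placeholders taken from the example above.

```shell
#!/bin/sh
# Added example, not from the book. Starts an agent for the lifetime of the
# script, loads only the identity files that actually exist, runs a command
# that inherits the agent, and kills the agent (discarding the decrypted keys
# it holds in memory) when the script exits, however it exits.

# Placeholder identity names, one key per security level as the text suggests.
IDENTITY_NAMES="home work school"

# Echo, one per line, those of NAME... that exist as files under DIR, so that
# ssh-add is never pointed at a key that is not present on this machine.
select_identities() {
    dir=$1; shift
    for name in "$@"; do
        if [ -f "$dir/$name" ]; then
            echo "$dir/$name"
        fi
    done
}

# Start ssh-agent via eval, add the identities found under DIR, then run the
# remaining arguments as a command with the agent in its environment.
run_with_agent() {
    dir=$1; shift
    command -v ssh-agent >/dev/null 2>&1 || {
        echo "ssh-agent not installed" >&2; return 2; }

    # ssh-agent -s prints Bourne-style assignments of SSH_AUTH_SOCK and
    # SSH_AGENT_PID; eval puts them into this shell, so no shell has to be
    # handed to ssh-agent as its command (assumption: OpenSSH ssh-agent).
    eval "$(ssh-agent -s)" >/dev/null

    # Stop the agent when the script finishes, so the keys leave memory.
    trap 'ssh-agent -k >/dev/null 2>&1' EXIT

    ids=$(select_identities "$dir" $IDENTITY_NAMES)
    if [ -z "$ids" ]; then
        echo "no identity files found under $dir" >&2
        return 1
    fi
    # ssh-add asks for each key's passphrase once; every ssh started from
    # this script afterwards uses the decrypted keys without prompting.
    # (Paths are split on whitespace here; the placeholder names contain none.)
    ssh-add $ids || return 1
    ssh-add -l        # show what the agent now holds

    "$@"
}

# Usage (placeholders):
# run_with_agent "$HOME/.ssh" ssh -l alice work.example.com uptime
```

Because the trap fires on any exit, a failure partway through (a wrong passphrase, a missing key) still leaves no agent running with keys in memory, which is the property the text's "keys will be removed from memory once the initial command exits" describes for the shell form.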