Automatic SSH access, with encrypted keys

by hobbitalastair

I spent an afternoon recently with the aim of ‘fixing’ my current SSH setup. Basically, what I have at the moment is keychain, which prompts for authentication after the first login. After that, it sits in the background, allowing me to have encrypted keys without having to enter my password multiple times.

This has its flaws; namely, it relies on me having logged in via getty, and prompts for a password, ontop of the password for login. As I have been contemplating investigating options for a graphical login manager, I’d like to swap to a PAM based authentication method – which, I believe, is used by all login methods. This means that ssh, getty, and GUI logins managers would all authenticate the keys!

Great, but what about allowing automatic services using SSH – such as backups – to be authenticated automatically?

Luckily, due to their very nature, they don’t need anything other than a user login. After all, no backups will need to be done if nothing has changed, right? Well, at least for the kind of backups I’m trying to do…

I believe that the trick is to use a SSH agent which is persistent across all user logins. This is accomplished by creating a systemd user service, which shares the environment variables required by ssh-agent, such as this one on Github. This essentially has the same functionality as keychain, except that it is systemd specific.

However, coupled with pam_exec, I believe it is possible to automatically unlock SSH keys from login, and add them to the sole running ssh-agent process – see here for an example script.

A project for a weekend, perhaps…

Something worthwhile recording here, in case I need it later, is the current scheme for easy key management across my computers.

  • Key 1: Computer dependent, all of which are added to a shared authorized keys file.
  • Key 2: Computer independent, used for Github and Bitbucket logins. It’s not hard for me to revoke it if required…
  • Key 3: Remote access?

It’s not particularly wise to have a shared key for Bitbucket and Github, but since I don’t believe I can change the online authorized keys except via a GUI, it’s probably the easier method? For not-so-secure computers, though, I’d want to generate a unique local key.

EDIT: I’d also like to move the .ssh directory to .config/ssh, if possible. But that’s possibly a project for another day..