Ssh Agent Config

30-04-2021 by



SSH keys are typically configured in an authorizedkeys file in.ssh subdirectory in the user's home directory. Typically a system administrator would first create a key using ssh-keygen and then install it as an authorized key on a server using the ssh-copy-id tool. See also the dedicated page on configuring authorized keys for OpenSSH. Welcome to my first official guide on Dev.to. Today I want to explain how you can setup SSH and Git o. Tagged with windows, ssh, git.

Using an ssh-agent, or how to type your ssh password once, safely.

If you work a lot on linux and use ssh often, you quicklyrealize that typing your password every time you connect to a remotehost gets annoying.

Not only that, it is not the best solution in terms of security either:

  • Every time you type a password, a snooper has an extra chance to see it.
  • Every host you ssh to with which you use your password, well, has to know your password. Or a hash of your password. In any case, you probably have typed your password on that host once or twice in your life (even if just for passwd, for example).
  • If you are victim of a Man In The Middle attack, your password may get stolen. Sure, you can verify the fingerprint of every host you connect to, and disable authentication without challenge and response in your ssh config. But what if there was a way you didn't have to do that?

This is where key authentication comes into play: instead of using a passwordto log in a remote host, you can use a pair of keys, and well, ssh-agent.

Using ssh keys

All you have to do is:

  1. generate a pair of keys with ssh-keygen. This will create two files: a public key (normally .pub), and a private key. The private key is normally kept encrypted on disk. After all, it's well, supposed to be private. ssh-keygen will ask you to insert a password. Note that this password will be used to decrypt this file from your local disk, and never sent to anyone. And again, as the name suggest, you should never ever disclose your private key.

  2. copy your public key into any system you need to have access to. You can use rsync, scp, type it manually, or well, use the tool provided with openssh: ssh-copy-id. Note that you could even publish your public key online: there is no (known) way to go from a public key to your private key and to get access to any of your systems. And if there was a way, well, public key encryption would be dead, and your bank account likely empty.

and ... done! That's it, really, just try it out:

So... what are the advantages of using keys? There are many:

  1. Your passphrase never leaves your local machine. Which generally makes it harder to steal.
  2. You don't have a password to remember for each different host. Or...
  3. ... you don't have the same password for all hosts you connect to (depending on your password management philosophies).
  4. If somebody steals your passphrase, there's not much he can do without your private key.
  5. If you fear somebody has seen your passphrase, you can change it easily. Once. And for all.
  6. If there is a 'man in the middle', he may be able to hijack your session. Once (and well, feast on your machine, but that's another story). If a 'man in the middle' got hold of your password instead, he could enjoy your machine later, more stealthy, for longer, and may be able to use your password on other machines.
  7. They just work. Transparently, most of the times. With git, rsync, scp, and all their friends.
  8. You can use an agent to make your life happier and easier.

And if you're wondering what an agent is, you can go to the next section.

Your agent friend

Ok. So you have read this much of the article, and still we have not solved theproblem of having to type your password every freaking time, have we?

That's where an agent comes in handy. Think of it as a safe box you have tostart in the background that holds your keys, ready to be used.

You start an ssh-agent by running something like:

in your shell. You can then feed it keys, with ssh-add like:

or, if your key is in the default location, you can just:

ssh-add will ask your passphrase, and store your private key into thessh-agent you started earlier. ssh, and all its friends (including git,rsync, scp...) will just magically use your agent friend when you try tossh somewhere. Convenient, isn't it?

Assuming you added all the keys you need, you can now ssh to any host,as many times as you like, without ever ever having to retype your password.

Not only that, but you can exploit agent forwarding to jump from one hostto another seamlessly.

Let me give you an example:

  • Let's say you have to connect to a server at your office.
  • Let's say this server is firewalled. In order to ssh there, you first need to ssh into another gateway. Sounds familiar, doesn't it? This means you end up doing:

On this second ssh, what happens? Well, if you type your password, yourcleartext password is visible to the gateway. Yes, it is sent encrypted,decrypted, and then through the console driver fed to the ssh process.If a keylogger was running, your password would be lost.

Worst: we are back to our original problem, we have to type our passwordmultiple times!

We could, of course, store our private key on the company gateway and runan agent there. But that would not be a good idea, would it? Remember:your private key never leaves your private computer, you don't wantto store it on a remote server.

So, here's a fancy feature of ssh and ssh-agent: agent forwarding.

On many linux systems, it is enabled by default: but if you pass -A tothe first ssh command (or the second, or the third, ...), ssh willensure that your agent running on your local machine is usable from theremote machine as well.

For example:

The second ssh here, run from the company gateway, will not ask youfor a password. Instead, it will detect the presence of a remote agent,and use your private key instead, and ask for no password.

Sounds dangerous? Well, there are some risks associated with it, whichwe'll discuss in another article. But here is the beauty of the agent:

Your private key never leaves your local computer. That's right.By design, the agent never ever discloses your private key, itnever ever hands it over to a remote ssh or similar. Instead,ssh is designed such as when an agent is detected, the informationthat needs to be encrypted or verified through the agent is forwardedto the agent. That's why it is called agent forwarding, andthat's why it is considered a safer option.

Configuring all of this on your machine

So, let's summarize the steps:

  1. Generate a set of keys, with ssh-keygen.
  2. Install your keys on remote servers, with ssh-copy-id.
  3. Start an ssh-agent to use on your machine, with eval ssh-agent.
  4. ssh-add your key, type your password once.
  5. Profit! You can now ssh to any host that has your public key without having to enter a password, and use ssh -A to forward your agent.

Easy, isn't it? Where people generally have problems is on how andwhere to start the ssh-agent, and when and how to start ssh-add.

The long running advice has been to start ssh-agent from your .bashrc,and run ssh-add similarly.

In today's world, most distributions (including Debian and derivatives),just start an ssh-agent when you first login. So, you really don't haveanything to do, except run ssh-add when you need your keys loaded,and be done with it.

Still many people have snippets to the extent of:

in their .bashrc, which basically says 'is there an ssh-agent already running? no? start one, and add my keys'.

This is still very annoying: for each console or each session you login into, youend up with a new ssh-agent. Worse: this agent will run forever with your privatekeys loaded! Even long after you logged out. Nothing and nobody will ever kill your agent.

So, your three lines of .bashrc snippet soon becomes 10 lines (to cache agents on disk),then it breaks the first time you use NFS or any other technology to share your homedirectory, and then... more lines to load only some keys, some magic in .bash_logout tokill your agent, and your 4 lines of simple .bashrc get out of control

Conclusion

I promised myself to talk about the pitfalls of using an agent and common approachesto solving the most common problems in a dedicated article. My suggestion for now?

  • Use the ssh-agent tied with your session, and managed by your distro, when one is available (just try ssh-add and see if it works!).

  • Use -t to ssh-add and ssh-agent, so your private key is kept in the agent for a limited amount of time. One hour? 5 miutes? you pick. But at the end of that time, your key is gone.

  • Use something like ssh-ident, to automatically maintain one or more agents, and load ssh keys on demand, so you don't even have to worry about ssh-add.

For full disclosure, I wrote ssh-ident. Surprisingly, that still doesn't preventme from liking it.

-->

Azure DevOps Services | Azure DevOps Server 2020 | Azure DevOps Server 2019 | TFS 2018 - TFS 2015

Connect to your Git repos through SSH on macOS, Linux, or Windows to securely connect using HTTPS authentication. On Windows, we recommended the use of Git Credential Manager Core or Personal Access Tokens.

Ssh Agent Config Mac

Important

SSH URLs have changed, but old SSH URLs will continue to work. If you have already set up SSH, you should update your remote URLs to the new format:

  • Verify which remotes are using SSH by running git remote -v in your Git client.
  • Visit your repository on the web and select the Clone button in the upper right.
  • Select SSH and copy the new SSH URL.
  • In your Git client, run: git remote set-url <remote name, e.g. origin> <new SSH URL>. Alternatively, in Visual Studio, go to Repository Settings, and edit your remotes.

Note

As of Visual Studio 2017, SSH can be used to connect to Azure DevOps Git repos.

How SSH key authentication works

SSH public key authentication works with an asymmetric pair of generated encryption keys. The public key is shared with Azure DevOps and used to verify the initial ssh connection. The private key is kept safe and secure on your system.

Set up SSH key authentication

The following steps cover configuration of SSH key authentication on the following platforms:

  • Linux
  • macOS running at least Leopard (10.5)
  • Windows systems running Git for Windows

Configure SSH using the command line. bash is the common shell on Linux and macOS and the Git for Windows installation adds a shortcut to Git Bash in the Start menu.Other shell environments will work, but are not covered in this article.

Step 1: Create your SSH keys

Note

If you have already created SSH keys on your system, skip this step and go to configuring SSH keys.

The commands here will let you create new default SSH keys, overwriting existing default keys. Before continuing, check your~/.ssh folder (for example, /home/jamal/.ssh or C:Usersjamal.ssh) and look for the following files:

  • id_rsa
  • id_rsa.pub

If these files exist, then you have already created SSH keys. You can overwrite the keys with the following commands, or skip this step and go to configuring SSH keys to reuse these keys.

Create your SSH keys with the ssh-keygen command from the bash prompt. This command will create a 2048-bit RSA key for use with SSH. You can give a passphrasefor your private key when prompted—this passphrase provides another layer of security for your private key.If you give a passphrase, be sure to configure the SSH agent to cache your passphrase so you don't have to enter it every time you connect.

This command produces the two keys needed for SSH authentication: your private key ( id_rsa ) and the public key ( id_rsa.pub ). It is important to never share the contents of your private key. If the private key iscompromised, attackers can use it to trick servers into thinking the connection is coming from you.

Step 2: Add the public key to Azure DevOps Services/TFS

Associate the public key generated in the previous step with your user ID.

  1. Open your security settings by browsing to the web portal and selecting your avatar in the upper right of theuser interface. Select SSH public keys in the menu that appears.

  2. Select + New Key.

  3. Copy the contents of the public key (for example, id_rsa.pub) that you generated into the Public Key Data field.

    Important

    Avoid adding whitespace or new lines into the Key Data field, as they can cause Azure DevOps Services to use an invalid public key. When pasting in the key, a newline often is added at the end. Be sure to remove this newline if it occurs.

  4. Give the key a useful description (this description will be displayed on the SSH public keys page for your profile) so that you can remember it later. Select Save to store the public key.Once saved, you cannot change the key. You can delete the key or create a new entry for another key. There are no restrictions on how many keys you can add to your user profile. Also note that SSH keys stored in Azure DevOps expire after five years. If your key expires, you may upload a new key or the same one to continue accessing Azure DevOps via SSH.

  5. Test the connection by running the following command: ssh -T git@ssh.dev.azure.com.If everything is working correctly, you'll receive a response which says: remote: Shell access is not supported.If not, see the section on Questions and troubleshooting.

Step 2: Add the public key to Azure DevOps

Associate the public key generated in the previous step with your user ID.

Ssh config options

  1. Open your security settings by browsing to the web portal and selecting your avatar in the upper right of theuser interface. Select Security in the menu that appears.

  2. Select + New Key.

  3. Copy the contents of the public key (for example, id_rsa.pub) that you generated into the Public Key Data field.

    Important

    Avoid adding whitespace or new lines into the Key Data field, as they can cause Azure DevOps Services to use an invalid public key. When pasting in the key, a newline often is added at the end. Be sure to remove this newline if it occurs.

  4. Give the key a useful description (this description will be displayed on the SSH public keys page for your profile) so that you can remember it later. Select Save to store the public key. Once saved, you cannot change the key. You can delete the key or create a new entry for another key. There are no restrictions on how many keys you can add to your user profile.

  5. Test the connection by running the following command: ssh -T git@ssh.dev.azure.com.If everything is working correctly, you'll receive a response which says: remote: Shell access is not supported.If not, see the section on Questions and troubleshooting.

Step 3: Clone the Git repository with SSH

Note

To connect with SSH from an existing cloned repo, see updating your remotes to SSH.

  1. Copy the SSH clone URL from the web portal. In this example, the SSL clone URL is for a repo in an organization named fabrikam-fiber, as indicated by the first part of the URL after dev.azure.com.

    Note

    Project URLs have changed with the release of Azure DevOps Services and now have the format dev.azure.com/{your organization}/{your project}, but you can still use the existing visualstudio.com format. For more information, see Visual Studio Team Services is now Azure DevOps Services.

  2. Run git clone from the command prompt.

SSH may display the server's SSH fingerprint and ask you to verify it.You should verify that the displayed fingerprint matches one of the fingerprints in the SSH public keys page.

SSH displays this fingerprint when it connects to an unknown host to protect you from man-in-the-middle attacks.Once you accept the host's fingerprint, SSH will not prompt you again unless the fingerprint changes.

When you are asked if you want to continue connecting, type yes. Git will clone the repo and set up the origin remote to connect with SSH for future Git commands.

Tip

To prevent problems, Windows users should run a command to have Git reuse their SSH key passphrase.

Questions and troubleshooting

Q: After running git clone, I get the following error. What should I do?

A: Manually record the SSH key by running:ssh-keyscan -t rsa domain.com >> ~/.ssh/known_hosts

Q: How can I have Git remember the passphrase for my key on Windows?

A: Run the following command included in Git for Windows to start up the ssh-agent process in PowerShell or the Windows Command Prompt. ssh-agent will cacheyour passphrase so you don't have to provide it every time you connect to your repo.

If you're using the Bash shell (including Git Bash), start ssh-agent with:

Q: I use PuTTY as my SSH client and generated my keys with PuTTYgen. Can I use these keys with Azure DevOps Services?

Ssh Agent Configuration

A: Yes. Load the private key with PuTTYgen, go to Conversions menu and select Export OpenSSH key.Save the private key file and then follow the steps to set up non-default keys.Copy your public key directly from the PuTTYgen window and paste into the Key Data field in your security settings.

Q: How can I verify that the public key I uploaded is the same key as I have locally?

A: You can verify the fingerprint of the public key uploaded with the one displayed in your profile through the following ssh-keygen command run against your public key usingthe bash command line. You will need to change the path and the public key filename if you are not using the defaults.

You can then compare the MD5 signature to the one in your profile. This check is useful if you have connection problems or have concerns about incorrectlypasting in the public key into the Key Data field when adding the key to Azure DevOps Services.

Q: How can I start using SSH in a repository where I am currently using HTTPS?

A: You'll need to update the origin remote in Git to change over from a HTTPS to SSH URL. Once you have the SSH clone URL, run the following command:

You can now run any Git command that connects to origin.

Q: I'm using Git LFS with Azure DevOps Services and I get errors when pulling files tracked by Git LFS.

A: Azure DevOps Services currently doesn't support LFS over SSH. Use HTTPS to connect to repos with Git LFS tracked files.

Q: How can I use a non-default key location, i.e. not ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub?

A: To use keys created with ssh-keygen in a different place than the default, perform these two tasks:

  1. The keys must be in a folder that only you can read or edit. If the folder has wider permissions, SSH will not use the keys.
  2. You must let SSH know the location of the keys. You make SSH aware of keys through the ssh-add command, providing the full path to the private key.

On Windows, before running ssh-add, you will need to run the following command from included in Git for Windows:

This command runs in both PowerShell and the Command Prompt. If you are using Git Bash, the command you need to use is:

You can find ssh-add as part of the Git for Windows distribution and also run it in any shell environment on Windows.

On macOS and Linux you also must have ssh-agent running before running ssh-add, but the command environment on these platforms usuallytakes care of starting ssh-agent for you.

Q: I have multiple SSH keys. How do I use different SSH keys for different SSH servers or repos?

A: Generally, if you configure multiple keys for an SSH client and connect to an SSH server, the client can try the keys one at a time until the server accepts one.

However, this doesn't work with Azure DevOps for technical reasons related to the SSH protocol and how our Git SSH URLs are structured. Azure DevOps will blindly accept the first key that the client provides during authentication. If that key is invalid for the requested repo, the request will fail with the following error:

For Azure DevOps, you'll need to configure SSH to explicitly use a specific key file. One way to do this to edit your ~/.ssh/config file (for example, /home/jamal/.ssh or C:Usersjamal.ssh) as follows:

Q: How do I fix errors that mention 'no matching key exchange method found'?

A: Git for Windows 2.25.1 shipped with a new version of OpenSSH which removed some key exchange protocols by default.Specifically, diffie-hellman-group14-sha1 has been identified as problematic for some Azure DevOps Server and TFS customers.You can work around the problem by adding the following to your SSH configuration (~/.ssh/config):

Replace <your-azure-devops-host> with the hostname of your Azure DevOps or TFS server, like tfs.mycompany.com.

Q: What notifications may I receive about my SSH keys?

A: Whenever you register a new SSH Key with Azure DevOps Services, you will receive an email notification informing you that a new SSH key has been added to your account.

Q: What do I do if I believe that someone other than me is adding SSH keys on my account?

A: If you receive a notification of an SSH key being registered and you did not manually upload it to the service, your credentials may have been compromised.

The next step would be to investigate whether or not your password has been compromised. Changing your password is always a good first step to defend against this attack vector. If you’re an Azure Active Directory user, talk with your administrator to check if your account was used from an unknown source/location.

Q: What do I do if I'm still prompted for my password and GIT_SSH_COMMAND='ssh -v' git fetch shows no mutual signature algorithm?

A: Some Linux distributions, such as Fedora Linux, have crypto policies that require stronger SSH signature algorithms than Azure DevOps supports (as of January 2021). There's an open feature request to add this support.

You can work around the issue by adding the following code to your SSH configuration (~/.ssh/config):

Replace ssh.dev.azure.com with the correct host name if you use Azure DevOps Server.





Affinity Designer Help
Music Recognition Control Center

Comments are closed.