Working with the SSH key passphrases
In the Uploading SSH keys using the web console recipe, you learned how to create a new SSH key pair and upload it to an OpenShift account. The SSH key pair was created with an empty passphrase. The passphrase is a password to protect the private key. The empty passphrase avoids reentering a passphrase every time you use the key, but it might cause some security concerns. This recipe will walk you through the process of securing your SSH keys while avoiding having to re-enter the passphrase every time you use the key.
Getting ready
To step through this recipe, you will need the OpenSSH SSH connectivity tools installed on your machine.
To make sure that the OpenSSH client tool is installed, run the following command:
$ ssh -V
OpenSSH_6.2p2, OpenSSL 1.0.1e-fips 11 Feb 2013
The output of the preceding command will depend on the operating system and OpenSSH version installed on your machine. If you get ssh: command not found, then the OpenSSH tools are not installed on your machine.
This recipe will use the WordPress application created in the Uploading SSH keys using the web console recipe.
How to do it…
Perform the following steps to use SSH key passphrases:
- Passphrases can be added at key creation time or to an existing key without generating a new key pair. As you have already created the key pair in the Uploading SSH keys using the web console recipe, we will reuse it. You will use ssh-keygen with the -p option to add a passphrase to the existing key:
$ ssh-keygen -p
Enter file in which the key is (/home/vagrant/.ssh/id_rsa):
Key has comment '/home/vagrant/.ssh/id_rsa'
Enter new passphrase (empty for no passphrase): <Enter passphrase>
Enter same passphrase again: <Enter passphrase again>
Your identification has been saved with the new passphrase.
- Now, if you try to SSH into the application gear, you will be asked to enter the passphrase.
- Next, run the ssh-agent command. The ssh-agent command, which is part of the OpenSSH toolset, is another tool that stores your passphrase securely so that you do not have to re-enter it. You can run ssh-agent by typing the following:
$ ssh-agent $SHELL
- To add the passphrase, run the ssh-add utility:
$ ssh-add
Enter passphrase for /home/vagrant/.ssh/id_rsa: <Enter passphrase>
Identity added: /home/vagrant/.ssh/id_rsa (/home/vagrant/.ssh/id_rsa)
- Connect to the application gear to see the SSH agent in action. You will notice that you are not asked to enter the passphrase:
$ ssh 52b823b34382ec52670003f6@blog-osbook.rhcloud.com ls
app-deployments  app-root  git  mysql  php  phpmyadmin
- Exit the shell to end the ssh-agent session. If you try to connect to the application gear now, you will be asked to enter the passphrase:
$ ssh 52b823b34382ec52670003f6@blog-osbook.rhcloud.com ls
Enter passphrase for key '/home/vagrant/.ssh/id_rsa':
How it works…
The ssh-agent utility stores the SSH keys in memory. It caches the private keys and responds to authentication queries from SSH clients. The ssh-add utility is used to add and remove keys from ssh-agent. In step 1, you added the passphrase to your existing key. By default, it will use the default key, id_rsa, in the .ssh folder, but you can provide another SSH key file using the -i option. Now, SSH into the application gear and you will be asked to enter the passphrase:
$ ssh 52b823b34382ec52670003f6@blog-osbook.rhcloud.com ls
Enter passphrase for key '/home/vagrant/.ssh/id_rsa':
Step 2 starts the agent by forking the existing shell. It sets some environment variables required by the SSH agent. Next, in step 3, you add the SSH key into the agent. It asks for the passphrase to decrypt the private key. After decryption, it adds the private key to the agent's cache.
Finally, in step 4, you connect to the application gear using the ssh client. This time you will not be asked to enter the passphrase, as the agent has already cached the private key.
You can terminate the agent or log out from the shell to end the session.
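The security concern this recipe addresses is a private key stored on disk without a passphrase. As an added example (not code from the book), the following Python audit reads a private key file's own header to tell whether it is encrypted: an openssh-key-v1 file records the cipher name (none means no passphrase), and a legacy PEM key records it in a DEK-Info header. The key blobs it checks are constructed headers without real key material; the helper names are assumptions for this example.

```python
import base64
import struct
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data

def _read_ssh_string(buf: bytes, pos: int):
    """Decode one SSH wire-format string at pos; return (value, next_pos)."""
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + length], pos + 4 + length

def key_cipher(pem_text: str) -> str:
    """Name of the cipher protecting a private key file; 'none' means no passphrase."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 file")
        # Header layout: magic, ciphername, kdfname, kdfoptions, nkeys, ...
        cipher, _ = _read_ssh_string(blob, len(OPENSSH_MAGIC))
        return cipher.decode()
    # Legacy PEM keys announce encryption in a DEK-Info header line before the body
    for line in lines[1:]:
        if line.startswith("DEK-Info:"):
            return line.split(":", 1)[1].strip().split(",")[0].lower()
        if ":" not in line:
            break
    return "none"

def is_passphrase_protected(pem_text: str) -> bool:
    return key_cipher(pem_text) != "none"

def audit_ssh_dir(ssh_dir: Path = None) -> list:
    """Names of id_* private key files in ssh_dir (default ~/.ssh) that have no passphrase."""
    ssh_dir = ssh_dir or Path.home() / ".ssh"
    return [p.name for p in sorted(ssh_dir.glob("id_*"))
            if p.suffix != ".pub" and not is_passphrase_protected(p.read_text())]

def constructed_openssh_key(cipher: str, kdf: str) -> str:
    """CONSTRUCTED openssh-key-v1 header only (no real key material), for demonstration."""
    blob = (OPENSSH_MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
            + _ssh_string(b"") + struct.pack(">I", 1))
    body = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"
```

Running audit_ssh_dir() on a workstation lists the keys that ssh-keygen -p has not yet been applied to.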
See also
- The Uploading SSH keys using the web console recipe