I have a server which I have to access frequently via ssh, because I compute on it. Now, the computing center explicitly forbids SSH-keys because they are "insecure". They feel that typing my password, on a keyboard, everytime, possible in front of other humans, is a much safer way to login.
Now; I cannot change their minds (I tried).
Is there a way to at least temporarily store SSH passwords, the way GIT can store passwords in a cache for some defined time?
Answer
Connection reuse
SSHv2 allows the same authenticated connection to establish multiple 'channels' – interactive shell, batch command, SFTP, along with the secondary ones such as agent-forwarding or TCP-forwarding. Your server probably supports connection multiplexing by default. (If your admins complain, it's not caching your password anywhere – it's caching the whole connection.)
With OpenSSH you have ControlMaster
and ControlPath
options (-M and -S) to make use of this:
Start a 'master' SSH connection using
-M
. (Since you don't have a ControlPath in your config yet, you need to specify it in command line using-S
. It needs to live long, so I add the-fN
options to drop to background; they're technically optional otherwise.)$ ssh foo@bar.example.com -fNMS ~/.ssh/bar.socket
foo@bar.example.com's password:You're back to the local shell.
Start a new connection through the master:
$ ssh foo@bar.example.com -S ~/.ssh/bar.socket
You're in.
To make this useful for Git/rsync/SFTP, you need to set up
ControlPath
in your configuration, because you won't be able to specify-S
all the time:Host *
ControlPath ~/.ssh/S.%r@%h:%p
You can automate this – recent OpenSSH versions also have ControlPersist
which automatically establishes a master connection in background if there isn't one yet. This allows you to skip step 1 and just use ssh as you normally would.
Configuration in
~/.ssh/config
:Host *
ControlPath ~/.ssh/S.%r@%h:%p
ControlMaster auto
ControlPersist 15mFirst connection asks for password:
$ ssh foo@bar.example.com
foo@bar.example.com's password:
[foo@bar:~]$ exitThe second doesn't:
$ ssh foo@bar.example.com
[foo@bar:~]$ yay
To control the multiplex master (stop it or configure TCP forwardings), use the -O
option.
A similar method is supported by recent PuTTY versions.
No comments:
Post a Comment