Tara Roys

Reputation: 1836

What is the difference between ssh-add and ssh-agent?

I'm following the GitHub SSH tutorial, and I'm confused about the difference between ssh-add and ssh-agent. The tutorial seems to imply that I will need to enter a password every time I want to use my SSH key, and to stop that, I need to give the key somehow to the SSH agent. However, I am not prompted to enter a password until I run the command ssh-add, and according to the man page

ssh-add adds RSA or DSA identities to the authentication agent, ssh-agent(1).

If the point of an agent is to not have to use a password, why is the agent asking me to create a password?

Here's the code I'm running and my understanding of ssh-add:

ssh-keygen -t rsa -C "[email protected]"
# Creates a new ssh key, using the provided email as a label
# Generating public/private rsa key pair. Public key is like a padlock, private key is like a padlock key.
# Enter file in which to save the key (/Users/you/.ssh/id_rsa): [Press enter]
# This is like taking the padlock and the key together and sticking them in a box.
#-------------------------------
ssh-add id_rsa
# ssh-add is like sticking your key in a safe. Instead of putting your keys on a hook in your house, where anyone can pick them up, you put your key in a safe protected by a password.
Enter passphrase (empty for no passphrase): [Type a passphrase]
Enter same passphrase again: [Type passphrase again]
# The safe now has a password.

What is the relationship between ssh-add and ssh-agent? Am I right in assuming the following:

  1. that doing an SSH keygen without an add is sort of like leaving your keys out in your apartment, where anyone you let into your apartment can pick them up, make a copy, and get to all of your stuff?

  2. Doing an SSH keygen with an add is like sticking your keys in a safe with a combination, so that even if you let somebody into your apartment, they still can't get to all of your keys?

  3. That ssh-add is an action taken by a program called ssh-agent?

Upvotes: 14

Views: 10215

Answers (1)

clement

Reputation: 3375

Suppose you have several remote Linux machines to manage.

First, you set up SSH login by creating a public-private key pair using ssh-keygen -t rsa on your local machine. Let's also suppose that you don't set a passphrase when creating your keys.

Next, you copy your public key to all the remote machines you'd like to log in to by running ssh-copy-id -i ~/.ssh/id_rsa.pub user@somehost. Now, with your private key, you will be able to log in to all the machines where you copied your public key.

Since you didn't create a passphrase, anyone with your private key can log in to all the machines where your public key has been added. Suppose you give access to your local machine to some of your friends and one of them is evil-minded. To prevent them from doing something malicious on the remote machines, you set a passphrase for your private key. Now, whenever you log in using your key, you will be prompted for the passphrase, and so only you (who knows the passphrase) can log in.

But it becomes cumbersome to type the passphrase whenever you want to log in to other machines. So you can give your passphrase to ssh-agent once and it will use it whenever required. You use ssh-add to give your keys to ssh-agent. You can always check which keys your ssh-agent is managing by issuing ssh-add -l.

Upvotes: 33
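The workflow in the answer, as an added example that is not part of the question or the answer: a small POSIX shell script that checks whether a private key is actually passphrase-protected and what state the agent is in, then runs the add-to-agent step on a throwaway key. It assumes OpenSSH's ssh-keygen, ssh-agent and ssh-add are installed; the function names and the demo key files are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the question or the answer). Two checks that make
# the passphrase/agent relationship concrete:
#   key_is_encrypted FILE   succeeds only if FILE needs a passphrase
#   agent_state             prints no-agent | empty | loaded
# Function names and the throwaway key names are this example's own.

# ssh-keygen -y derives the public key from a private key. With -P '' we
# declare an empty passphrase, so an encrypted key makes it fail instead of
# prompting; the exit status therefore reveals whether the key is protected.
key_is_encrypted() {
    [ -r "$1" ] || { echo "cannot read key: $1" >&2; return 2; }
    if ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1; then
        return 1   # public key came out with no passphrase: unprotected
    fi
    return 0       # refused with an empty passphrase: passphrase-protected
}

# ssh-add -l exit codes (documented in ssh-add(1)): 0 = identities listed,
# 1 = agent reachable but holds nothing, 2 = no agent at SSH_AUTH_SOCK.
agent_state() {
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo no-agent ;;
    esac
}

# Walk through the answer's workflow on a throwaway key: start an agent,
# hand it an unprotected key (no prompt) and watch the state change.
# A passphrase-protected key would prompt once at ssh-add, then never
# again for that agent's lifetime.
demo() {
    tmp=$(mktemp -d) || return 1
    ssh-keygen -q -t ed25519 -N '' -f "$tmp/plain" -C "constructed demo key"
    eval "$(ssh-agent -s)" >/dev/null      # exports SSH_AUTH_SOCK, SSH_AGENT_PID
    before=$(agent_state)                  # empty
    ssh-add "$tmp/plain" >/dev/null 2>&1   # unprotected key: loads without a prompt
    after=$(agent_state)                   # loaded
    ssh-agent -k >/dev/null                # stop the throwaway agent
    rm -rf "$tmp"
    echo "$before $after"
}
```

Run `key_is_encrypted ~/.ssh/id_rsa` against your own key to confirm the passphrase really is set before relying on the agent to cache it.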
