- OpenShift Cookbook
- Shekhar Gulati
- 2021-08-05 17:37:36
Working with the SSH key passphrases
In the Uploading SSH keys using the web console recipe, you learned how to create a new SSH key pair and upload it to an OpenShift account. The SSH key pair was created with an empty passphrase. The passphrase is a password to protect the private key. The empty passphrase avoids reentering a passphrase every time you use the key, but it might cause some security concerns. This recipe will walk you through the process of securing your SSH keys while avoiding having to re-enter the passphrase every time you use the key.
Getting ready
To step through this recipe, you will need the OpenSSH SSH connectivity tools installed on your machine.
To make sure that the OpenSSH client tool is installed, run the following command:
$ ssh -V
OpenSSH_6.2p2, OpenSSL 1.0.1e-fips 11 Feb 2013
The output of the preceding command will depend on the operating system and OpenSSH version installed on your machine. If you get ssh: command not found, then the OpenSSH tools are not installed on your machine.
This recipe will use the WordPress application created in the Uploading SSH keys using the web console recipe.
How to do it…
Perform the following steps to use SSH key passphrases:
- Passphrases can be added at key creation time or to an existing key without generating a new key pair. As you have already created the key pair in the Uploading SSH keys using the web console recipe, we will reuse this key pair. You will use ssh-keygen to add a passphrase to the existing key:
  $ ssh-keygen -p
  Enter file in which the key is (/home/vagrant/.ssh/id_rsa):
  Key has comment '/home/vagrant/.ssh/id_rsa'
  Enter new passphrase (empty for no passphrase): <Enter passphrase>
  Enter same passphrase again: <Enter passphrase again>
  Your identification has been saved with the new passphrase.
- Now, if you try to SSH into the application gear, you will be asked to enter the passphrase.
- Next, run the ssh-agent command. The ssh-agent command, which is a part of the OpenSSH toolbelt, is another tool that stores your passphrase securely so that you do not have to re-enter the passphrase. You can run the ssh-agent command by typing the following:
  $ ssh-agent $SHELL
- To add the passphrase, run the ssh-add utility:
  $ ssh-add
  Enter passphrase for /home/vagrant/.ssh/id_rsa: <Enter passphrase>
  Identity added: /home/vagrant/.ssh/id_rsa (/home/vagrant/.ssh/id_rsa)
- Connect to the application gear to see the SSH agent in action. You will notice that you are not asked to enter the passphrase:
  $ ssh 52b823b34382ec52670003f6@blog-osbook.rhcloud.com ls
  app-deployments app-root git mysql php phpmyadmin
- Exit the shell to end the ssh-agent session. If you try to connect with the application gear now, you will be asked to enter the passphrase:
  $ ssh 52b823b34382ec52670003f6@blog-osbook.rhcloud.com ls
  Enter passphrase for key '/home/vagrant/.ssh/id_rsa':
How it works…
The ssh-agent utility stores the SSH keys in memory. It caches the private keys and responds to the authentication queries from SSH clients. The ssh-add utility is used to add and remove keys from ssh-agent. In step 1, you added the passphrase to your existing key. By default, it will use the default key, id_rsa, in the .ssh folder, but you can provide another SSH key file using the -i option. Now, SSH into the application gear and you will be asked to enter the passphrase:
$ ssh 52b823b34382ec52670003f6@blog-osbook.rhcloud.com ls
Enter passphrase for key '/home/vagrant/.ssh/id_rsa':
Step 2 starts the agent by forking the existing shell. It sets some environment variables required by the SSH agent. Next, in step 3, you add the SSH key into the agent. It asks for the passphrase to decrypt the private key. After decryption, it adds the private key to the agent's cache.
Finally, in step 4, you connect to the application gear using the ssh client. This time you will not be asked to enter the passphrase as the agent already cached the private key.
You can terminate the agent or log out from the shell to end the session.
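The recipe starts from a key created with an empty passphrase. The following script is an added example, not code from the book: it flags private keys that still load with an empty passphrase, then shows the result before and after `ssh-keygen -p`. The function names, the throwaway directory and the demo passphrase are constructed for illustration; `ssh-keygen -f` is used to name the key file explicitly.

```shell
#!/bin/sh
# Added example (not from the book): flag private keys stored with an empty passphrase.

# Exit 0 when the private key in $1 loads with an EMPTY passphrase, i.e. it is
# unencrypted on disk. -P '' supplies the passphrase so ssh-keygen never prompts.
# Any load failure (wrong passphrase, permissions OpenSSH rejects) exits non-zero.
key_is_unprotected() {
    ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1
}

# Print one line per private key in directory $1; return 1 if any is unprotected.
audit_keys() {
    found=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        head -n 1 "$f" 2>/dev/null | grep -q 'PRIVATE KEY-----' || continue
        if key_is_unprotected "$f"; then
            echo "UNPROTECTED $f"; found=1
        else
            echo "protected   $f"
        fi
    done
    return "$found"
}

# Constructed walk-through in a throwaway directory: create a key the way the
# earlier recipe did (empty passphrase), audit, add a passphrase, audit again.
demo() {
    dir=$(mktemp -d) || return 1
    ssh-keygen -q -t rsa -b 2048 -N '' -C constructed-demo -f "$dir/id_rsa" || return 1
    audit_keys "$dir" || echo "-> empty passphrase, as created in the earlier recipe"
    # Interactive use: "ssh-keygen -p -f FILE" and answer the prompts. -N is used
    # here only so the demo runs unattended; it exposes the passphrase in argv.
    ssh-keygen -q -p -P '' -N 'constructed-demo-passphrase' -f "$dir/id_rsa" \
        >/dev/null || return 1
    audit_keys "$dir"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

case "${1:-}" in
    audit) audit_keys "${2:-$HOME/.ssh}" ;;
    demo)  demo ;;
esac
```

Run the script with `demo` for the walk-through, or with `audit` and an optional directory (default `~/.ssh`) to check your own keys.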
See also
- The Uploading SSH keys using the web console recipe