What is the Secure Shell (SSH)? 
The Secure Shell (SSH) is a set of protocols for implementing secure sessions over a non-secure network (such as a standard TCP/IP network). In order to use SSH, you must set up SSH server software on the host. Security features include the following:
- Secure remote login
- Strong authentication of server and client
- Several user authentication methods
- Encrypted terminal sessions
- Secure file transfers
Secure Shell, or SSH, is a network protocol that allows files to be exchanged securely between two computers. Encryption provides confidentiality and integrity of the data. SSH uses public-key cryptography to authenticate the remote computer and, if necessary, to allow the remote computer to authenticate the user.
This guide is made up of the following documents:
- Introduction to SSH
- The Basic SSH Commands
- Mapping to systems over SSH with 'File Browser'
- Command line SSH copying methods
- Exporting remote displays with ssh and telnet
- Creating a personal SSH Configuration File
- Setting up the (SSHD) Server Services
- Passwordless SSH login using RSA Keys
- Configuring the ssh-agent tool
Introduction to SSH Client and Server
The OpenSSH suite replaces legacy 'rlogin' and 'telnet' with the ssh program, rcp with scp, and 'ftp' with sftp. Also included is sshd (the server side of the package), and the other utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan, ssh-keygen and sftp-server.
These tools provide the backbone for Linux interoperability and are used in some capacity in almost every major networking environment.
Tool / Service / Application | Description |
---|---|
ssh | OpenSSH SSH client (remote login program), ex. ssh host.ibm.com -l userid |
sshd | The SSH server, must be running for other systems to access that host |
scp | Secure copy (remote file copy program) ex. scp SOURCE .... DESTINATION ... |
sftp | Interactive file transfer program, the replacement for ftp |
ssh-add | Adds RSA or DSA identities to the authentication agent |
ssh-agent | Holds private keys used for public key authentication (RSA, DSA) |
ssh-keygen | Utility that generates, manages and converts authentication keys |
ssh-keyscan | Utility for gathering the public SSH host keys of a number of hosts |
Brief History
OpenSSH was developed by the OpenBSD Project in an attempt to secure, and provide integrity for, system-to-system file transfers and remote sessions. OpenSSH is developed by two teams: one does strictly OpenBSD-based development, aiming to produce code that is as clean, simple, and secure as possible, while the other maintains the portable release for other operating systems. SSH is available for almost every flavor of Unix and can also be installed on Windows-based systems as a replacement for native protocols.
Key milestones
- 1995, Tatu Ylönen, a researcher at Helsinki University of Technology, Finland, designed the first version of the protocol (now called SSH-1), prompted by a password-sniffing attack on his university's network.
- 1995, Ylönen founded SSH Communications Security to market and develop SSH. The original version of the SSH software used various pieces of free software, such as GNU libgmp, but later versions released by SSH Communications Security evolved into increasingly proprietary software.
- 1996, a revised version of the protocol, SSH-2, was designed, incompatible with SSH-1. SSH-2 features both security and feature improvements over SSH-1 through Diffie-Hellman key exchange and strong integrity checking via message authentication codes.
- 1999, OpenBSD developers forked Björn's code and did extensive work on it, creating OpenSSH, which shipped with the 2.6 release of OpenBSD. From this version, a "portability" branch was formed to port OpenSSH to other operating systems.
- 2000, by the end of the year there were an estimated 2,000,000 users of SSH.
- 2006, the SSH-2 protocol became a proposed Internet standard.
What can you do with SSH?
SSH is a great tool for getting around to various computers on your network, from a simple console connection to running graphical tools remotely. There are lots of things you can do with it besides simply connecting to another machine. Did you know you could use X11 forwarding to get graphical programs running on one machine to display on another, use it with compression and encryption, and use SSH to teach you how to fly helicopters upside down! Okay, perhaps that last one was a stretch, it's not that flexible - let's see what we can do.
First, you'll need the SSH service installed on all of the machines you wish to connect to. Most distros come with the client (i.e. Open Client, Red Hat, SuSE, Ubuntu, etc.), but you'll need a server up and running on the machine you're connecting to.
- Information regarding dates sourced from Wikipedia

The basic SSH Commands
The original method for connecting to machines is via ssh at the command line. It's used in the same way as telnet, as it was designed to replace it. What is different is that it is much more powerful, easier to use, and secured with encryption.
In this example, I'll use two machines. My laptop, called home-pc and my desktop, called server-pc.
So, from home-pc I type:
ssh quickm@server-pc.some.domain
Replace 'server-pc.some.domain' with the system you're sshing to (i.e. host.site.ibm.com) and replace quickm with your username on that computer. You should see a dialog like the one below. Let's dig into SSH a bit more.
$ ssh quickm@cad6-server.fishkill.ibm.com
The authenticity of host 'cad6-server.fishkill.ibm.com (9.62.xxx.xxx)' can't be established.
RSA key fingerprint is 4c:81:2c:bd:7c:e1:e1:5f:b1:xx:b9:53:xx:e0:fe:xx.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'cad6-server.fishkill.ibm.com' (RSA) to the list of known hosts.
quickm@cad6-server.fishkill.ibm.com's password: ********
Last login: Thu Nov 29 00:18:21 2007 from home-pc.fishkill.ibm.com
====> Welcome to the IBM Linux Client for e-business <====
quickm@cad6-server:/afs/fishkill.ibm.com/u/quickm
$
Let's say you want to run a graphical application from a remote machine (in this case server-pc) and display it on your local machine (home-pc). It's not hard at all, use the -X option!
ssh -X quickm@server-pc.some.domain
From there, if I want to launch an application from server-pc and see it on home-pc, I simply type the command to launch it. Some examples to try would be: gftp &, xclock, firefox, system-config-network, etc. (the & allows apps to run on their own so you can have the terminal prompt back). It may take a while for something to run if the connection is weaker.
You can also use SSH to run commands on remote machines and display the output back to you. If you just wanted to see who's on a remote host, you could enter the following command:
ssh quickm@host.some.domain who
You'll still be prompted for your password, but you get the output of the who command as it is run on the remote host. The SSH session will then terminate.

Mapping to systems over SSH with 'File Browser'
This section describes one method (of many) for connecting to other systems using the File Browser. This method is similar to using the Windows OS drive Mapping feature as it can be used without using any other tools. This method is best for copying and pasting files. For file access from applications, it would be better to use something like GSA.
Mapping the Drive
Follow the steps below to connect to a remote system. Note, please have in mind the server address, your login ID, and password information.
- In the menu system of your Desktop, locate the File Browser icon.
- In File Browser, click 'File' > 'Connect to Server' (a dialog box will open).
- Select either 'SSH' or 'Windows Share' (since we are talking only about ssh, use that; ssh is used in this example).
- Fill out the other needed information (fig. 2):
- Server: ibm.server.address (i.e. pokgsa.ibm.com, server4.fishkill.ibm.com, etc.)
- Folder: path to share (if you don't know, use home or tmp)
- Username: your login ID
- Click the Connect button (if asked, answer yes to the SSH key question).
- Input your password.
- Click the checkbox to save the password for this session.
- Click the 'Connect' button (fig. 3).
A Browser window will open with the network share; retrieve files with drag-and-drop.
Bookmarks and Links
Users may want to bookmark a share for later use if it is used frequently. Follow the steps below.
- In File Browser, locate Bookmarks and choose 'Add Bookmark' (fig. 4).
- Look for the link that will also be made available on the Desktop.
(The next time you need to get to this system, look for the bookmark in File Browser or use the Desktop icon.)

Command line SSH copying methods
Copying files between Linux/Unix machines is convenient with the scp command. SCP replaces the legacy and insecure ftp command which many people have become accustomed to. What is different is that SCP is secure (encrypted 128-bit), and can be passed all of the information at once making it better for scripting as well.
The basics - a reference to the 'cp' command
The basic function is to type scp as if you were using the cp(copy) command on the system. In that fashion, you specify what you are copying, and to where. For example with cp you would do one of the two things mainly:
- Copy from your current location, to some other location: (copying file.tar to some place else on your system)
cp /home/file.tar /some/other/location
- Copy to some other location, from your current location: (copying file.tar from some place to /home)
cp /some/other/location/file.tar /home/
Stated this way, the 'cp' (copy) example seems obvious and even a bit redundant, but apply the same pattern to scp and its usefulness becomes clear.
The basics - Using the SCP command
SCP is very similar but adds a little more for system to system copying. You can specify a userid and a hostname to achieve what is basically an elaborate 'cp' (copy) command. Taking the 'cp' example above, we will add the options to see how it works with scp:
- Basic function of getting something to your local machine from another system:
scp userID@machine_y:/path/to/copy/somefile /tmp/
(copy somefile from another system, machine_y, to your local machine's /tmp directory)
- Basic function of getting something from your local machine to another system:
scp /tmp/somefile userID@machine_y:/path/to/copy
(copy somefile from your system to another system, i.e. machine_y)
As you can see, with a little bit of tweaking, scp works brilliantly in conjunction with the established syntax.
SCP Examples
Probably the best way to see how scp works is to just see it in action. We have provided a few normal examples and have also included some more interesting uses.
- Example 1: Copy all jpgs from machine X's current directory to /home/quickm on machine Y
scp *.jpg quickm@bali.fishkill.ibm.com:/home/quickm
- Example 2: Copying files back from machine Y to machine X (while logged into machine X)
scp userID@machine_y:/path/to/copy /some/location/on/x
- Example 3: Copy a file called 'global.profile' to a machine called kailinux
scp global.profile fengkai@kailinux:/home/fengkai/bin
- Example 4: Recursive copy of a folder to another system
scp -r /folder quickm@bali.fishkill.ibm.com:/home/quickm
- Example 5: Recursive copy of a folder from another system to local machine (current directory)
scp -r quickm@bali.fishkill.ibm.com:/folder/ .
- Example 6: Sync a directory from another system to the local machine with RSYNC over the network (much better than using the -r option)
rsync -vaz -e ssh root@9.x.x.x:/etc /support/backup
(when done, the local machine will have a duplicate of /etc from 9.x.x.x under /support/backup)
- Example 7: Sync a local directory to another system with RSYNC over the network (the reverse direction of Example 6)
rsync -vaz -e ssh /etc root@9.10.2.4:/support/backup
(when done, 9.10.2.4 will have a duplicate of the local machine's /etc under /support/backup)

Exporting remote displays with ssh and telnet
It is possible to use your computer at home or in the labs (or anywhere) to log in to other IBM machines and use graphical tools like xclock, or to run applications directly from that system (like using Hummingbird Exceed in Windows). There are two methods discussed here, SSH and Telnet respectively. One is simple, requiring only that SSH is installed (most systems come with SSH already installed) and one command to accomplish the task. The other method involves knowing how to potentially alter firewall ports, requires setup before use, and changes to the X11 system. It is also highly insecure.
The system that makes exporting displays possible without 3rd-party software is the X Window System (X); it is the basis for all GUI applications on Linux machines. One of the design ideas behind X is the idea of remote displays, in much the same way a standard telnet login works. From another computer you connect to your server over a network login and do all kinds of neat command line things remotely. X is the method that allows you to log in to the server and use neat graphical things remotely.
This document describes the basics of using this remote display function of X. It assumes that you have access to a fast network, a connection to the IBM Intranet (or whatever network you are attempting to reach), and of course access IDs for that remote machine.
How does this really work?
On your computer you are running an "X server" that, among other things, watches a port for incoming connections. The X server also sets up a view window (the root window) in which all the X applications are drawn. When an X server gets a connection on its port there is a small amount of security checking that the client has to pass. Usually this check is to see if the client's host is on a list of allowed client hosts. Once the check passes and the connection is established, the X server reads commands from the X client and starts building a window in the root window for the client. The server's job is not only to display graphics; it also sends mouse clicks and key presses to the connected clients, so you have all the functionality you need to make a working GUI.
The Simple method: SSH with -X Option
This is the same procedure shown under 'The basic SSH Commands' above: connect with the -X option and then launch the graphical program from the remote prompt.
ssh -X quickm@server-pc.some.domain
Examples to try are gftp &, xclock, firefox and system-config-network (the & lets the application run on its own so you get the terminal prompt back). It may take a while for something to appear if the connection is slow.
The complex method: Telnet using 'export DISPLAY'
Some users have a need for telnet which can still be used but is very dangerous as it transmits passwords 'plain text' over the network (ftp as well). This means that a hacker can easily acquire that information and compromise your system or worse. With that being said, some users still need this kind of interaction between their Linux box and perhaps a Legacy AIX box. Note, it would be far better to urge your administrator to upgrade that system to allow SSH connections.
Note: Using Telnet and export DISPLAY provides very little security and should never really be used, especially across subnets.
Setting up the Linux system to accept exported DISPLAYS
- Click on the computer menu system, and locate the Control Center.
- Locate the Login Screen and click on it (note, if you cannot find it, from the command line you can type system-config-login instead).
- Click on the Security tab.
- Make sure the "Deny TCP Connection to XServer" (or something similar to that) is NOT checked.
(Example: GDM Login Utility for Gnome; yours may look a little different)
- Close the utility.
- To check that the config file has been set properly, you can type:
$ grep DisallowTCP /etc/gdm/custom.conf
DisallowTCP=false
(it should return 'false'; the previous location for this file was /etc/X11/gdm/gdm.conf)
- Restart X (log out and log back in again).
Using the insecure 'export DISPLAY' feature
- Open a terminal session by right-clicking on the Desktop and selecting "Open Terminal" (or locate the Terminal icon from the computer menu system).
- Allow the host(s) you wish to connect to access to your system with xhost. Type xhost some.host.ibm.com, or xhost + to allow any host (not recommended):
$ xhost +
access control disabled, clients can connect from any host
- For testing purposes, turn off the firewall with:
su -c "/sbin/service iptables stop"
- Take note of your local IP address (or use the other method shown in the steps below).
- Now use telnet to connect to some host:
$ telnet XXX.fishkill.ibm.com
Red Hat Enterprise Linux WS release 3 (Taroon Update 6)
Kernel 2.4.21-37.ELsmp on an x86_64
login: quickm
AFS Password: *******
$
- Now, after connecting to that other machine, figure out your IP address with the following command:
$ last | head -5
UserW pts/0 wecm-9-67-XXX-XX Sat Dec 15 13:20 still logged in
quickm pts/0 wecm-9-67-XXX-XX Sat Dec 15 12:20 still logged in
quickm pts/0 wecm-9-67-XXX-XX Sat Dec 15 11:33 - 12:09 (00:35)
UserX pts/0 wecm-9-67-XXX-XX Sat Dec 15 11:33 - 11:33 (00:00)
userY pts/0 :0.0 Thu Dec 13 09:22 - 12:05 (02:42)
userZ pts/0 :0.0 Thu Dec 13 09:22 - 12:05 (02:42)
(Look at the first login ID that is yours in this list. In this example 'quickm' is the ID of interest. The 3rd column shows where I came from: it's easy to see that this user connected from a mobility client 'wecm' remote location and the IP address is 9.67.XXX.XX (the X's are used to disguise the real IP address). The hostname is wecm-9-67-XXX-XX.)
- Now EXPORT the display back to your system with:
$ export DISPLAY=9.67.XXX.XX:0
- Now try to run something like 'xclock &'. (Your results should match the SSH -X example above.)

Creating a personal SSH Configuration File
Now your ssh client can also look for options in a file in your home directory. This file probably doesn't exist yet, so let's make it and I'll show you a few things that it can do.
gedit ~/.ssh/config
Now you can put this in your config file to automatically do X11 forwarding when you log into a machine: ForwardX11 yes
Say you have two machines, one of which you don't want X11 forwarding for (perhaps it's not set up to do it). You can specify machines in your config file with the Host entry:
Host server-pc.some.domain
ForwardX11 yes
Host other-host.some.domain
ForwardX11 no
This enables X11 forwarding for server-pc, but not for other-host. There is a whole host of options you can put in your local config file. We're not going to look at all of them here, but you can find them using an Internet search or forums.
If you have several different machines with multiple user names, you can also specify the user for that machine in your config file.
Host server-pc.some.domain
Host other-host.some.domain
Now I don't have to type ssh username@hostname each time I want to connect to these hosts. I simply type ssh some.domain and my config file worries about the user and X11 forwarding.
Keep Alive Option
Another great option to use is KeepAlive. This tells the session to make sure your connection stays connected and also to listen for outages. Should your network go down, it will automatically kill your session for you. This isn't so hot on a dial-up line though, as it may cause excess online time. Your options with this are either yes or no, so add it like this: KeepAlive yes
You can also specify domains, or options for any (other) hosts. For example: 'Host *host.com' or just 'Host *' for all hosts.
Host *ibm.com
Host *
Setting Compression
If you have a slower connection then a good speed trick is to enable compression. You can do this by either typing ssh -C hostname or adding this to your config file: Compression yes
SSH has 9 compression levels, with 1 being the fastest and 9 being the slowest but most compressed. It defaults to 6, but you can change this in your config file with this entry: CompressionLevel 8 (obviously change the '8' to whatever you want).
In short, SSH has numerous options and capabilities that are easier to use than even the legacy tools some have become used to. The learning curve is small and the potential is huge.
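As an added example (not from the original guide), here is a small POSIX shell script that writes a config file of the kind described in this section and then resolves which options ssh would apply to a given hostname. It implements the rule from ssh_config(5) that the first value obtained for an option wins, which is why the catch-all 'Host *' section must come last; the hostnames, user names and the .example.test domain are constructed placeholders, and TCPKeepAlive is the current name of the option this guide calls KeepAlive.

```shell
#!/bin/sh
# Added example, not part of the original guide. Hostnames, users and the
# .example.test domain are constructed placeholders.

# write_example_config FILE : write a per-user ssh config like the one in
# the text. ssh reads sections top to bottom and keeps the FIRST value it
# obtains for each option, so host-specific sections go before "Host *".
write_example_config() {
    cat > "$1" <<'EOF'
# Host-specific sections first: X11 forwarding and the user name per host
Host server-pc.some.domain
    ForwardX11 yes
    User quickm

Host other-host.some.domain
    ForwardX11 no
    User otheruser

# Domain-wide settings; "Host" takes glob patterns
Host *.example.test
    Compression yes

# Catch-all defaults must come last or they would shadow the sections above.
# TCPKeepAlive is the current name of the option the guide calls KeepAlive.
Host *
    ForwardX11 no
    TCPKeepAlive yes
    Compression no
EOF
}

# resolve_option FILE HOSTNAME OPTION : print the value ssh would use for
# OPTION when connecting to HOSTNAME (empty if no section sets it).
# Supports the "*" and "?" wildcards of Host patterns; negated (!) patterns
# and Match blocks are not handled.
resolve_option() {
    awk -v host="$2" -v want="$3" '
        # glob_match(pat, str): translate an ssh Host pattern to a regex
        function glob_match(pat, str,    re) {
            re = pat
            gsub(/\./, "[.]", re)        # literal dots
            gsub(/\*/, ".*", re)         # "*" matches any run of characters
            gsub(/\?/, ".", re)          # "?" matches a single character
            return str ~ ("^" re "$")
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        tolower($1) == "host" {                    # new section: does it apply?
            active = 0
            for (i = 2; i <= NF; i++) if (glob_match($i, host)) active = 1
            next
        }
        active && !found && tolower($1) == tolower(want) {
            print $2; found = 1                    # first value obtained wins
        }
        END { if (!found) print "" }
    ' "$1"
}

# show_effective FILE HOSTNAME : one-line summary of the options used here
show_effective() {
    printf '%s: ForwardX11=%s User=%s Compression=%s TCPKeepAlive=%s\n' "$2" \
        "$(resolve_option "$1" "$2" ForwardX11)" \
        "$(resolve_option "$1" "$2" User)" \
        "$(resolve_option "$1" "$2" Compression)" \
        "$(resolve_option "$1" "$2" TCPKeepAlive)"
}

# Demo against a temporary file rather than the real ~/.ssh/config
cfg=$(mktemp) || exit 1
write_example_config "$cfg"
for h in server-pc.some.domain other-host.some.domain box.example.test; do
    show_effective "$cfg" "$h"
done
rm -f "$cfg"
```

Move the 'Host *' section to the top of the file and rerun it to see every host lose its X11 forwarding and user name, which is the mistake the first-match rule makes easy.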

Setting up the (SSHD) Server Services
SSH is the client software; SSHD is the server service which runs on systems that you want to be able to connect to. In other words, most systems have ssh installed but do not have the ssh server running to allow users to connect to them. This document describes how to set up that SSHD service (very simple).
To check for the sshd (the ssh'd' is for daemon, meaning service or server), you can use the Services tool in control panel or from the command line (i.e. open a terminal session) and type the following commands (remember to press the enter key after each command):
$ su -
Password: *******
service sshd status
sshd (pid 2306) is running...
If you receive the message "sshd is stopped", then you will need to turn it on (i.e. set it to start at boot) and start it. Open a terminal, and type the commands chkconfig --level 35 sshd on and service sshd start (see the example below):
chkconfig --level 35 sshd on
service sshd start
Starting sshd: [ OK ]
Testing and troubleshooting
If the server services appear not to be installed and thus will not start, you can install the OpenSSH packages with:
$ su -
# yum -y install openssh
(or install openssh from the add/remove applications tool)
To test the service you can try the following things:
- Check that the sshd service is listening
# netstat -ntlp | grep sshd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 32458/sshd
(if it returns this 'LISTEN' comment, the service is running)
- Try testing the service from that machine
$ ssh localhost -l quickm
quickm@localhost's password: ******
Last login: Sat Nov 10 19:50:42 2007
====> Welcome to the IBM Linux Client for e-business <====
IBM's internal systems must only be used for conducting IBM's business or for
purposes authorized by IBM management. ....
====> Text of this message is in /etc/motd <====
$
( The command has me running ssh from the server machine to the server machine. Something that is normally useless but it's a good first test for connectivity. Replace 'quickm' with your user login id)
- Try testing the service from ANOTHER machine
$ ssh 192.168.15.100
ssh: connect to host 192.168.15.100 port 22: Connection refused
(You should have the same result as using localhost, if you receive a refused message, either your Linux Firewall is blocking ssh (doubtful) or more likely there is some other firewall in the way. Also, root connections are not allowed by default and will be denied.)

Passwordless SSH login using RSA Keys
Users can create a secure trusted connection between two systems and even make it passwordless with very little extra effort. This document describes briefly how that can be done.
RSA key pair Generation V2
Use the following steps to generate an RSA key pair for version 2 of the SSH protocol. This is the default starting with OpenSSH 2.9.
- To generate an RSA key pair to work with version 2 of the protocol, type the following command at a shell prompt:
ssh-keygen -t rsa
- Accept the default file location of ~/.ssh/id_rsa.
- Enter a passphrase different from your account password and confirm it by entering it again.
(Not entering a passphrase creates a passwordless login.)
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/quickm/.ssh/id_rsa): (accept the default, press the enter key)
Enter passphrase (empty for no passphrase): (optionally you can leave this blank)
Enter same passphrase again:
Your identification has been saved in /home/quickm/.ssh/id_rsa.
Your public key has been saved in /home/quickm/.ssh/id_rsa.pub.
The key fingerprint is:
a1:71:XX:xx:45:cx:ab:6x:94:xb:b0:68:aa:2x:1f:52 quickm@client
The public key is written to ~/.ssh/id_rsa.pub. The private key is written to ~/.ssh/id_rsa. Never distribute your private key to anyone.
- Change the permissions of the .ssh directory using the following command:
chmod 755 ~/.ssh
- Copy ~/.ssh/id_rsa.pub into the ~/.ssh/authorized_keys file on the machine to which you want to connect. If the file ~/.ssh/authorized_keys already exists there, append the contents of ~/.ssh/id_rsa.pub to the ~/.ssh/authorized_keys file on the other machine.
Example of copying (this overwrites any existing authorized_keys):
scp ~/.ssh/id_rsa.pub quickm@192.168.15.100:/home/quickm/.ssh/authorized_keys
- Change the permissions of the authorized_keys file on the remote system using the following command:
chmod 744 ~/.ssh/authorized_keys
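As an added example (not from the guide), a small POSIX shell installer for the copy step above that appends rather than overwriting, skips keys that are already present, and uses 700/600, the tighter modes that sshd's StrictModes check also accepts. The home directory and key line it runs against in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original guide. The home directory and key
# line used in the demo at the bottom are constructed placeholders.

# install_pubkey HOME_DIR "PUBKEY_LINE" : add one public key line to
# HOME_DIR/.ssh/authorized_keys. Unlike the scp one-liner in the text, which
# overwrites the file and so drops every key already authorised, this
# appends, skips keys that are already present, and sets the tight modes
# (700 on .ssh, 600 on authorized_keys) that sshd's StrictModes check accepts.
# Returns 0 when the key is present afterwards, 1 if the line is not a key.
install_pubkey() {
    home_dir=$1
    key_line=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # A public key line is "<type> <base64 blob> [comment]". Reject anything
    # else so a pasted prompt or password never lands in the file.
    key_type=${key_line%% *}
    case "$key_type" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "refusing to install: unrecognised key type '$key_type'" >&2; return 1 ;;
    esac
    key_blob=$(printf '%s\n' "$key_line" | awk '{ print $2 }')
    if [ -z "$key_blob" ]; then
        echo "refusing to install: no key material after the type" >&2
        return 1
    fi

    # Create directory and file with restrictive modes before writing to them
    # (subshell so the umask change does not leak into the caller).
    ( umask 077 && mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" \
        && touch "$auth_file" && chmod 600 "$auth_file" ) || return 1

    # Compare on type and blob only: the trailing comment is free text, and a
    # key that differs only in its comment is still the same key.
    if awk -v t="$key_type" -v b="$key_blob" \
           '$1 == t && $2 == b { found = 1 } END { exit !found }' "$auth_file"; then
        echo "key already present in $auth_file" >&2
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
    echo "key appended to $auth_file" >&2
}

# count_keys AUTH_FILE : number of key lines (type + blob) in the file
count_keys() {
    awk '$0 !~ /^[ \t]*#/ && NF >= 2 { n++ } END { print n + 0 }' "$1"
}

# mode_of PATH : permission bits in octal, e.g. 700 (GNU stat, BSD fallback)
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Demo in a throw-away home directory with a constructed (not real) key line
demo_home=$(mktemp -d) || exit 1
EXAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYMATERIALEXAMPLEKEYMATERIAL quickm@home-pc'
install_pubkey "$demo_home" "$EXAMPLE_KEY"
install_pubkey "$demo_home" "$EXAMPLE_KEY"      # second call: already present, no change
echo "keys in file: $(count_keys "$demo_home/.ssh/authorized_keys")"
echo "modes: .ssh=$(mode_of "$demo_home/.ssh") authorized_keys=$(mode_of "$demo_home/.ssh/authorized_keys")"
rm -rf "$demo_home"
```

On a real server run it as the target user with "$HOME" as the first argument and the text of your id_rsa.pub, carried over out of band, as the second.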
Using the New Connection Changes
If you take notice of the examples below, not much changes except that the password is now either your private key's passphrase or nothing, depending on what your previous choice was. Use our other documents to review how to do the tasks below.
- Example 1: Make a connection with an ssh command line session
[quickm@duvel .ssh]$ ssh 192.168.15.100 -l quickm
Last login: Sat Dec 15 11:32:10 2007 from 192.168.15.12
====> Welcome to Evil 1 <====
[quickm@evil1 ~]$
( In this example, we simply ran an ssh terminal session which automatically logged the user in )
- Example 2: Connect using the graphical File Browser
( In this example, using the Filebrowser bookmark to /home on the other system, the system connected without asking for a password.)
Source URL: from RHEL-5-manual

Configuring the 'ssh-agent' tool
The ssh-agent utility can be used to save your passphrase so that you do not have to enter it each time you initiate an ssh or scp connection. If you are using GNOME, the gnome-ssh-askpass package contains the application used to prompt you for your passphrase when you log in to GNOME and save it until you log out of GNOME. You will not have to enter your password or passphrase for any ssh or scp connection made during that GNOME session.
Configuring ssh-agent with a GUI
To save your passphrase during your GNOME session, follow the following steps:
- You will need to have the package gnome-ssh-askpass installed; you can use the command rpm -q gnome-ssh-askpass to determine whether it is installed or not.
$ rpm -q gnome-ssh-askpass
package gnome-ssh-askpass is not installed
$ su -c "yum -y install gnome-ssh-askpass"
Password: ********
- Locate the 'Sessions' tool from the control panel or Preferences section. Click on the Startup tab. Click Add and enter /usr/bin/ssh-add in the Startup Command text area. Set its priority to a number higher than any existing commands to ensure that it is executed last. A good priority number for ssh-add is 70 or higher. The higher the priority number, the lower the priority. If you have other programs listed, this one should have the lowest priority. Click Close to exit the program.
- Log out and then log back into GNOME; in other words, restart X. After GNOME is started, a dialog box will appear prompting you for your passphrase(s). Enter the passphrase requested. If you have both DSA and RSA key pairs configured, you will be prompted for both. From this point on, you should not be prompted for a password by ssh, scp, or sftp.
Configuring ssh-agent
If you are running X but not GNOME, this procedure will work in a terminal window, such as an XTerm. However, your passphrase will only be remembered for that terminal window; it is not a global setting.
- At a shell prompt, type the following command:
exec /usr/bin/ssh-agent $SHELL
- Then type the command:
ssh-add
- and enter your passphrase(s). If you have more than one key pair configured, you will be prompted for each one.
- When you log out, your passphrase(s) will be forgotten. You must execute these two commands each time you log in to a virtual console or open a terminal window.