
SSH RSA/DSA authentication via the GUI Network
As a UNIX system admin, I have about 40 servers that I need to access via SSH. I recently retired my good old first gen PowerBook g3 and bought myself a new pbook, which was my first experience with OS X (panther). I was thrilled to see that it came with OpenSSH out of the box, but I wasn't thrilled with the lack of SSH connection management, especially when you want to use RSA or DSA authentication, which will allow you to log in without being prompted for a password each time.

So, I stumbled across a shareware utility called Telnet Launcher. This utility works with Terminal.app and allows you to create lists, or groups of lists, of telnet and ssh connections. Not bad - it even includes an auto-login feature that saves your password for you. Unfortunately, when Panther was released, it apparently caused some major problems with Telnet Launcher. The latest version of Telnet Launcher (2.6.10) seems to have worked out the Panther bugs, except the auto-login function is still broken. This is a minor bummer, but what I really wanted was RSA authentication anyway.

I could use RSA auth just fine from Terminal.app, but I found that Telnet Launcher bypassed the necessary environment variables that are set up by ssh-agent. I searched around online, but couldn't find any discussion about this. My problem was how to get shell environment variables to be used by applications launched in the MacOS GUI. Then I found it - you can set environment variables in the file ~/.MacOSX/environment.plist, and after you re-login to Mac OS X, all applications you launch will have these variables set. Excellent! There is even a utility out there called RCEnvironment that makes editing this file a snap.

So, in a nutshell, here are the steps needed to get Telnet Launcher to work with RSA authentication, assuming you already have your keys set up. Please note, however, that the following instructions are based on the assumption that you are already familiar with SSH and its RSA authentication scheme. Explaining how RSA authentication works, or how to set up the keys and such, is outside the scope of this document, and I would recommend reading the man pages for ssh-keygen, ssh-agent, and ssh-add. Here's how to get it working...

  1. Start ssh-agent with the -a flag in order to manually define the name of the socket file (normally, this name is dynamically generated based on the pid of the process).
  2. Use ssh-add to add your key to the agent.
  3. Using RCEnvironment, create the environment variable SSH_AUTH_SOCK. The value for the variable should be the name of the socket file you defined with ssh-agent -a.
  4. Log out and then log back into Mac OS X. Any Terminal.app session started by Telnet Launcher should now make use of the new environment variable. If everything is set up right, your RSA (or DSA) authentication should be working fine!
Note: if your Mac reboots, or ssh-agent otherwise stops running, you will have to restart ssh-agent, and re-add your key with ssh-add. However, if you manually set your socket file name as described above, you shouldn't have to edit your environment variables again with RCEnvironment.

This sure has made my life easier now that I have it working - I hope it can help out someone else too!
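The four steps above as a script, added here as an example and not part of the original hint. The socket location `~/.ssh/agent/sock` and the function names are assumptions; the script also covers the restart case from the note, where an old socket file left at the fixed path stops `ssh-agent -a` from binding.

```shell
#!/bin/sh
# Added example: fixed-path ssh-agent for apps launched from the GUI.
# Assumption: the socket lives at ~/.ssh/agent/sock (path not from the hint).
SOCK_DIR="${SOCK_DIR:-$HOME/.ssh/agent}"
SOCK="$SOCK_DIR/sock"

# A predictable socket path must sit in a directory only its owner can
# enter; otherwise other local users could reach the agent socket.
dir_is_private() {
    [ -d "$1" ] && [ -O "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group/other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Prints: absent (nothing at the path), stale (something is there but
# no agent answers), or alive (an agent answers on the socket).
agent_state() {
    [ -e "$1" ] || { echo absent; return 0; }
    [ -S "$1" ] || { echo stale; return 0; }
    rc=0
    SSH_AUTH_SOCK="$1" ssh-add -l >/dev/null 2>&1 || rc=$?
    # ssh-add -l exits 0 = keys listed, 1 = no keys loaded, 2 = no agent.
    case $rc in 0|1) echo alive ;; *) echo stale ;; esac
}

# Steps 1 and 2 of the hint; safe to re-run after a reboot.
ensure_agent() {
    mkdir -p "$SOCK_DIR" && chmod 700 "$SOCK_DIR"
    dir_is_private "$SOCK_DIR" || { echo "unsafe dir: $SOCK_DIR" >&2; return 1; }
    case $(agent_state "$SOCK") in
        alive) ;;                    # reuse the running agent
        stale) rm -f "$SOCK" ;;      # ssh-agent -a cannot bind over an old file
    esac
    if [ ! -S "$SOCK" ]; then
        ssh-agent -a "$SOCK" >/dev/null || return 1
        SSH_AUTH_SOCK="$SOCK" ssh-add || return 1   # prompts for the passphrase
    fi
    echo "$SOCK"   # value to enter as SSH_AUTH_SOCK in RCEnvironment (step 3)
}

# Run as: sh agent.sh start
if [ "${1:-}" = "start" ]; then ensure_agent; fi
```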


SSH RSA/DSA authentication via the GUI | 14 comments
SSH RSA/DSA authentication via the GUI
Authored by: m4rk on Dec 16, '03 11:27:58AM

Hm. RSA auth certainly works for me. On my Mac, I ran "ssh-keygen -t rsa" to generate a keypair (use a blank password when prompted). I then copied ~/.ssh/id_rsa.pub to the target machine and put it in ~/.ssh/authorized_keys. Make sure it's mode 600 on the target machine (chmod 600 ~/.ssh/authorized_keys).

You should then be able to SSH from the Mac to the target machine with no password.

Alternatively, do what I just described but choose a password during key generation. Copy and chmod the key as before, then run:

eval `ssh-agent`

(note the backticks, they're not apostrophes)

followed by:

ssh-add

which will prompt you for the password you chose when creating ~/.ssh/id_rsa.

You now have the SSH authentication agent running and should be able to SSH to the target machine without needing to enter the password.

"man ssh-agent" and "man ssh-add" for more information.



SSH RSA/DSA authentication via the GUI
Authored by: fletcherpenney on Dec 16, '03 11:46:53AM

Agreed - I have been using RSA/DSA authentication since 10.1 without any difficulties. You set it up just as you set up ssh on any other OS I have used....

One way of making it easier on OS X, however, is to use SSHAskPass. This program asks for your keychain password when you log in, and then it automatically enters your password for any ssh connection that uses an encrypted RSA/DSA key. (Much better than using empty passwords in my opinion.)



SSH RSA/DSA authentication via the GUI
Authored by: GaelicWizard on Dec 16, '03 02:10:20PM

Is SSHAskPass an Aqua app, or for X11? I've got one for X11, but I'm dying for one for Aqua (and I do NOT want something like SSHKeychain, which is a hack in my opinion). Any suggestions?

---
Pell



SSH RSA/DSA authentication via the GUI
Authored by: guzzijason on Dec 19, '03 11:04:07AM

Hmmm.... I never meant to imply that RSA auth didn't work out of the box... I've been using it for a while. However, it *doesn't* work when you use a connection management tool like Telnet Launcher, as I mentioned in the original post. The point of my hint was to demonstrate how to get GUI apps like Telnet Launcher to make use of the necessary env variables to get RSA to work.

Based on the other responses here, there is more than one way to skin this particular cat.

Sorry for the confusion.



SSH RSA/DSA authentication via the GUI
Authored by: g3cko on Dec 16, '03 01:29:57PM

I've been using this great little app called "SSHKeychain" to hold my keys in it.. works good.. does the named sock thingy ... all sessions (including those launched from telnetlauncher) work with it..
all around.. it's good

Theo



SSH RSA/DSA authentication via the GUI
Authored by: kal on Dec 16, '03 03:42:09PM

Yep, this is a nifty little app, I highly recommend it, it even stores the passphrases for your private keys in the Apple Keychain, which means you keep it whenever you reboot or log out. I haven't typed a passphrase in ages!

Furthermore, it's free. Free as in beer and free as in speech.

http://www.dreamflow.nl/projects/sshkeychain/



SSH RSA/DSA authentication via the GUI
Authored by: sjk on Dec 16, '03 10:33:53PM
I'm using the older (and Panther-compatible) SSH Agent for its tunnel support. It's slightly inconvenient to manually open the single tunnel file I use so I'll eventually get around to making it all work non-interactively.

SSH RSA/DSA authentication via the GUI
Authored by: chrome on Dec 17, '03 02:32:36AM
I use SSH Agent.

It seems to be the best key manager out there. It stores everything in KeyChain. Don't muck about with ssh-agent, it's not worth the hassle.

SSH RSA/DSA authentication via the GUI
Authored by: js on Dec 17, '03 04:43:02AM
I used to use SSHAgent, but I changed to SSHKeychain just because it does things better. You can find it at http://www.dreamflow.nl/projects/sshkeychain.

SSH RSA/DSA authentication via the GUI
Authored by: kholburn on Dec 17, '03 05:55:53AM

I use SSHKeychain too. It stores the passwords in the Keychain, it does the sock thing, the ssh-agent thing and it's free.

What it does that nothing else does is it can turn off ssh-agent when the screen-saver comes on and back again when you log in again.



SSH RSA/DSA authentication via the GUI
Authored by: atr on Dec 17, '03 08:02:03AM

There's an app called sshLogin that's an older freeware app. I found it searching Mac Update. When you log in, it asks for your key once (says it stores it in the keychain but mine fails to work). So right before I log in, I plug in my Lexar JumpDisk 128mb with my .ssh linked to it, sshLogin asks for the password and then once validated (RSA pubkey) I now never have to type in a password again. Awesome since I have about 20 machines also to log in to.



SSH RSA/DSA authentication via the GUI
Authored by: ybizeul on Dec 17, '03 11:55:18AM
Personally, I use SSHLogin, which is ready for Panther.
To handle SSH tunnels, I use my own tool, soon available in version 2.0: SSH Tunnel Manager

SSH RSA/DSA authentication via the GUI
Authored by: b17bmbr on Dec 18, '03 02:46:26PM

don't throw out that G3 pbook. i have yellowdog installed on a bondi blue 233mhz/160mb ram imac. runs like a champ. since you're a *nix admin, run xfce, blackbox, or icewm. if you upgrade the ram to at least 128mb, you'll be fine. you'll also be able to access more networks, cough, cough, novell netware. (ipx_configure --auto-interface=on --auto_primary=on; ncpmount -S .....)

cheers.



SSH RSA/DSA authentication via the GUI
Authored by: david-bo on Apr 22, '04 07:44:47AM

Use Gentoo's Keychain and set up aliases (including tunnels) for servers you connect to. Can't be easier.

---
http://www.google.com/search?as_q=%22Authored+by%3A+david-bo%22&num=10&hl=en&ie=ISO-8859-1&btnG=


