KBEC-00049 - Setting up SSH Keys in preparation to use a Proxy Agent

Article ID:360033194751

Summary

If your build process includes running commands on an agent machine that is not an ElectricCommander supported platform, you can use the proxy agent feature introduced in ElectricCommander v3.1. However, this feature relies on setting up SSH keys between the proxy agent and proxy target.

Solution

To set up SSH keys:

  1. Log in to the proxy agent machine as the "user" the Commander Agent is running as.

  2. Create the .ssh directory if it does not already exist. Make sure the home and .ssh directories are not group or world-writable.

     proxy-agent% chmod og-w ~
     proxy-agent% mkdir -p ~/.ssh
     proxy-agent% chmod og-w ~/.ssh
     proxy-agent% ssh proxy-target 'chmod og-w $HOME; mkdir -p $HOME/.ssh; chmod og-w $HOME/.ssh'
     Password:
  3. Generate a DSA public/private key-pair.

     proxy-agent% ssh-keygen -t dsa -f ~/.ssh/id_dsa -N ""
  4. Add the public key (id_dsa.pub) to the authorized_keys file on the target machine. Make sure the key is not group or world-writable.

    • If the user’s home directory is shared between the two machines, do this on the proxy agent machine:

        proxy-agent% cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
        proxy-agent% chmod og-w ~/.ssh/authorized_keys
    • If the user’s home directory is not shared, copy the public key file to the proxy target machine, then add the contents of the file to authorized_keys on the target machine.

        proxy-agent% scp ~/.ssh/id_dsa.pub proxy-target:id_dsa.pub
        proxy-agent% ssh proxy-target 'cat $HOME/id_dsa.pub >> $HOME/.ssh/authorized_keys; chmod og-w $HOME/.ssh/authorized_keys; rm $HOME/id_dsa.pub'
        Password:
  5. Now you should be able to ssh from the proxy agent machine to the proxy target machine without being prompted for a password. Verify:

     proxy-agent% ssh proxy-target pwd
     /home/myuser
  6. Congratulations! You are ready to define a Commander resource that proxies commands through a Linux or Windows Commander agent to a proxy target host.

What about a Windows proxy agent?

The example code above assumes the proxy agent is a Linux machine, but with a little modification the code works on a Windows proxy agent with appropriate SSH client utilities installed. For example, permissions probably do not matter on the proxy agent directory containing key files, and the commands to generate and transfer keys need to be modified to point to a Windows-format path.

If you use Cygwin SSH, the instructions provided above work without modification.

Remember, Commander uses its own (non-Cygwin) SSH client library. Thus, after validating key-based authentication works from the command-line, make sure you call setSSHKeyFiles in the proxy customization block of a proxy resource definition with the location of the public and private key-files generated above, in Windows path format.

What if I want to set up key-based authentication with a different user on the proxy target?

Some environments may use different user names on the proxy agent and proxy target. To set up key-based authentication:

  1. Modify the instructions above, replacing references to 'proxy-target' with 'user@proxy-target'.

  2. On the proxy resource, set the user in "Proxy Customizations" with "setSSHUser('user');"

Common Issues

The most common issues that prevent password-less logins are:

  1. The permissions set on the home or .ssh directories; the instructions above try to address this issue.

  2. The SSH server on the proxy target is configured not to allow key-based authentication.

Consult your SSH server documentation for more details.
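
To check the first issue directly, the following added example (not part of the original article or of ElectricCommander) audits the three paths that steps 2 and 4 require to be non-writable by group and others. The function names `is_og_writable` and `audit_ssh_perms` are hypothetical; run it on the proxy target as the target user, passing that user's home directory.

```shell
#!/bin/sh
# Added example: verify the "chmod og-w" requirements from steps 2 and 4.
# OpenSSH's sshd applies checks of this kind when StrictModes is enabled
# (its default), and silently falls back to password authentication when
# they fail.

# is_og_writable PATH
# Exit 0 if PATH (symlinks followed) is group- or world-writable.
is_og_writable() {
    mode=$(ls -ldL "$1" | cut -c1-10)      # e.g. drwxr-xr-x
    gw=$(printf '%s' "$mode" | cut -c6)    # group write bit
    ow=$(printf '%s' "$mode" | cut -c9)    # other write bit
    [ "$gw" = "w" ] || [ "$ow" = "w" ]
}

# audit_ssh_perms HOME_DIR
# Prints one line per path and returns the number of findings (0 = clean).
audit_ssh_perms() {
    home=$1
    findings=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"
            findings=$((findings + 1))
        elif is_og_writable "$p"; then
            echo "WRITABLE $p (fix: chmod og-w '$p')"
            findings=$((findings + 1))
        else
            echo "OK       $p"
        fi
    done
    return "$findings"
}

# When invoked with an argument, audit that directory; the exit status
# is the number of findings, so it can gate a provisioning script.
[ "$#" -eq 0 ] || audit_ssh_perms "$1"
```

A `MISSING` line for `authorized_keys` means step 4 was not completed on that machine.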

Applies to

  • Product versions: ElectricCommander v3.1 and higher

  • OS versions: Linux and Windows