Secret Agent Man

SSH Alarm Clock

Because you are prompted for a password after the timeout you set expires, one of the first uses that came to mind for the ssh-add command was an alarm clock of sorts. Sometimes when you are deep in your work, you can forget to do things like eat lunch. What I like to do when I start work for the day is calculate how long until I'd like to break for lunch and set ssh-add to that. For instance, if I start work at 9am, and I want to break for lunch at noon, I would just type:

$ ssh-add -t 3h

Then when noon rolls around, I'll notice, because my next git push or pull, or my next SSH session, will prompt me for a password. Currently I take a ferry into work, and the ferry has a fixed time that it leaves. I know I need to leave the office around 5:30pm to catch that ferry, so once I get back from lunch, I calculate how many hours (or minutes if I want to be that fine-grained) until then and run a new ssh-add command. This alarm clock even has a sort of snooze feature where I can run another ssh-add command to add an extra nine minutes if I want to finish up something before I leave.

SSH Agent Forwarding

Of course, the traditional nice feature SSH agents give you is the ability to forward on your credentials to a server you have logged in to. When you are a sysadmin, you often run into an issue where you'd like to scp a file between servers, but if you have disabled password authentication for SSH (and you should), that could mean putting your private key on your servers, which you may not want to risk. With SSH agent forwarding, your SSH credentials from the private key on your local machine are forwarded to a machine you ssh in to, in RAM, and if you ssh to another machine from there, it will use those credentials.

There is a potential risk with agent forwarding. I think the ssh_config man page says it best:

Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent's Unix-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.

All that said, to use agent forwarding, just add -A to any SSH command you normally would run:

$ ssh -A user@remotehost

Alternatively, you also can set the ForwardAgent setting in a local SSH config file, so you can control which hosts automatically get agent forwarding and which don't.

I love it when adding security can add convenience. While adding a passphrase to my SSH key potentially could have added a big inconvenience in the name of security, I think the benefit of an alarm clock, plus the general ability of ssh-agent to allow me to forward credentials to remote servers without having to risk compromising my private key far outweighs any inconveniences of managing a passphrase or SSH keys in general.


Kyle Rankin is SVP of Security and Infrastructure at Zero, the author of many books including Linux Hardening in Hostile Networks, DevOps Troubleshooting and The Official Ubuntu Server Book, and a columnist for Linux Journal. Follow him @kylerankin