Tag: SSH

  • Simple jumphost ssh-agent config

    You can find many tutorials online on how to use ssh-agent or ssh-ident correctly.

    This is a short and simple two-line fix aimed at a specific use, i.e. a single connection to a jumphost.

    Add this to your .bashrc:

    alias jump='eval "$(ssh-agent)" && ssh-add ~/.ssh/id_rsa && ssh -A -i "~/.ssh/id_rsa" jan@jumphost.domain.name'

    So now when you type jump:

    • An ssh-agent will start
    • Relevant keys are added to the agent
    • You ssh to the jumphost with agent forwarding (-A)

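    And from the jumphost you can ssh to anywhere, because your agent is forwarded: the jumphost can ask your local agent to sign, while the keys themselves stay on your machine. Keep in mind that anyone who can reach the forwarded agent socket on the jumphost (root, for example) can use your keys for as long as your session lasts.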

    Possible drawbacks:

    • The primary benefit is that with this method your ssh keys stay on your local machine (and not on e.g. the jumphost). But it also means you still have to enter your ssh passphrase for each session. In my case this is not a problem: I usually need one session to my jumphost. If you set up lots of sessions, this may be a problem because you have to keep entering your passphrase (avoiding that is usually one of the reasons for running ssh-agent in the first place) and every session starts its own ssh-agent.
      If you do not use an ssh passphrase this is not an issue (though you really should use a passphrase).
    • Your ssh-agent will run forever. So add this to ~/.bash_logout
    pkill ssh-agent

    Drawbacks:

    • *Any* bash logout will kill your ssh-agent. Again: not a problem if you just use one session at a time.
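
    Both drawbacks (an agent that runs forever, and a pkill that hits every agent) go away if the agent is scoped to the one connection. This is an added example, not the author's code: the function reuses the alias name, and JUMP_HOST, JUMP_KEY and JUMP_KEY_LIFETIME are hypothetical variable names.

```sh
# Added example: one private ssh-agent per jumphost session.
# JUMP_HOST, JUMP_KEY and JUMP_KEY_LIFETIME are hypothetical names; the
# defaults reuse the host and key path from the alias above.
JUMP_HOST="${JUMP_HOST:-jan@jumphost.domain.name}"
JUMP_KEY="${JUMP_KEY:-$HOME/.ssh/id_rsa}"

jump() {
    # Subshell: SSH_AUTH_SOCK / SSH_AGENT_PID stay out of the login shell,
    # and the EXIT trap below fires as soon as this one session ends.
    (
        # Start the agent; -s forces Bourne-style output that eval can read.
        agent_env=$(ssh-agent -s) || exit 1
        eval "$agent_env" >/dev/null

        # ssh-agent -k kills only the agent named by SSH_AGENT_PID, so
        # agents belonging to other sessions are left alone.
        trap 'ssh-agent -k >/dev/null 2>&1' EXIT
        trap 'exit 1' HUP INT TERM

        # -t expires the key from the agent after the given lifetime.
        ssh-add -t "${JUMP_KEY_LIFETIME:-8h}" "$JUMP_KEY" || exit 1

        # The agent already holds the key, so -i is not needed here.
        ssh -A "$JUMP_HOST" "$@"
        exit $?
    )
}
```

    Remove the jump alias before defining this function, because bash expands an alias of the same name first. With the function in place the pkill line in ~/.bash_logout is no longer needed.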

    This setup works for quick access from, let’s say, a secondary machine to my jumphost, to quickly check some things. On my primary machine (for real work) I just use this.

  • I don’t understand terminals, shells and SSH

    Confession time: I don’t fully understand how terminals, shells and SSH really work (and my guess is you don’t either). And I don’t mean the cryptography behind SSH. I mean how SSH and the terminal — and the shell for that matter — interact with one another.

    I recently realized that even though I’ve been daily remotely logging into Linux systems for all of my adult life (and type in the shell and Vim) I didn’t really grasp how these things actually work.

    Of course I conceptually know what a (virtual) terminal is (entering input and displaying output) and what the shell is for (the interpreter). And SSH is the remote login protocol, right? (Or is SSH a pseudoterminal inside another pseudoterminal, who’s to say)?

    The distinction between these three elements is a bit fuzzy and I do not have a clear concept of it in my head. The test being: could I draw it on a whiteboard? Or: could I explain it to a novice? The answer is probably: not really.

    So I went on a bender and found these four (well-known) links that explain things like tty, raw mode, ptmx/pts, pseudoterminals and more.

    This post functions as a bookmark placeholder. I will add more links when I find them.

    There’s lots of information here if you’re interested. And of course: you mostly don’t actually need to know any of these things to do your work — we are all forever standing on the shoulders of giants. But I *want* to understand these things. And I think I understand them a little bit better now. Maybe you will as well.

  • Fix for when your SSH keys are not working on your Chromebook

    If you cannot connect to a remote server from your Chromebook with SSH keys and you get this error:

    Load key "/.ssh/identity/id_rsa": invalid format

    Here is the tip: add an enter to your private key file!

    Yes really!

    I spent way too much time figuring this out and only found the solution when I stumbled on the solution here.
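
    A quick way to check for this condition and repair it from the shell. This is an added example, not part of the original post; it assumes the missing "enter" is the newline after the final -----END ... PRIVATE KEY----- line, and the function names are hypothetical.

```sh
# Added example: detect and repair a private key file that lacks its
# final newline. Function names are hypothetical.

key_needs_newline() {
    # Succeeds when the file is non-empty and its last byte is not "\n".
    [ -s "$1" ] || return 1
    # Command substitution strips a trailing newline, so an empty result
    # means the last byte already is a newline.
    [ -n "$(tail -c 1 "$1")" ]
}

fix_key_newline() {
    key=$1
    if [ ! -f "$key" ]; then
        echo "no such key file: $key" >&2
        return 2
    fi
    if key_needs_newline "$key"; then
        # Appending (>>) leaves the existing bytes and file mode untouched.
        printf '\n' >> "$key"
        echo "appended missing newline to $key"
    else
        echo "$key already ends with a newline"
    fi
}
```

    Call it with the path from the error message, e.g. fix_key_newline ~/.ssh/id_rsa; running it a second time changes nothing.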

  • Using Windows OpenSSH Agent with Windows Terminal and Cygwin

    I am back to running Windows Terminal + Cygwin, after a stint with MobaXterm. I blogged about it before.

    Why:

    • Windows Terminal is pretty good: it doesn’t get in your way, and it’s fast (*very* important).
    • Cygwin gives me access to grep, awk, vim and much more.

    In the end MobaXterm just had too many quirks. Specifically when changing screens — docking / undocking which I do a lot during the day. However, one thing I really did like about MobaXterm was the integrated SSH agent (MobAgent).

    That part worked really well.

    That was what kept me from switching back to Windows Terminal and Cygwin.

    But I recently found out that Windows 10 comes with its own SSH Agent (?!). That was news to me.

    So I now use the Windows SSH Agent. So, not Pageant or OmniSSHAgent or any other Windows SSH Agent or keychain, because these all have issues (I tried them).
    Also running eval $(ssh-agent) for every new terminal window (that zombies when you close your shell) kind of defeats the purpose of having an SSH agent.

    How?

    First you need to tell Windows to start the OpenSSH Authentication Agent on boot:

    PowerShell can tell you if the agent is running:

    Looks good!

    And now comes the tricky part. Using Cygwin AND using this ssh-agent i.e. adding and retrieving keys to and from the agent.

    Of course you can add keys with ssh-add or by adding the -A parameter to the ssh command.

    PS C:\Users\Jan van den Berg> ssh-add.exe .ssh\id_rsa

    But you need to understand this next bit first.

    When invoking ssh in Cygwin you invoke a different ssh client than the default Windows SSH client. One is the Cygwin ssh client, and the other one is the one that comes with Windows. I blogged about this before.

    Spot the differences in this next image:

    These are two different SSH clients

    And here is the secret (that took me way too long to figure out, thanks ssh -v)

    Only when invoking the latter (ssh.exe) do you get access to the Windows OpenSSH Agent!

    This is especially tricky when you want to specify identity files. Make sure you use the right paths: the Windows SSH client will look in other default paths. Something to consider.

    My workflow now is as follows: I have defined a couple of bash aliases in my Cygwin .bashrc file so when I fire up Windows Terminal (fast) I can jump to a specified SSH host with one or two keypresses — all the while using the correct SSH keypair with a passphrase I only have to enter once per Windows boot! (edit: I assumed it would be per boot, but it seems the Windows SSH agent holds the keys forever, that may actually be too much of a good thing….).

    alias ms='/cygdrive/c/Windows/System32/OpenSSH/ssh.exe -A -i "C:\Users\Jan van den Berg\.ssh\mm-id_rsa" jan@myserver'