
DevOps Tools - SSH


SSH is a protocol allowing secure remote login to a computer on a network using public-key cryptography. If you are a developer on a Unix-like operating system, I'm sure you are very familiar with it. Normally, an SSH client program runs for the duration of the remote login session and is configured to look for the user's private key in the user's home directory, ~/.ssh/id_rsa.


However, as the number of servers grows there is more and more login information to remember, and we can't just rely on the default key and its passphrase for every login. Therefore, a configuration file is introduced here.

On Mac OSX, when you want multiple configurations for different logins, you create ~/.ssh/config and list all the login information inside that file. Let's see one sample.

Host                31mins.com
Hostname            .....compute.amazonaws.com 
User                ec2-user
Port                42000
IdentityFile        ~/.ssh/aws_31mins_key.pem
ForwardAgent        yes

This configuration describes the Host alias 31mins.com together with its Hostname (the hostname can also be an IP address). IdentityFile points to your SSH private key; the matching public key is, of course, stored on the server side. This key file came from AWS; if you own a private Linux machine you can use $ ssh-keygen -t rsa to generate a key pair, which will be placed in ~/.ssh as id_rsa and id_rsa.pub. One more step: $ chmod 400 ~/.ssh/aws_31mins_key.pem. Make sure the private key has the correct mode; ssh refuses to use a private key that is readable by other users. Then you can just use $ ssh 31mins.com to log in to the remote server.
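As an added example (not code from the original post), here is a small POSIX shell check for the chmod 400 step above: it verifies that a private key file, and the directory holding it, are private to their owner, which is what ssh requires before it will use the key. The paths are arguments; the key file used by the built-in demo is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from the original post): check that a private key and the
# ~/.ssh directory are private to their owner before ssh is asked to use them.
# ssh refuses a private key readable by group or others ("UNPROTECTED PRIVATE
# KEY FILE"), so this is the check behind the chmod 400 step.

# Print a file's permission bits in octal (GNU stat first, then BSD/macOS stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when the key is owner-only (0400 or 0600), 1 otherwise.
check_key_perms() {
  key=$1
  [ -f "$key" ] || { echo "missing key: $key" >&2; return 1; }
  mode=$(file_mode "$key")
  case "$mode" in
    400|600) return 0 ;;
    *) echo "insecure mode $mode on $key (expected 400 or 600)" >&2; return 1 ;;
  esac
}

# Return 0 when the key directory is owner-only (0700), 1 otherwise.
check_ssh_dir() {
  dir=$1
  [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
  mode=$(file_mode "$dir")
  case "$mode" in
    700) return 0 ;;
    *) echo "insecure mode $mode on $dir (expected 700)" >&2; return 1 ;;
  esac
}

# Self-contained demo on a constructed key file: the check must reject a
# world-readable key and accept it once it is chmod 400. Returns 0 on success.
demo() {
  tmp=$(mktemp -d) || return 1
  printf 'constructed placeholder, not a real key\n' > "$tmp/demo_key.pem"
  chmod 644 "$tmp/demo_key.pem"
  if check_key_perms "$tmp/demo_key.pem" 2>/dev/null; then
    echo "demo: world-readable key was wrongly accepted" >&2; rm -rf "$tmp"; return 1
  fi
  chmod 400 "$tmp/demo_key.pem"
  chmod 700 "$tmp"
  check_key_perms "$tmp/demo_key.pem" && check_ssh_dir "$tmp" && echo "demo: ok"
  rc=$?
  rm -rf "$tmp"
  return $rc
}

# Usage: sh check_key.sh ~/.ssh/aws_31mins_key.pem   (no argument runs the demo)
if [ $# -gt 0 ]; then
  check_ssh_dir "$(dirname "$1")" && check_key_perms "$1" && echo "ok: $1"
else
  demo
fi
```

ssh itself only inspects the key file's mode; the directory check is extra hygiene so that nobody else can drop a replacement key or config into ~/.ssh.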


The sample above has another property named ForwardAgent. From the security point of view, typing the passphrase can be tedious, so many users would prefer to enter it just once per local login session. The most secure place to store the unencrypted key is in program memory (and we don't want to type the passphrase every time either). Therefore, users run a program called ssh-agent, which runs for the duration of a local login session, stores unencrypted keys in memory, and communicates with SSH clients over a Unix domain socket.

Let's see how it works. For example, I have a repository that uses an SSH key for authentication, and I run a Vagrant machine on my EC2 instance. Inside this Vagrant machine I also need access to the repository. Of course, we could store the SSH key on the Vagrant machine, but ssh-agent is a good way to do it instead. On OS X, ssh-agent has been officially integrated since Leopard (version 10.5). You can use $ ssh-add -K to store passphrases in your keychain. You can also specify the key file name, e.g. $ ssh-add ~/.ssh/aws_31mins_key.pem. $ ssh-add -L lists the public key parameters of all identities. Please check ssh-agent --help for more details.

Then, when you log in to the server, you can also run $ ssh-add -L to see which key identities were forwarded. After that, log in to your Vagrant machine via vagrant ssh to forward these SSH keys one hop further. Then you can use git inside the Vagrant machine.

How to set ssh-agent in Vagrant?

Your Vagrant machine's SSH settings also need ForwardAgent set to yes. Otherwise, the forwarded SSH key will only be available on the EC2 server. You can check with vagrant ssh-config, which prints the SSH configuration for your Vagrant machine.

Host default
  User vagrant
  Port 2200
  UserKnownHostsFile /dev/null
  StrictHostKeyChecking no
  PasswordAuthentication no
  IdentityFile <some path>/.vagrant/machines/default/virtualbox/private_key
  IdentitiesOnly yes
  LogLevel FATAL
  ForwardAgent yes

If ForwardAgent is not set, open your Vagrantfile, add the line config.ssh.forward_agent = true and reload your Vagrant machine.
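Since ForwardAgent appears both in the ~/.ssh/config sample and in the vagrant ssh-config output above, it is worth knowing exactly which hosts end up with forwarding enabled: while you are connected, anyone with root on a forwarded-to host can use the identities loaded in your agent, so forwarding is best granted per trusted Host (as the sample does) rather than under Host *. The following POSIX shell/awk audit is an added example, not code from the original post or from Vagrant. It reads an ssh_config-style file (or standard input) and prints every concrete Host alias whose effective ForwardAgent is yes, applying ssh's rule that the first value obtained for a parameter wins. It handles exact aliases and the bare * wildcard; other patterns are compared literally, Match blocks are ignored, and the sample config built into it is constructed with placeholder hosts.

```shell
#!/bin/sh
# Added example (not from the original post or from Vagrant): list the Host
# aliases in an ssh_config-style file whose effective ForwardAgent is "yes".
# Simplifications: exact aliases and the bare "*" wildcard are matched; any
# other pattern is compared literally, and Match blocks are not handled.

# Usage: forwarded_hosts [FILE]; reads standard input when FILE is omitted.
forwarded_hosts() {
  awk '
    {
      line = $0
      sub(/#.*/, "", line)                   # drop comments
      gsub(/^[ \t]+|[ \t]+$/, "", line)      # trim surrounding whitespace
      if (line == "") next
      n = split(line, f, /[ \t=]+/)          # "Key value" or "Key=value"
      key = tolower(f[1])                    # keywords are case-insensitive
      if (key == "host") {                   # a Host line starts a new block
        nb++
        npat[nb] = n - 1
        for (j = 2; j <= n; j++) pat[nb, j - 1] = f[j]
        fa[nb] = ""                          # "" = this block does not set it
      } else if (key == "forwardagent" && nb > 0) {
        fa[nb] = tolower(f[2])
      }
    }
    END {
      # Every concrete alias (no wildcard characters), in file order.
      for (b = 1; b <= nb; b++)
        for (p = 1; p <= npat[b]; p++) {
          a = pat[b, p]
          if (a !~ /[*?!]/ && !(a in seen)) { seen[a] = 1; alias[++na] = a }
        }
      # ssh keeps the FIRST value obtained for a parameter while scanning
      # blocks top to bottom; a block applies when one of its patterns is
      # the alias itself or "*". The built-in default is "no".
      for (k = 1; k <= na; k++) {
        a = alias[k]; eff = "no"; found = 0
        for (b = 1; b <= nb && !found; b++) {
          if (fa[b] == "") continue
          for (p = 1; p <= npat[b]; p++)
            if (pat[b, p] == a || pat[b, p] == "*") { eff = fa[b]; found = 1; break }
        }
        if (eff == "yes") print a
      }
    }
  ' ${1:+"$1"}
}

# Constructed sample config (placeholder hosts, not a real inventory).
sample_config() {
  cat <<'EOF'
Host 31mins.com
  Hostname placeholder.compute.amazonaws.com
  User ec2-user
  ForwardAgent yes

Host build-box
  Hostname 10.0.0.5
  ForwardAgent no

Host jump
  Hostname 10.0.0.1

Host *
  ForwardAgent yes
EOF
}

# With a path argument audit that file; otherwise audit the sample, which
# prints "31mins.com" and "jump" (jump inherits yes from the "Host *" block).
if [ $# -gt 0 ]; then
  forwarded_hosts "$1"
else
  sample_config | forwarded_hosts
fi
```

Because ssh keeps the first value it finds, a Host * block placed at the top of the file with ForwardAgent yes silently overrides a later host-specific ForwardAgent no; the audit reproduces that ordering rule, which is why the sample puts the wildcard block last. Run it as sh forward_audit.sh ~/.ssh/config to see which of your own aliases currently forward the agent.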