#!/bin/blog

December 31, 2008

Using the SSH agent from daemon processes

Filed under: UNIX & Linux — Tags: , , , — martin @ 1:04 am

One of my more recent installations, the BackupPC server I wrote about earlier, needs full access as the user root to his clients in order to retrieve the backups. Here’s how I implemented authentication on this machine.

BackupPC runs as its own designated user, backuppc. All authentication procedures therefore happen in the context of this user.

The key component in ssh-agent operation is a Unix domain socket that the ssh client uses to communicate with the agent. The default naming scheme for this socket is /tmp/ssh-XXXXXXXXXX/agent.<ppid>. The name of the socket is stored in the environment variable SSH_AUTH_SOCK. The windowing environments on our local workstations usually run as child processes of ssh-agent. They inherit this environment variable from their parent process (the agent) and therefore the shells running inside our Xterms know how to communicate with it.

In the case of a background server using the agent, however, things are happening in parallel: On one hand, we have the daemon which is being started on bootup. On the other hand, we have the user which the daemon is running as, who needs to interactively add his SSH identity to the agent. Therefore, the concept of an automatically generated socket path is not applicable and it would be preferable to harmonize everything to a common path, such as ~/.ssh/agent.socket.

Fortunately, all components in the SSH authentication system allow for this kind of harmonization.

The option -a to the SSH agent allows us to set the path for the UNIX domain socket. This is what this small script, /usr/local/bin/ssh-agent-wrapper.sh does on my backup server:

#!/bin/bash
SOCKET=~/.ssh/agent.socket
ENV=~/.ssh/agent.env
ssh-agent -a $SOCKET > $ENV

When being started in stand-alone mode (without a child process that it should control), ssh-agent outputs some information that can be sourced from other scripts:

SSH_AUTH_SOCK=/var/lib/backuppc/.ssh/agent.socket; export SSH_AUTH_SOCK;
SSH_AGENT_PID=1234; export SSH_AGENT_PID;
echo Agent pid 1234;

This file may sourced from the daemon user’s ~/.bash_profile:

test -s .ssh/agent.env && . .ssh/agent.env

However, this creates a condition where we can’t bootstrap the whole process for the first time. So it might be somewhat cleaner to just set SSH_AUTH_SOCK to a fixed value:

export SSH_AUTH_SOCK=~/.ssh/agent.socket

Here’s the workflow for initializing the SSH agent for my backuppc user after bootup:

root@foo:~ # su - backuppc
backuppc@foo:~ $ ssh-agent-wrapper.sh
backuppc@foo:~ $ ssh-add

In the meantime, what is happening to the backuppc daemon?

In /etc/init.d/backuppc, I have added the following line somewhere near the top of the script:

export SSH_AUTH_SOCK=~backuppc/.ssh/agent.socket

This means that immediately after boot-up, the daemon will be unable to log on to other systems, as long as ssh-agent has not been initialized using ssh-agent-wrapper.sh. After starting ssh-agent and adding the identity, the daemon will be able to authenticate. This also means that tasks in the daemon that do not rely on SSH access (in the case of BackupPC, things like housekeeping and smbclient backups of “Windows” systems) will already be in full operation.

About these ads

5 Comments »

  1. Ah, wonderfull explanation. Many thanks for this. Best luck to you and your family and a wealthy 2009!

    Comment by Joern — December 31, 2008 @ 7:07 pm

  2. This line dont work for me in /etc/init.d/backupc

    “export SSH_AUTH_SOCK=~/.ssh/agent.socket”

    I had to use:
    “test -s /var/lib/backuppc/.ssh/agent.env && . /var/lib/backuppc/.ssh/agent.env”

    dont now why?
    thaks by the way

    Comment by Berto — August 6, 2010 @ 2:13 pm

    • If you have really used this in the init script, it did not work because the init script is run by root and in this context, the tilde resolves to /root. That’s why I wrote ~backuppc above. Anyway, your solution is practically identical, so there’s nothing wrong with it. :-)

      Comment by martin — August 9, 2010 @ 8:36 pm

      • ok, i understand…

        thanks for your article, anyway.

        bye

        Comment by Berto — August 12, 2010 @ 10:19 am

  3. [...] “Using the SSH agent from daemon processes” (#!/bin/blog; 2008.12.31) – http://binblog.info/2008/12/31/using-the-ssh-agent-from-daemon-processes/ [...]

    Pingback by SSH, OpenSSH « Eikonal Blog — February 3, 2011 @ 9:39 pm


RSS feed for comments on this post. TrackBack URI

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Shocking Blue Green Theme. Create a free website or blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: