Agent Forwarding and management of Keys

[mdella]

I'm using the OpenSSH agent forwarding function within SecureCRT 6.2.1 and for the most part it works fine. I am however finding a few things that I can't seem to find answers for.

1. Once a key is "on the ring" or in the agent, how to I remove it from the agent without exiting BOTH SecureCRT and SecureFX.

2. If I have a few keys on the ring, how can I change the order that they are checked against? I have a couple machines that I prefer the check in a certain order.

3. How can I either log or detect (as well and see) what keys are on the ring, when a request has come in (and how often), and which key?

4. How can I temporarly disable a key for a period of time then turn it back on without having to exit securecrt then reenter the program?

Marcos

[bgagnon]

Hi mdella,

Quote:

1. Once a key is "on the ring" or in the agent, how to I remove it from the agent without exiting BOTH SecureCRT and SecureFX.

Agent keys can be deleted using the "Manage Agent Keys..." option available that was explained in this post.

This can also be accomplished by "mapping" a key in the 'Terminal / Emulation / Mapped Keys' category of SecureCRT. The 'Function' would be set to 'SSH Function' and the 'SSH Function' would be set to 'SSH_FLUSH_AGENT'.

Quote:

2. If I have a few keys on the ring, how can I change the order that they are checked against? I have a couple machines that I prefer the check in a certain order.

What problem are you trying to solve by reordering the keys in the agent?

If you want to try a specific key, there is an entry in the "ssh2.ini" file that will allow you to try only the key specified in the 'SSH2' category of Session Options (or with the /I <identityfile> from the command-line).

You would need to change:

D:"Try All Agent Keys"=00000001

to

D:"Try All Agent Keys"=00000000

The "ssh2.ini" file is found in the 'Configuration folder', the location of which can be found in the 'General' category of SecureCRT's Global Options.

Otherwise the keys would need to be added and deleted as necessary to accomplish the desired order in the 'Manage Agent Keys' dialog.

Quote:

3. How can I either log or detect (as well and see) what keys are on the ring, when a request has come in (and how often), and which key?

This option is not currently available, though I will be happy to enter a feature request in your behalf for the ability to log statistics on key usage. Can you tell me more about your need for this feature?

Quote:

4. How can I temporarly disable a key for a period of time then turn it back on without having to exit securecrt then reenter the program?

This can only be accomplished by adding and deleting keys at this time. Again, I will be happy to enter a feature request on your behalf if you would like to tell me more about how you foresee the feature being implemented.

[mdella]

Already saw the post you referenced for finding the management of keys. However could not figure it out at all which prompted this email to begin with. Been going through menus and icons, etc. Nothing has popped up for me to figure this out.

So to answer a few of *your* question...

1. Why would I want to have differing order of keys...

I operate in an applogic environment (virtual environment with roots, managers, users, etc throughout). Depending on which aspect of the environment I try to log into to, I want it to try my "user" key first and log me in as a user on that machine. If that machine doesn't support user logins (these change all the time, its a virtual environment) then I want it to use my maintainer key. If the maintainer key doesn't work, then I need to use the root key for physical machine management.

If I do this in the wrong order, then I end up logging in as the wrong account and am given the wrong shell which could potentially be devistating if I do a physical command on a virtual machine or vice versa.

2. Why would I want to temporarily disable a key.

Look above. If I need to get out of a machine (virtual) and get back into it (maintainer) then I want to temporarly disable the user key so that it goes through the remainder of the list for that machine.

One thing that has been suggested is to create different login accounts on the session list, however as I mentioned, this is a virtual environment that constantly changes (well, once a week) so there are only a few entry points that virtually change into different OSs, pieces, etc. So I use a semi-complicated login piece to also manage what to do once on. Since its always changing, its a constant pain to keep changing names/ips of the entry point. Its hard enough to do this for one session account all the time much less three versions of the session account to handle three different entry methods.

3. Since I typically have 8-12 securecrt windows open at any one time with different environments, I want to know what keys I'm using at any one time in which environment. In the past, I never used the agent so this wasnt a problem, however in the "virtual" environments, agent key passing happens a LOT so I've started using this as I've gotten tired of entering my password over and over and over and...

Since I have so many open, the key ring never gets flushed when I'm done with one virtual environment and working on another. I then still have keys on my ring floating around for request which I don't want in some of these environments (since other customers have access to the localized ssh-agent as root within their containerized environments). This also leads to me wanting to know when my keys are asked for. If I'm doing something, no big deal. If I'm not doing something and the keys are requested, I'd like to know which sub-agent is pulling the keys.

I also have many X11 windows open as well through this environment so stopping securecrt to "flush" the agent list just really isn't possible. Some of these will be up and open for days or (if my machine doesn't crash) weeks.

As you can guess, the key ring can get loaded up with a LOT of keys for various environments so anything that can allow for realtime management of this list (add, delete, move position, how many requests, passes/fails, etc)

Does this help with your questions?

Marcos (beta tester since v2.0 :-)

[mdella]

Enabling/Disabling Keys temporarily

This can only be accomplished by adding and deleting keys at this time. Again, I will be happy to enter a feature request on your behalf if you would like to tell me more about how you foresee the feature being implemented.

[/QUOTE]

If you made a menu of the keys as mentioned in the last post (with add, delete, move order, status, usage, etc) you can add a button or check box with "enabled []". Additionally if you can add to the "list" the comment field of the key, that would be nice too (since unfortunately I have LOTS of keys, not by my choice, all with descriptors so I can remember which customer, grid, maintainer key, or license I'm using...)

Marcos

[mdella]

Quote:

Originally Posted by mdella

I'm using the OpenSSH agent forwarding function within SecureCRT 6.2.1 and for the most part it works fine. I am however finding a few things that I can't seem to find answers for.

1. Once a key is "on the ring" or in the agent, how to I remove it from the agent without exiting BOTH SecureCRT and SecureFX.

Ok, I finally found/figured this out (sort of esoteric on how you did that ;-)
One other request I'd have is have a minimize button on that menu, not JUST a close (so I can leave it on the screen or off to the side and still operate) so that I can monitor and maintain that list.

Actually a few more features on that list would make it very useful. Also if it were on a pull down menu other than on a shrink option that I prefer not to use.

The *challange* will be how to understand which session/window is using which keys... and how to display this in a mechanism other than what you put together....

Marcos

[bgagnon]

Hello mdella,

Thank you for the feedback.

I have added this thread to two feature requests in our development database. One is to add the ability to "Manage Agent Keys" to SecureCRT's GUI interface.

The other is asking for enhancements to agent key management. I have included the specific information you supplied regarding revising the 'Manage Agent Keys' dialog to include "Status" (enabled/disabled) and "Usage" columns in addition to the existing "Type", "Comment" and "Fingerprint" columns, as well as a mechanism for reordering the keys in the list.

Should a future release of SecureCRT include either feature, notification will be posted here.

If you prefer direct e-mail notification, contact support@vandyke.com and include "Feature Request - Forum Thread #3656" in the subject line.

[Maureen]

The "Manage Agent Keys" functionality that was only available through the Activator has been added to the SecureCRT Tools menu in a pre-beta version of SecureCRT. If you would be interested in trying it, please send e-mail to me at Maureen.Jett@vandyke.com.

Maureen