  #1  
06-24-2009, 03:46 PM
mdella
Registered User
 
Join Date: Mar 2004
Location: Scotts Valley, CA
Posts: 44
Agent Forwarding and management of Keys

I'm using the OpenSSH agent forwarding function within SecureCRT 6.2.1 and for the most part it works fine. I am however finding a few things that I can't seem to find answers for.

1. Once a key is "on the ring" or in the agent, how do I remove it from the agent without exiting BOTH SecureCRT and SecureFX?

2. If I have a few keys on the ring, how can I change the order that they are checked against? I have a couple machines that I prefer the check in a certain order.

3. How can I either log or detect (as well as see) what keys are on the ring, when a request has come in (and how often), and which key?

4. How can I temporarily disable a key for a period of time then turn it back on without having to exit SecureCRT then reenter the program?

Marcos
__________________
Marcos Della
Data Center Cloud Architect
Nutanix

PGP Fingerprint: BDC7 AFFD E94F FA09 C839 9153 F5FF E128 3094 2B9E
Key ID: 0x30942B9E
  #2  
06-24-2009, 05:28 PM
bgagnon
VanDyke Technical Support
 
Join Date: Oct 2008
Posts: 4,636
Hi mdella,

Quote:
1. Once a key is "on the ring" or in the agent, how do I remove it from the agent without exiting BOTH SecureCRT and SecureFX?
Agent keys can be deleted using the "Manage Agent Keys..." option that was explained in this post.

This can also be accomplished by "mapping" a key in the 'Terminal / Emulation / Mapped Keys' category of SecureCRT. The 'Function' would be set to 'SSH Function' and the 'SSH Function' would be set to 'SSH_FLUSH_AGENT'.
Quote:
2. If I have a few keys on the ring, how can I change the order that they are checked against? I have a couple machines that I prefer the check in a certain order.
What problem are you trying to solve by reordering the keys in the agent?

If you want to try a specific key, there is an entry in the "ssh2.ini" file that will allow you to try only the key specified in the 'SSH2' category of Session Options (or with the /I <identityfile> from the command-line).

You would need to change:
D:"Try All Agent Keys"=00000001
to
D:"Try All Agent Keys"=00000000
The "ssh2.ini" file is found in the 'Configuration folder', the location of which can be found in the 'General' category of SecureCRT's Global Options.

Otherwise the keys would need to be added and deleted as necessary to accomplish the desired order in the 'Manage Agent Keys' dialog.
Quote:
3. How can I either log or detect (as well as see) what keys are on the ring, when a request has come in (and how often), and which key?
This option is not currently available, though I will be happy to enter a feature request on your behalf for the ability to log statistics on key usage. Can you tell me more about your need for this feature?
Quote:
4. How can I temporarily disable a key for a period of time then turn it back on without having to exit SecureCRT then reenter the program?
This can only be accomplished by adding and deleting keys at this time. Again, I will be happy to enter a feature request on your behalf if you would like to tell me more about how you foresee the feature being implemented.
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730

Last edited by bgagnon; 06-24-2009 at 05:36 PM.
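
For question 3 (seeing which keys are on the ring), the following added example is not part of the original thread and is not VanDyke's code. It parses the standard SSH agent protocol's identities answer into type, comment and fingerprint, and assumes the agent reachable through `SSH_AUTH_SOCK` on the remote host speaks that protocol; the function names and the sample message are constructed for illustration. It only lists keys and does not log signing requests.

```python
import base64, hashlib, os, socket, struct

SSH_AGENTC_REQUEST_IDENTITIES = 11   # client -> agent: "list your keys"
SSH_AGENT_IDENTITIES_ANSWER = 12     # agent -> client: key blobs + comments

def ssh_string(data):
    """Encode bytes as an SSH wire 'string' (uint32 length + bytes)."""
    return struct.pack(">I", len(data)) + data

def read_string(buf, off):
    """Decode one SSH 'string' at off; return (value, next offset)."""
    end = off + 4 + int.from_bytes(buf[off:off + 4], "big")
    if off + 4 > len(buf) or end > len(buf):
        raise ValueError("truncated agent message")
    return buf[off + 4:end], end

def parse_identities(payload):
    """Parse an identities answer (outer length prefix already removed)."""
    if len(payload) < 5 or payload[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an identities answer")
    off, keys = 5, []
    for _ in range(struct.unpack_from(">I", payload, 1)[0]):
        blob, off = read_string(payload, off)        # public key blob
        comment, off = read_string(payload, off)     # free-text key comment
        md5 = hashlib.md5(blob).hexdigest()
        sha = base64.b64encode(hashlib.sha256(blob).digest()).decode()
        keys.append({"type": read_string(blob, 0)[0].decode("ascii", "replace"),
                     "comment": comment.decode("utf-8", "replace"),
                     "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
                     "sha256": "SHA256:" + sha.rstrip("=")})
    return keys

def query_agent(path=None):
    """List identities of the agent behind SSH_AUTH_SOCK (local or forwarded)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path or os.environ["SSH_AUTH_SOCK"])
        s.sendall(struct.pack(">IB", 1, SSH_AGENTC_REQUEST_IDENTITIES))
        with s.makefile("rb") as reader:
            size = struct.unpack(">I", reader.read(4))[0]
            return parse_identities(reader.read(size))

# Constructed sample answer: two made-up key blobs, not real keys.
BLOBS = [ssh_string(b"ssh-rsa") + b"\x01" * 16, ssh_string(b"ssh-dss") + b"\x02" * 16]
SAMPLE = (struct.pack(">BI", SSH_AGENT_IDENTITIES_ANSWER, 2)
          + ssh_string(BLOBS[0]) + ssh_string(b"user key")
          + ssh_string(BLOBS[1]) + ssh_string(b"root key"))

if __name__ == "__main__":
    for key in parse_identities(SAMPLE):
        print(key["type"], key["md5"], key["comment"])
```

Calling `query_agent()` from a shell on the remote host shows the keys that a forwarded agent exposes to that host.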
  #3  
06-25-2009, 10:34 AM
mdella
Already saw the post you referenced for finding the management of keys. However, could not figure it out at all, which prompted this email to begin with. Been going through menus and icons, etc. Nothing has popped up for me to figure this out.

So to answer a few of *your* questions...

1. Why would I want to have differing order of keys...

I operate in an AppLogic environment (virtual environment with roots, managers, users, etc. throughout). Depending on which aspect of the environment I try to log in to, I want it to try my "user" key first and log me in as a user on that machine. If that machine doesn't support user logins (these change all the time, it's a virtual environment) then I want it to use my maintainer key. If the maintainer key doesn't work, then I need to use the root key for physical machine management.

If I do this in the wrong order, then I end up logging in as the wrong account and am given the wrong shell which could potentially be devastating if I do a physical command on a virtual machine or vice versa.

2. Why would I want to temporarily disable a key.

Look above. If I need to get out of a machine (virtual) and get back into it (maintainer) then I want to temporarily disable the user key so that it goes through the remainder of the list for that machine.

One thing that has been suggested is to create different login accounts on the session list, however as I mentioned, this is a virtual environment that constantly changes (well, once a week) so there are only a few entry points that virtually change into different OSs, pieces, etc. So I use a semi-complicated login piece to also manage what to do once on. Since it's always changing, it's a constant pain to keep changing names/IPs of the entry point. It's hard enough to do this for one session account all the time much less three versions of the session account to handle three different entry methods.

3. Since I typically have 8-12 SecureCRT windows open at any one time with different environments, I want to know what keys I'm using at any one time in which environment. In the past, I never used the agent so this wasn't a problem, however in the "virtual" environments, agent key passing happens a LOT so I've started using this as I've gotten tired of entering my password over and over and over and...

Since I have so many open, the key ring never gets flushed when I'm done with one virtual environment and working on another. I then still have keys on my ring floating around for request which I don't want in some of these environments (since other customers have access to the localized ssh-agent as root within their containerized environments). This also leads to me wanting to know when my keys are asked for. If I'm doing something, no big deal. If I'm not doing something and the keys are requested, I'd like to know which sub-agent is pulling the keys.

I also have many X11 windows open as well through this environment so stopping SecureCRT to "flush" the agent list just really isn't possible. Some of these will be up and open for days or (if my machine doesn't crash) weeks.

As you can guess, the key ring can get loaded up with a LOT of keys for various environments so anything that can allow for realtime management of this list (add, delete, move position, how many requests, passes/fails, etc)

Does this help with your questions?

Marcos (beta tester since v2.0 :-)
  #4  
06-25-2009, 10:37 AM
mdella
Enabling/Disabling Keys temporarily
Quote:
This can only be accomplished by adding and deleting keys at this time. Again, I will be happy to enter a feature request on your behalf if you would like to tell me more about how you foresee the feature being implemented.

If you made a menu of the keys as mentioned in the last post (with add, delete, move order, status, usage, etc) you can add a button or check box with "enabled []". Additionally if you can add to the "list" the comment field of the key, that would be nice too (since unfortunately I have LOTS of keys, not by my choice, all with descriptors so I can remember which customer, grid, maintainer key, or license I'm using...)

Marcos
  #5  
06-25-2009, 10:43 AM
mdella
Quote:
Originally Posted by mdella
I'm using the OpenSSH agent forwarding function within SecureCRT 6.2.1 and for the most part it works fine. I am however finding a few things that I can't seem to find answers for.

1. Once a key is "on the ring" or in the agent, how do I remove it from the agent without exiting BOTH SecureCRT and SecureFX?

Ok, I finally found/figured this out (sort of esoteric on how you did that ;-)
One other request I'd have is have a minimize button on that menu, not JUST a close (so I can leave it on the screen or off to the side and still operate) so that I can monitor and maintain that list.

Actually a few more features on that list would make it very useful. Also if it were on a pull down menu other than on a shrink option that I prefer not to use.

The *challenge* will be how to understand which session/window is using which keys... and how to display this in a mechanism other than what you put together....

Marcos
  #6  
06-25-2009, 12:34 PM
bgagnon
Hello mdella,

Thank you for the feedback.

I have added this thread to two feature requests in our development database. One is to add the ability to "Manage Agent Keys" to SecureCRT's GUI interface.

The other is asking for enhancements to agent key management. I have included the specific information you supplied regarding revising the 'Manage Agent Keys' dialog to include "Status" (enabled/disabled) and "Usage" columns in addition to the existing "Type", "Comment" and "Fingerprint" columns, as well as a mechanism for reordering the keys in the list.

Should a future release of SecureCRT include either feature, notification will be posted here.

If you prefer direct e-mail notification, contact support@vandyke.com and include "Feature Request - Forum Thread #3656" in the subject line.
  #7  
03-29-2010, 05:53 PM
Maureen
VanDyke Product Director
 
Join Date: Feb 2004
Location: Albuquerque, NM
Posts: 1,612
The "Manage Agent Keys" functionality that was only available through the Activator has been added to the SecureCRT Tools menu in a pre-beta version of SecureCRT. If you would be interested in trying it, please send e-mail to me at Maureen.Jett@vandyke.com.

Maureen