#1
Preloading agent keys in Activator
Is there a way to load agent key(s) when starting Activator, similar to PuTTY's pageant? When you start pageant, you can specify at least one keyfile, and pageant will load it and ask for a passphrase at startup. From then on, you're covered.
I've played with Activator, and I have not been able to get it to do this. The real-world problem this causes occurs when I open multiple server sessions at once when there is no agent key in Activator. Each session pops up a window asking for the key passphrase, and I have to enter it for each session. If the agent key is preloaded and authenticated in Activator, however, the sessions log right in with no problem. Of course, I can load the agent key(s) manually upon reboot, but this is hard to remember and takes extra time. I looked in the VanDyke help text, and I could find nothing about the Activator command line format, arguments, or flags. Thanks for your help!
#2
An alternative solution, continuing the example I gave above about opening multiple windows at once:
When I enter the key passphrase for one of the prompts, if SecureCRT/FX would check for other open passphrase prompts on the same key and close them automatically, and use the now-authenticated key, I would only have to enter the passphrase once. This could be a good solution, especially if I use multiple private keys, as it would only prompt for a passphrase when I actually use the key. So if I have 20 keys but typically use only 3 -- I would only need to enter the three I use under the alternate solution. If I preloaded all 20 at system startup, I would have to enter all 20 passwords. Of course, I could also preload only the 3 keys I commonly use instead of all 20. So either solution could work well.
#3
Hi shoebear,
Thanks for the question. I have created a feature request in our SecureCRT enhancement database to add the ability to pre-load private keys to the agent. Should we add this capability in the future, we will post to this thread. In the meantime, you may want to consider enabling "Connect to multiple sessions sequentially", which is located in the Terminal / Advanced category of the Global Options dialog. Does this option help get you closer to your goal?
#4
Thanks! The "open multiple sessions sequentially" does work around the problem, although it makes it a bit slower to open a bunch of sessions. So I would appreciate having the ability to preload keys in Activator at some point in the future.
#5
You are welcome shoebear.
We will post to this thread if we add the feature. If you would like to be notified directly, please complete and submit the form at the following location: Submit Feature Request
#6
Old request, trying to see what happened...
So I've been doing this all by hand and today just finally got frustrated with the entire thing... Started doing a bunch of research and this is the only thread I've found on this particular topic so far...
Anyway, I was wondering the exact same thing. I've been playing with it myself but haven't figured out how to preload my 5 keys without having to actually log into 5 servers to do it (since 3 are only accessible via a jump box, I can't even do that, I literally have to use the Tools -> Manage Agent keys... to add my missing three keys). BTW I'm personally running v8.3.1 of SecureCRT. Marcos
__________________
Marcos Della Data Center Cloud Architect Nutanix PGP Fingerprint: BDC7 AFFD E94F FA09 C839 9153 F5FF E128 3094 2B9E Key ID: 0x30942B9E
#7
Hi mdella,
Thank you for letting us know that you would also like to see this feature implemented. We have yet to implement this feature in SecureCRT but will be sure to post here if this feature is included in a future release of SecureCRT. If you prefer direct email notification, contact support@vandyke.com and include "Feature Request - Forum Thread #11208" in the subject line.
__________________
Thanks, --Brittney VanDyke Software Technical Support support@vandyke.com (505) 332-5730
#8
Follow up to agent issues
So I'm trying to track down where this exactly is failing but...
I'm manually loading 9 keys each and every time I start SecureCRT from scratch (at this point, I just don't shut down either my Windows box or my Mac as it's a pain to do all the keys by hand). I realize that in January you said this was on the to-do list... The problem I'm running into now is realizing that keys 5+ on the ring aren't being used/forwarded/tested when I'm on a Linux box that has "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017" on it. So when I try and connect to another machine, it only tests the first 4 on the agent key ring then fails (so keys 5 onward that I preloaded never seem to be used). I can't identify if the failure is the ssh program on CentOS 7, or the agent in SecureCRT just not presenting more than 4 keys... If I delete keys and get the one I want down to the 4th position, things work again. At least for that key. Any clues or ideas where I should be looking? Marcos
__________________
Marcos Della Data Center Cloud Architect Nutanix PGP Fingerprint: BDC7 AFFD E94F FA09 C839 9153 F5FF E128 3094 2B9E Key ID: 0x30942B9E
#9
Marcos,
SSH servers typically allow only a specific number of failed authentication attempts before they boot the client connection. If you turn on Trace Options logging, you'll likely see that SecureCRT is attempting to go through each of the keys in the Agent, trying each one "unsigned" to see if it could possibly work with the host. The host is likely booting you after the first 3-4 attempts because the host has reached its configured limit of unsuccessful authentication attempts.
You can tell SecureCRT to use a specific key for a host, by configuring the Session Options for that host's saved session, telling that session to use a session-specific public/private key and point to the corresponding key file. Even though you'll be pointing the SecureCRT saved session configuration to the actual key file, SecureCRT will first look in the agent for that same key first. If that key isn't found in the agent, SecureCRT will prompt you for the passphrase to unlock that key, and will add it to the agent upon successful authentication (if the SSH2 global options have the agent enabled).
If you don't tell the SecureCRT saved session which key to use for that host, it will end up going through each key in the agent one by one until either a key works, or the remote boots you for trying too many times unsuccessfully.
Another option, if you have the say-so and the desire, is to configure the remote system to allow for a larger number of failed authentication attempts before a client gets booted (up to the number of keys you have in your agent).
Does this help get you where you need to be?
--Jake
__________________
Jake Devenport VanDyke Software Technical Support YouTube Channel: https://www.youtube.com/vandykesoftware Email: support@vandyke.com Web: https://www.vandyke.com/support
#10
SSH Agent and trying keys...
Yes it does give me an idea of what is going on. For some reason I wasn't thinking in terms of failed attempts (my mind was thinking of "presenting 9 keys" and being told which one we can use). For hosts I can change the number of tries, but for things like switches and routers, I might not have that ability.
In terms of using your suggestion, the challenge is that I use one key for servers (or jump hosts) which are in the session key assignment, but the keychain is scanned based on which environment I jump to from there... production, staging, north america, EU, CN, DE, SG, development, monitoring. There are 9 different environments I "jump" to from that server so I never know which key I specifically need at what time. But the behavior does explain some of the "random" failures I was having in the past (which became more prevalent when I changed the order that I was loading keys in from). Not the best answer, but definitely puts it in context. Marcos
__________________
Marcos Della Data Center Cloud Architect Nutanix PGP Fingerprint: BDC7 AFFD E94F FA09 C839 9153 F5FF E128 3094 2B9E Key ID: 0x30942B9E
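Added example, not part of any post in this thread and not VanDyke's code: one way to apply the per-host key pinning described in #9 on the OpenSSH client of the jump host from #10, so that `ssh` offers one forwarded-agent key per environment instead of walking the whole agent. The key blobs, environment names and `*.example.com` host patterns are constructed assumptions; `IdentityFile` pointing at a public key file and `IdentitiesOnly yes` are standard OpenSSH client options.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): pin one forwarded-agent key per
# environment on the jump host so ssh offers only that key.

# Constructed stand-in for `ssh-add -L` output; blobs are placeholders.
sample_agent_keys() {
  local i=1 name
  for name in jump prod staging na eu cn de sg dev; do
    printf 'ssh-ed25519 AAAAC3PLACEHOLDER%02d %s\n' "$i" "$name"
    i=$((i + 1))
  done
}

# 1-based position of the key with comment $1 in the list on stdin (0 if
# absent). The agent's keys are offered to the server in this order.
key_position() {
  awk -v c="$1" '$3 == c { print NR; f = 1; exit } END { if (!f) print 0 }'
}

# True if the key at position $1 is offered before a server that tolerates
# $2 attempts drops the connection (each earlier key costs one attempt).
reachable() { [ "$1" -ge 1 ] && [ "$1" -le "$2" ]; }

# For each "comment host-pattern" pair in file $2, copy the matching public
# key from key list $1 to $3/<comment>.pub and print an ssh_config stanza.
emit_pinned_config() {
  local keys="$1" map="$2" dir="$3" comment pattern line
  mkdir -p "$dir"
  while read -r comment pattern; do
    line=$(awk -v c="$comment" '$3 == c { print; exit }' "$keys")
    [ -n "$line" ] || continue            # key not in the agent: skip
    printf '%s\n' "$line" > "$dir/$comment.pub"
    printf 'Host %s\n  IdentityFile %s\n  IdentitiesOnly yes\n' \
      "$pattern" "$dir/$comment.pub"
  done < "$map"
}

demo() {
  local tmp; tmp=$(mktemp -d)
  sample_agent_keys > "$tmp/keys"         # real use: ssh-add -L > keys
  printf '%s\n' 'prod *.prod.example.com' 'sg *.sg.example.com' > "$tmp/map"
  pos=$(key_position sg < "$tmp/keys")
  reachable "$pos" 4 || echo "sg is key #$pos: never offered with a limit of 4"
  emit_pinned_config "$tmp/keys" "$tmp/map" "$tmp/pinned"
  rm -rf "$tmp"
}
demo
```

Only public keys are written to the jump host; the private keys stay in the forwarded agent, and the printed stanzas would be appended to `~/.ssh/config` there.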
#11
Same here
When I log in I don't just need 1 private key, but many. The first SSH host is just a stepping stone. I need the other keys loaded so I can use them with agent forwarding.
Every reboot, I have to open Agent, find the keys in explorer, and enter the passphrase. How can the amount of work after a reboot be reduced?
#12
Hi Andomar,
SecureCRT currently does not support the functionality that you desire. I have submitted a feature request on your behalf to add the ability to load pre-defined private keys to the agent when SecureCRT is launched. If implemented, you would not have to manually add the keys to the agent every time that you connect. Should a future release of SecureCRT include this functionality, notification will be posted here. If you prefer direct email notification, send an email to support@vandyke.com and include "Feature Request - Forum Thread #11208" in the subject line.
__________________
Thanks, --Brittney VanDyke Software Technical Support support@vandyke.com (505) 332-5730
#13
Hi all,
I'm happy to report that our developers have now implemented support for this feature in v9.0 beta 1:
Changes in SecureCRT 9.0 (Beta 1) -- September 24, 2020
New Features:
It is available for both SecureCRT and SecureFX on all supported platforms. The beta 1 installers for Windows only are available on our website. If you are a macOS or Linux user of SecureCRT, don't feel left out. We can still give you a pre-release build of v9.0 with this functionality. Just email support@vandyke.com and request a build with Pre-loading agent keys support. (If not writing us from the email address associated with your download account, please include that email address in the body of the email.) Or keep your eyes peeled for the beta 2 release which we expect to be for all supported platforms. (The best way to stay informed as to release dates is to subscribe to the product announcements.)
__________________
Thanks, --Brenda VanDyke Software Technical Support support@vandyke.com (505) 332-5730