One place for hosting & domains

      November 2022

      An Introduction to the OSI Networking Model


      Computer networking is a complicated subject, with many interconnected layers and interactions. To help developers and engineers understand how the various networking components work together, several conceptual models have been developed. The
      Open Systems Interconnection (OSI) Model is a popular model that divides the networking stack into seven layers. This guide explains the OSI Model and describes each layer. It also lists the tools available for each layer and contrasts the OSI Model with the competing
      Internet Protocol suite.

      What is the OSI Model?

      The OSI Model provides a method for understanding how end-to-end internet communications work. It deconstructs the networking process into seven layers, each representing a different step of the transmission chain. Each layer has its own function and is responsible for well-defined tasks. Most user data passes through each layer upon both ingress and egress.

      The OSI model was originally developed in the 1970s and 1980s under the oversight of the International Organization for Standardization (ISO). It is formalized in the ITU-T series of
      X.200 recommendations. The model is mainly conceptual in nature and models the network at a high level of abstraction. It is designed to encourage a shared consensus of network standards and interoperability. While it has never been fully applied, it has gained popularity as a good educational model.

      The OSI Model originally included a number of network protocols to implement each of the different layers. However, these protocols were determined to be too complex and difficult to implement. They also involved too drastic of a change to established practices. Therefore, they were never adopted, and protocols from the Internet Protocol (IP) suite were used instead. The standard network protocols in use today show more complexity and do not perfectly align with the OSI model.

      The seven layers are numbered from lowest to highest. The highest layer is closest to the user applications, while the lowest relates to physical transmission. User data passes sequentially from the highest layer down through the lower layers until the device transmits it externally.

      The OSI model encourages a strict encapsulation model. Data from a higher level becomes part of the lower layer message. The data packet received from the higher layer is known as a service data unit (SDU). The lower layer prepends a header to the SDU. In some cases, it might also append a footer. The header and footer contain information intended for the peer layer of the receiving device. After the additional information is concatenated to the original packet from the higher layer, the message is called a Protocol Data Unit (PDU). The PDU is designed to be processed at the same layer on the destination node. This continues until the data reaches the physical layer. At this point, it is converted to a bitstream and physically transmitted to the receiver.

      On the incoming side, the order is reversed. Traffic is first received at the physical layer. It then passes upward one layer at a time. At each layer, the receiving layer reviews the information in the header and removes the encapsulating material. If necessary, the packet is then passed to the higher layer. This process continues until the packet is completely consumed.

      The OSI Layer Architecture

      The seven layers, from lowest to highest, are listed below. Each layer is described in a separate section later in this guide.

      1. Physical Layer
      2. Data Link Layer
      3. Network Layer
      4. Transport Layer
      5. Session Layer
      6. Presentation Layer
      7. Application Layer

      The acronym “All People Seem To Need Data Processing” can be used to remember the layers from highest to lowest. Not all data flows begin at the application layer. Lower layers negotiate automatically after they are configured, even if they are not serving any higher-layer application. Additionally, packets might only be partially processed by intermediate devices. For example, a core router examines packets at the network layer. It then forwards the packet, sending it back to the data link and physical layers to be transmitted.

      Each of the seven layers within the OSI is given its own set of responsibilities. The layers are numbered from the lowest layer, the physical layer, to the high-level application layer. Egress data passes from higher to lower layers. Ingress data is reversed and passes from the lowest layer to the upper layers.

      Layer 1: The Physical Layer

      The lowest layer is responsible for transmitting data to another device using some type of physical medium. It handles characteristics of the physical connection between nodes. All networked devices, from high-end network routers, mobile phones, and laptops, down to simple repeaters, transmit packets using the physical layer. Therefore all devices must use physical layer technologies to communicate with other devices. The physical layer converts data packets into a signal representing a stream of bits.

      This signal can be transmitted using a variety of techniques, including electrical, optical, and wireless encoding. Some examples of physical layer technologies include Wi-Fi, Ethernet, USB, and SONET/SDH. The implementation of this layer usually happens in hardware through a chip, rather than software. Physical layer standards usually include hardware specifications for the pin layout, cable attributes, and data encoding. However some attributes might be software controlled, including physical duplex and framing.

      Physical layer protocols are responsible for implementing the following functionality:

      • Voltage levels
      • Physical data rates
      • Physical connector specifications
      • Maximum transmission length
      • Modulation or channel access
      • Framing and bit stuffing
      • Signal timing and frequency
      • Transmission mode/duplex
      • Auto-negotiation

      Many transmission standards specify details for both the physical and data link layers. The Ethernet standard is a good example.

      Physical Layer Tools

      In a lab environment, a multimeter or oscilloscope can verify quality and compliance. In a real world setting, there is no practical way to debug physical layer problems. A trial and error process of swapping out cables, connectors, and physical ports is often required. If a cable is flakey or defective, throw it out and use another.

      The data link layer is responsible for transferring data between two nodes that are either directly connected or lie within the same network. To send data to a different network, network layer functionality is required. Layer two protocols can often correct physical layer errors using bit correction algorithms. At the data link layer, data is transported inside a frame. A network switch is an example of a data link layer device.

      Layer two specifications explain how to establish a connection and transmit data to another node. The Institute of Electrical and Electronics Engineers (IEEE) organization defines many of the data link specifications under the
      IEEE 802 family of standards. Some of these standards include Ethernet, Wireless LAN, Bluetooth, and Radio, while non-802 standards include the Point-to-Point Protocol (PPP) and Frame Relay. Unlike IP addresses, layer two addresses occupy a flat addressing space. This means the addresses are not hierarchical or routable.

      The IEEE 802 specifications can be further subdivided into two sub-layers, each with their own responsibilities.

      • Logical Link Control (LLC): This is the higher of the two layers. It acts as an interface between the network layer and the MAC layer. It encapsulates higher-layer protocols, and handles flow control, multiplexing, and error detection. However, some of those functions might also be handled at higher layers.
      • Medium Access Control (MAC): The MAC layer is closely entwined with the physical layer. The MAC layer controls network access, frame synchronization, byte/bit stuffing, and link addressing. It encapsulates data from the LLC layer into the appropriate format for the link layer protocol. It also adds and removes a frame checksum to help identify erroneous frames and implements collision detection.

      For a complete analysis, a packet capture tool such as
      Wireshark can capture and analyze the frames. However, many Linux commands allow users to examine interface statistics for packet stats and errors. The ip link command displays information about the network interfaces on the server. The command output includes the state, MTU, and MAC address of the link. See the
      Ubuntu ip command man page for more information.

      1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
          link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
      2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
          link/ether f2:3c:93:15:ce:03 brd ff:ff:ff:ff:ff:ff

      The nast utility is a packet sniffer for use in analyzing LAN traffic. It is not pre-installed, so users must install it using apt.

      Run the command at the sudo level and terminate it using the Ctrl+C combination. Specify the interface to listen to using the -i option. The
      Ubuntu nast man page includes more details.

      Sniffing on:
      
      - Device:	eth0
      - MAC address:	F2:3C:93:15:CE:03
      - IP address:	192.0.2.161
      - Netmask:	255.255.255.0
      - Promisc mode:	Set
      - Filter:	None
      - Logging:	None
      
      ---[ TCP ]-----------------------------------------------------------
      192.0.2.161:22(ssh) -> 192.0.2.208:50788(unknown)
      TTL: 64 	Window: 501	Version: 4	Length: 112
      FLAGS: ---PA--	SEQ: 855325394 - ACK: 3719741052
      Packet Number: 1
      
      ---[ TCP ]-----------------------------------------------------------
      192.0.2.161:22(ssh) -> 192.0.2.208:50788(unknown)
      TTL: 64 	Window: 501	Version: 4	Length: 124
      FLAGS: ---PA--	SEQ: 855325454 - ACK: 3719741052
      Packet Number: 2
      
      Packets Received:		35805
      Packets Dropped by kernel:	14803

      To list the configuration and capabilities of each network interface, use the ip netconf command.

      inet lo forwarding off rp_filter off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
      inet eth0 forwarding off rp_filter loose mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
      inet all forwarding off rp_filter loose mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
      inet default forwarding off rp_filter loose mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
      
      inet6 lo forwarding off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
      inet6 eth0 forwarding off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
      inet6 all forwarding off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
      inet6 default forwarding off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off

      Layer 3: The Network Layer

      The network layer lies at the heart of the OSI network stack. It is responsible for addressing packets and routing them across the internet. Layer three data units are known as packets. The network layer allows packets to flow across non-adjacent networks. Most routers are network layer devices, although some also implement higher layer functions.

      Layer three protocols use the packet destination address to determine the best egress interface for the data. Before reaching its destination, a packet might be routed through many nodes. A path consists of all the routers a packet must pass through to reach a specific destination. Each network device a packet transits through is known as a hop. At each hop, the network layer processes the packet. If the packet has reached its final destination, the data is sent to the transport layer. Otherwise, the packet receives a new header and footer and is sent back to the data link layer for forwarding to the next hop.

      The network layer is responsible for breaking down packets that are too large for the lower layer links into smaller pieces. This process is called fragmentation. At the destination end, the network layer reassembles the fragments back into the original packet. Protocols at the network layer are not required to be reliable, although some protocols might report and retransmit missing packets. Network layer protocols are generally connectionless. Connections and sessions are managed by the higher layers.

      Many well-known network protocols operate at the network layer, including the following:

      • The Internet Protocol (IP). This protocol specifies the addressing format for the internet.
      • Routing protocols including Border Gateway Protocol (BGP) and Open Shortest Path First (OSPF). These protocols are responsible for determining the best path to the final destination.
      • The Multiprotocol Label Switching (MPLS) protocol. In reality, MPLS is a multi-layer protocol. It includes functionality from both the network and transport layers.
      • The various Internet Control Message Protocol (ICMP) control messages, and related applications like ping and traceroute.
      • Multicast standards, including the Internet Group Management Protocol (IGMP).

      Network Layer Tools

      The ip command is also quite useful for network layer problems. The ip addr show command displays the IP address associated with each interface.

      1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
          link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
          inet 127.0.0.1/8 scope host lo
             valid_lft forever preferred_lft forever
          inet6 ::1/128 scope host
             valid_lft forever preferred_lft forever
      2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
          link/ether f2:3c:93:15:ce:03 brd ff:ff:ff:ff:ff:ff
          inet 192.0.2.161/24 brd 233.252.129.255 scope global eth0
             valid_lft forever preferred_lft forever
          inet6 2a01:7e00::f03c:93ff:fe15:ce03/64 scope global dynamic mngtmpaddr noprefixroute
             valid_lft 5316sec preferred_lft 1716sec
          inet6 fe80::f03c:93ff:fe15:ce03/64 scope link
             valid_lft forever preferred_lft forever

      The ping and traceroute commands can determine whether a destination is reachable and track the path the packet follows to reach it. These commands can be used with either the name of a router or an IP address. Terminate the command using the Ctrl+C key combination.

      PING wikipedia.org(text-lb.esams.wikimedia.org (2620:0:862:ed1a::1)) 56 data bytes
      64 bytes from text-lb.esams.wikimedia.org (2620:0:862:ed1a::1): icmp_seq=1 ttl=55 time=6.45 ms
      64 bytes from text-lb.esams.wikimedia.org (2620:0:862:ed1a::1): icmp_seq=2 ttl=55 time=6.41 ms
      64 bytes from text-lb.esams.wikimedia.org (2620:0:862:ed1a::1): icmp_seq=3 ttl=55 time=6.41 ms
      64 bytes from text-lb.esams.wikimedia.org (2620:0:862:ed1a::1): icmp_seq=4 ttl=55 time=6.55 ms
      64 bytes from text-lb.esams.wikimedia.org (2620:0:862:ed1a::1): icmp_seq=5 ttl=55 time=6.40 ms
      64 bytes from text-lb.esams.wikimedia.org (2620:0:862:ed1a::1): icmp_seq=6 ttl=55 time=6.68 ms
      
      --- wikipedia.org ping statistics ---
      6 packets transmitted, 6 received, 0% packet loss, time 5008ms
      rtt min/avg/max/mdev = 6.398/6.483/6.678/0.101 ms

      To view the contents of the system routing table, use the ip route show command. The ip neighbor show and ip nexthop show commands are also often useful.

      default via 192.0.2.1 dev eth0 proto static
      192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.161

      Layer 4: The Transport Layer

      The transport layer works in conjunction with the network layer to coordinate data transfer between the host and the destination. While the network layer is more concerned with addressing and routing, the transport layer is responsible for segmenting and ordering the data. It must collect and interleave packets from many different higher-level protocols. It must also associate these packets with the correct session. On the receiving side, the transport layer reassembles the packets and detects any missing segments. Some transport layer protocols also handle quality of service, congestion avoidance, reliability, and packet retransmission.

      Transport layer protocols are either connection-oriented or connectionless. The two most important transport protocols are the
      Transmission Control Protocol (TCP) and the
      User Datagram Protocol (UDP). Transport layer data units are sent from, and received on, a specific port. The full destination address consists of both an IP number and a port. For ease of use, many protocols are associated with a specific, well-known port.

      • Transmission Control Protocol: TCP is a robust connection-oriented protocol. It implements reliability and error-checking and guarantees packets are delivered in order. It is used for applications that cannot tolerate corrupted or missing packets, such as file transfers and email. TCP segments data based on the maximum transmission unit (MTU) of the egress interface. Some portions of the TCP specification, including the graceful close technique, better align with the session layer of the OSI model.
      • User Datagram Protocol: UDP is a connectionless, lightweight protocol that is far less complex than TCP. Unlike TCP, UDP does not segment packets. It is not necessarily reliable and does not retransmit packets. It is a best effort option for performance-oriented applications that can tolerate missing or corrupted packets. UDP is a good choice for streaming video and applications using built-in buffering mechanisms.

      The Transport Layer Security (TLS) protocol somewhat aligns with the OSI transport layer, but it also provides features from the higher layers.

      Transport Layer Tools

      There is no generic transport layer monitoring tool for Linux. Instead, tools are available for specific protocols. For TCP, the tcptrack utility displays a list of current sessions. tcptrack does not come preinstalled, so install it using apt.`

      sudo apt install tcptrack

      Use the -i option and the name of the interface to see all connections active on the interface. There is no corresponding UDP equivalent because UDP is connectionless. The
      Ubuntu tcptrack man page provides full usage instructions. Terminate the command using the Ctrl+C key combination.

      Client                Server                State        Idle A Speed
      192.0.2.208:50788  192.0.2.161:22     ESTABLISHED  0s     10 KB/s

      tcpdump is a packet analyzer for monitoring outgoing and incoming packets on a specific interface. The -i attribute indicates the interface to listen to. The eth0 interface is the default. It can also monitor UDP packets. tcpdump is also able to detect packets at lower layers than the transport layer, while another option allows users to view the Ethernet headers. Consult the
      Ubuntu tcpdump man page for a list of options. Terminate the command using the Ctrl+C key combination.

      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
      18:52:14.806270 IP testworkstation.ssh > ti.bb.online.no.50788: Flags [P.], seq 866780550:866780658, ack 3719759268, win 501, options [nop,nop,TS val 3917578569 ecr 3770283712], length 108

      Layer 5: The Session Layer

      The session layer is relatively lightweight. It is used to establish and maintain ongoing sessions of longer duration between two systems. It handles the negotiation of the connection and closes it when no longer required. The session layer often manages user authentication during the establishment phase. Sometimes the session layer provides a way to suspend, restart, or resume a session. Network sockets operate at this layer, and protocols including FTP and DNS make substantial use of session layer functionality. It is also heavily used by streaming services, and web/video conferencing. For some services, session layer protocols use flow control for proper synchronization.

      Session Layer Tools

      In many applications, the session layer is bundled together with the presentation and application layer. All layers are managed as a single unit. Therefore there are no generic tools for the session layer or any of the higher layers. Instead, users must employ the application tools. For instance, the
      FileZilla FTP application provides logs and a debug menu to help resolve FTP connectivity problems at the session level.

      Layer 6: The Presentation Layer

      The presentation layer is responsible for translating content between the application layer and the lower layers. It handles data formatting and translation, including data compression/decompression, encoding, and encryption. For some higher layer applications, the presentation layer might also handle graphics and operating system specific tasks. In most modern applications, the presentation and application layers are tightly integrated.

      A example of a protocol residing at the presentation layer is Multipurpose Internet Mail Extensions (MIME), for formatting email messages. The Transport Layer Security (TLS) encryption protocol is also a presentation layer application.

      Layer 7: The Application Layer

      The application layer is the highest layer and the one that is closest to the end user of most software applications. There is a tendency to think of this layer as being equivalent to the application, but the user applications actually directly interact with this layer. Many application layer protocols tend to be closely bound to the client software. They manage tasks including message handling, printer access, and database access. Some examples of application layer protocols include the following:

      • Hypertext Transfer Protocol (HTTP)
      • Simple Mail Transfer Protocol (SMTP)
      • Telnet
      • Secure Shell (SSH)
      • File Transfer Protocol (FTP)
      • Simple Network Management Protocol (SNMP)
      • Domain Name System (DNS)

      End-to-End Processing Using the OSI Model

      It is possible to use the OSI Model to explain how a user request passes from a client application down to the physical layer. For instance, depending on the web application, the following steps might occur when browsing the internet.

      1. The web browser client interacts with an application protocol at the application layer. The user request is translated to either an HTTP or HTTPS message. The DNS protocol is used to convert the domain name into an IP address.
      2. If HTTPS is used, the presentation layer encrypts the outgoing request using a TLS socket. If necessary, the data is encoded or translated to a different character set.
      3. At the session layer, a session is established to send and receive the HTTP/HTTPS messages. In most cases, the session layer opens a TCP session because web browsing requires reliable transmission. However, some streaming applications might opt for a UDP session.
      4. The transport layer TCP protocol initiates a connection to the destination server. When the session is operational, it transmits the packets in their original order and ensures all packets are sent and received. UDP sends all packets out in a best effort manner without a direct connection and does not wait for any acknowledgments. If necessary, the data packets are segmented into smaller packets. The transport protocol forwards all outgoing packets to the network layer.
      5. At the network layer, the routing protocols decide what egress interface to use based on the destination address. The data, including the address information, is encapsulated inside an IP packet. The packet is then forwarded to the data link layer.
      6. The data link layer converts the IP packets to frames, which might result in further fragmentation. It builds the frames based on the data link protocol being used.
      7. At the physical layer, the frames are converted to a stream of bits and transmitted onto the carrier media.

      Drawbacks of the OSI Model

      The OSI Model is useful as a tool for understanding networks. However, it has a number of drawbacks.

      • OSI is very complex, with too many layers. Some of the layers are much more significant and important than others.
      • There are too many OSI standards documents and recommendations.
      • The model does not reflect the real world network structure. In many cases, actual network models span multiple layers and do not align with the boundaries of the OSI layers.
      • The OSI protocols were not widely implemented and the model does not map very well to the protocols in use today.

      A Comparison Between the OSI Model and the Internet Protocol Suite

      The Internet Protocol suite is an alternative to the OSI model. The IP suite has four layers.

      1. Application layer: This maps to the OSI application and presentation layers and much of the session layer.
      2. Transport Layer: This includes some parts of the OSI session layer as well as the transport layer. The TCP and UDP protocols are part of this layer.
      3. Internet Layer: This layer closely matches the OSI network layer definition and includes the IP protocol.
      4. Link Layer: This encompasses both the physical and data link layers of the OSI model.

      The IP suite is considered less prescriptive and more flexible, and better reflects actual usage. Protocols such as TCP/IP and the main routing protocols are derived from the IP suite. However, the IP suite is not as informative, conceptual, or comprehensive as the OSI model, and is not as widely-used as a teaching aid. To properly understand networking concepts, engineers should familiarize themselves with both models.

      Conclusion

      The OSI Model is a framework for understanding network communications. It breaks the network stack down into seven layers. The layers range from the low-level physical layer up to the application layer residing closest to a computer user. At the heart of the model are the mid-level network and transport layers. The network layer addresses and routes packets, while the transport layer establishes and maintains a connection with a far-end device.

      Although the OSI Model is a handy learning model, it is relatively abstract and does not always reflect real world behavior. The OSI-based protocols were never really implemented, and most commonly-used network protocols are more closely related to the IP suite. However, the OSI-model is integral to many networking methods, and many of the common networking tools still map to the different OSI layers.

      More Information

      You may wish to consult the following resources for additional information
      on this topic. While these are provided in the hope that they will be
      useful, please note that we cannot vouch for the accuracy or timeliness of
      externally hosted materials.



      Source link

      How to Use ssh-agent


      ssh-agent manages private keys for SSH connections, facilitating smoother SSH experiences and allowing you to use SSH sessions across programs. This guide aims to give you a full walkthrough of ssh-agent. The tutorial herein explains what ssh-agent is capable of and shows you how to use it.

      Before You Begin

      1. If you have not already done so, create a Linode account and Compute Instance. See our
        Getting Started with Linode and
        Creating a Compute Instance guides.

      2. Follow our
        Setting Up and Securing a Compute Instance guide to update your system. You may also wish to set the timezone, configure your hostname, create a limited user account, and harden SSH access.

      Note

      This guide is written for a non-root user. Commands that require elevated privileges are prefixed with sudo. If you’re not familiar with the sudo command, see the
      Users and Groups guide.

      What is ssh-agent?

      ssh-agent is a program by OpenSSH that stores private keys for SSH authentication. The agent can start up an authentication session using a key. It then provides that authentication across programs and windows on your system.

      In other words, ssh-agent provides a kind of single sign-on (SSO) service for your system. It allows you to authenticate an SSH connection once, then use that authentication across multiple programs.

      ssh-agent works by starting up a client when you initially authenticate an SSH connection. The agent then keeps that authentication in memory and acts as a client for any other programs that attempt to make additional SSH connections.

      What is ssh-agent Forwarding?

      The ssh-agent tool also has an agent forwarding feature. This allows an ssh-agent client to utilize authorization from a distant ssh-agent acting as an SSH server.

      The most common use case for this feature utilizes a locally stored key on a remote server. For instance, say there’s a remote machine you want to connect to through a bastion server using a key stored locally. Agent forwarding allows your local ssh-agent to share the authentication key with the bastion server’s ssh-agent. This gives the bastion server the ability to connect to the remote host.

      Continue reading to learn how to
      enable agent forwarding for your ssh-agent sessions.

      How to Use ssh-agent

      The next sections show you how to use ssh-agent on your Linux system. For the most basic use cases, the sections on starting ssh-agent and adding keys are all you need to get started.

      Follow the section on applying the ssh-agent for more details on the process and additional ssh-agent options. Finally, the section on enabling agent forwarding breaks down the steps and options for that feature.

      Starting Up ssh-agent

      Most Linux systems include ssh-agent by default, but you must enable it. The ssh-agent command outputs a series of commands which set the environmental variables needed by ssh-agent.

      1. Use the following command to execute the ssh-agent commands and enable ssh-agent for your current shell session:

        Note

        Adding that command as a line to your ~/.bashrc file automatically enables ssh-agent at system start up.

      2. Verify that ssh-agent is running by checking for the SSH_AUTH_SOCK environmental variable:

        /tmp/ssh-qmq8m7V80sRi/agent.42596

      Adding Keys to ssh-agent

      Before you can use ssh-agent, you need to add at least one key. The ssh-add command automatically adds all private keys stored within the ~/.ssh directory. That includes ~/.ssh/id_rsa, the default location for most SSH private keys:

      Identity added: /home/example-user/.ssh/id_rsa (example-user@localhost)

      Should you need to specify a particular key location, you can provide the path to the key as an argument to ssh-add. This example adds a key stored at ~/my_documents/ssh/example-user.private_key:

      ssh-add ~/my_documents/ssh/example-user.private_key

      You can subsequently get a list of all the keys currently added to ssh-agent using the -l option. This lists the identifiers for the keys that are set up for ssh-agent:

      3072 SHA256:<KEY_ID> example-user@localhost (RSA)

      Applying the ssh-agent

      Your ssh-agent is now fully operational. Connecting to a remote machine over SSH using one of the keys added to your ssh-agent starts an agent session. At that point, you can leverage ssh-agent for authentication across multiple programs.

      The start-up command provided above can be expanded with some options. These let you have more control over how ssh-agent operates. The following are some of the more useful of these options:

      • -a lets you specify a bind address for ssh-agent socket. This address corresponds to a location on your machine. By default, ssh-agent uses a somewhat random path following the format /tmp/ssh-<RANDOM_STRING>/agent.<PID>.

        Note

        ssh-agent restricts this location’s permissions to the current user. You should ensure similar permissions if you specify a custom bind address.

        Here is an example that binds the ssh-agent socket at ~/ssh-socket/ssh-agent:

        eval `ssh-agent -a ~/ssh-socket/ssh-agent`
      • -t lets you specify a number of seconds as the maximum lifetime of identities added to the agent. Otherwise, the agent keeps keys stored in memory as long as the agent is running.

        This example limits identity lifetime to 24 hours (86,400 seconds):

      • -k kills the currently running ssh-agent, using current environmental variables to identify the agent:

      To see a full list of available options, refer to the man page for ssh-agent, or see the die.net link at the end of this tutorial.

      Enabling ssh-agent Forwarding

      Agent forwarding lets your local ssh-agent pass keys to remote ssh-agents for authenticating further connections. This feature can be useful for certain use cases. For instance, connecting to a remote host through a bastion server, or connecting to a private GitHub repository on a remote machine.

      The agent forwarding feature can be activated once you have everything else set up for your local ssh-agent. The following steps walk you through the specifics. You have some options when it comes to configuring agent forwarding, which are also covered here.

      1. Follow the directions above on your local machine (where the keys are stored) to start up ssh-agent and add your private keys. You should not take these steps on the remote machines.

      2. Two options are available for enabling agent forwarding. These options differ in their balance of accessibility and security, so keep that in mind when deciding which to use.

        • The simplest method is to use the -A flag with the ssh command. This enables agent forwarding for a single SSH session. The process is simple to start with and offers security by limiting the forwarding to a single session.

          For example, to use agent forwarding for your SSH session to a user named example-user on a remote host at 192.0.2.1, you can use:

          ssh -A example-user@192.0.2.1
        • A more permanent solution is to adjust the configuration file for the ssh-agent. Specifically, you need to add a configuration with ForwardAgent yes for the destination machine.

          The ssh-agent configuration file should be located at ~/.ssh/config. You may need to create the file if it does not already exist.

          This example works for forwarding authentication to a remote machine at 192.0.2.1:

          File: ~/.ssh/config
          1
          2
          
          Host 192.0.2.1
            ForwardAgent yes

          Now SSH into the machine. Your SSH connection to the 192.0.2.1 address automatically triggers agent forwarding:

          ssh example-user@192.0.2.1

          You could use Host * to make the configuration universal, but doing so is not recommended. Any remote machine you SSH into would have access to your all of your agent’s keys for the duration of your connection. That leaves significant room for exploitation.

      3. At this point, you can utilize the agent forwarding on your remote machine — the server at 192.0.2.1 in the examples above. The agent forwarding process automatically runs the ssh-agent on the remote machine.

        Say, for example, you now want to connect to another machine, using the 192.0.2.1 server as a bastion. Simply open a second SSH connection to that machine — which, for this example, is at 192.0.2.2 using a user named example-user:

        ssh example-user@192.0.2.2

        Agent forwarding means that any keys from the original, local machine are now available on the remote machine (192.0.2.1). These keys can thus be used to connect to a further machine — 192.0.2.2 in this example.

      4. To better secure your agent, you can lock the agent before forwarding. To do so, use the command here. This prompts you to create a password, used to secure your ssh-agent:

        Agent locked.

        You can later unlock the agent using this next command. The command prompts you to reenter the password you created when locking the agent:

        Agent unlocked.

      Conclusion

      ssh-agent offers a strong tool for securely leveraging your private keys across multiple programs and windows. With agent forwarding you can extend that utility to further hosts. This allows you to manage keys locally, even for connections through bastion servers or private Git repositories accessed remotely.

      More Information

      You may wish to consult the following resources for additional information
      on this topic. While these are provided in the hope that they will be
      useful, please note that we cannot vouch for the accuracy or timeliness of
      externally hosted materials.



      Source link