Posts about anderbubble

God in your own image

You can safely assume you’ve created God in your own image when it turns out that God hates all the same people you do.

~ Anne Lamott quoting her “priest friend Tom” in Bird by Bird

an open letter to the TED team

Some time back I was talking with church leadership about possible opportunities for me to serve the church, including potential calling to leadership. At the time I insisted that theological differences between myself and the church disqualified me.

I still believe I have important theological differences with the church, even if only in my own questioning and theological formation; but I have felt a weight of consideration ever since, and I believe that the Spirit is provoking me to action. What that means I do not yet know, but I decided that, at the very least, I could formally put my name in for consideration by the church, and leave it to the church, rather than my own preemption, to disqualify me.

After applying I was asked to schedule a 30-minute conversation with the church's trustees, elders, and deacons (TED) team. As part of the conversation, I will be expected to share responses to the following questions:

Please share a brief statement (3-5 minutes) about your faith in Christ and how your personal relationship began and continues.

I have been raised in the church my entire life, my father a Christian Rock Band Jesus Hippie and my mother proselytized by him early in their relationship. I didn't appreciate the full impact of my upbringing until adulthood; but my father always had an earnest heart for God, and my mother a love for everyone around her. I grew up assuming these characteristics, and I am so thankful that they are encoded so deeply in who I am.

As a family we attended a Church of the Nazarene; but I also exclusively attended a small private school, kindergarten through high school, run by a fundamentalist Baptist church, followed by four years at a Nazarene university. Church has been embedded in virtually every aspect of my life for as long as I can remember; and more than that, a pervasively diverse church context means that I have always had to acknowledge and consider different, conflicting, and often opposing views of God and the scripture, even within Christianity.

This much pervasive access to church can make the experience of God somewhat mundane; so it wasn't until somewhere in my teens that I really felt God alive in my life. It's somewhat cliché, but I attended a weekend cursillo retreat run by local Methodist churches as part of The Upper Room ministries. I shouldn't have needed it--I had exactly the same kind of example at home already--but it was there that I first recognized the difference between assumptively "going to church" and living a life that is transformed by the Spirit and oriented toward God. I continued to work (and speak) at the retreat for years after, and my entire family attended successively afterward.

The next notable impact to my faith came as a result of my wife and I living for three and a half years in the Kingdom of Saudi Arabia. Though we were only there professionally, the facts of being a Christian in the nation of Islam cannot be avoided--and why should they? There our understanding of God and Christ was deepened through comparison and contrast with the people around us. We met several strong Christians, largely among the students, and gathered to worship in our homes (eventually our home specifically) every week.

We have worshiped almost exclusively at Presbyterian churches since returning to the States, first at Redeemer Presbyterian in New York and now at First Pres in Boulder, an extension of our existing desire to challenge our own theological background and assumptions through comparison and contrast.

What is currently going on in your life spiritually? What is God teaching you? What growth are you experiencing?

Frankly, this is something going on in my life spiritually: I am trying to be ever more open to the leading of the Spirit, particularly where I habitually resist Him. For example: when we were first asked to open our home to our church in Saudi Arabia, I literally said, "OK; as long as I'm not expected to lead." Of course, it was scarcely a year later that I was preparing scripture readings, selecting songs for us to sing together, and distributing communion, after our previous leaders graduated from their respective academic programs and returned home.

I love theology, and I try to not let my esoteric interests get in the way of ministry and community. Most recently I have been reading the work of David Bentley Hart. I finished his defense of universal salvation "That All Shall Be Saved" and found it a profound challenge to what might be the last vestiges of my fundamentalist assumptions about hell; but I am currently re-reading the New Testament with his defense in mind to better discern my assumptions about scripture from my actual reading of it. After and during that I am also reading his defense of theism: "The Experience of God."

More personally, the Spirit is convicting me regarding how I respond to disagreement in my marriage. I say this here only because my comments so far have been largely academic, and I don't want to imply that the Spirit doesn't affect me more intimately as well; but, while I'm open to discussing such things, I tend to wait for them to be asked explicitly as well.

How did you come to be a part of First Pres? What experiences have you had as a part of our church family? What excites you about the future?

We came to Boulder largely chasing my wife's family (in Greeley) and the church family that we had had in Saudi: themselves largely from the Boulder area. When we surveyed the churches in the area we found mostly a certain type of closed conservatism, a certain type of loose liberalism, or a certain type of seeker congregation: none of these seemed to fulfill our expectations to be challenged toward growth in the faith. But we found First Pres, supported by our previous experiences at Redeemer, and encouraged by what we heard in sermon recordings online. We attended and, in our first services we encountered academic theology (led by Carl); passionate tradition (bagpipes); and earnest community (in coffee with Erik).

We showed up to Family Small Groups without prior arrangement; and, though there was no group for us to join on the spot, our children were cared for and we were told to enjoy the evening together.

At First Pres I feel at home, in a way that I have not felt since I left my childhood church.

How do you seek to discern God's will for you personally? How might you discern God's will in a group setting?

I seek God's will for me personally through prayer and study; but I cannot ignore the transforming work of the Spirit in my life as well. I can scarcely believe my life, and I am excited by the prospect of even deeper relationship with God.

In a group setting, if my self-assessment is accurate, I have a tendency and aptitude for listening to all perspectives and helping to bring parties to at least a common understanding. I consider what is said long after a group meeting, and often follow-up off-cycle to ask questions or assert possibilities. I pray, but more generally I believe that I feel the Spirit leading throughout the day, and I hope that I would be able to discern that leading in a more formal group as well.

Perhaps more technically, I argue. And I hope that that is not understood as argumentative; but I try what I believe to be Truth by presenting it for scrutiny. I am strong in my beliefs, but I am also quick to abandon my own misunderstandings. When I argue, I argue from scripture and (where it is a help and not a distraction) well-established shared belief.


I was also pointed to the Essential Tenets of ECO [1]; and it is here that I am afraid I will have the most trouble. As above, I don't intend to be argumentative; but I also do not want to conceal anything, so I will do my best to enumerate my concerns here.

I want to be clear: I do not begrudge ECO or First Pres these essential tenets. I recognize the importance of common doctrine, and I value the diversity of Christianity as expressed in the diversity among congregations: that diversity does not necessarily need to be expressed within each congregation. Still, First Pres is my home; and if I am to serve here, I have to be honest about what I believe as well.

Regarding "God’s Word: The Authority for Our Confession"

I have serious concerns regarding the common definition of the Word of God. Even today, Carl preached in his sermon that God's word is incarnate, proclaimed, and written; but the essential tenets omit acknowledgement of God's word as proclaimed altogether.

I further fear, and have for many years, that the veneration of the so-called "written Word of God" is a form of idolatry: the Bible serves as an image of God's Word, and its worship (in everything but name) is troubling to me. More strictly, I consider the scripture a testament to the Word of God, not the Word itself (as opposed to Christ, the Word Incarnate.)

I do acknowledge, as Paul taught Timothy, that "All Scripture is breathed out by God and profitable for teaching, for reproof, for correction, and for training in righteousness, that the man of God may be complete, equipped for every good work." But I'll still point out that Paul certainly was not talking about the gospels, the revelation, or much less the epistles (particularly that he was contemporaneously writing), but "the sacred writings" that Timothy had been acquainted with "from childhood." This is not to say that the Christian scriptures are not themselves "Breathed out by God," and I have faith in the work of the Spirit in preserving the Scripture through church tradition and study; but I believe the true nature of the scripture is more complex than is often exhorted in such essential tenets, and the true nature of the Word of God more complex still.

We confess that God alone is Lord of the conscience, but this freedom is for the purpose of allowing us to be subject always and primarily to God’s Word.

We are happy to confess ourselves captive to the Word of God

Perhaps there is some scriptural basis for this imagery that I am missing; but without it I am troubled by this imagery. Life in Christ is denotatively freedom; we are not captives, but heirs, ransomed from sin and death. I do not deny that "the Spirit will never prompt our conscience to conclusions that are at odds with the Scriptures that He has inspired"--perhaps this is an unnecessary complaint; but the heart with which we approach the Word matters to me, and I find it important to recognize that the Spirit changes our desires to be those of God; we are not captive to the Word, but freed by it.

Regarding "secondary authority"

[W]e affirm the secondary authority of the following ECO Confessional Standards as faithful expositions of the Word of God: Nicene Creed, Apostles’ Creed, Heidelberg Catechism, Westminster Confession, Westminster Shorter Catechism, Westminster Larger Catechism and the Theological Declaration of Barmen.

I don't know how I missed this before; but this greatly expands the scope of the so-called "essential" tenets. I have studied some of these; but certainly not all, and I would be loath to assumptively confirm their authority in my theology, or my adherence to them, without further study (and given the differences raised by the primarily-stated essential tenets, I can only expect there would be further differences in a greater body of confessions).

Regarding "Trinity and Incarnation: The Two Central Christian Mysteries"

I have strong, fundamental concerns regarding the doctrine of the Trinity.

But first let me be clear: I believe in God, non-contingent, transcendent, Father and creator of all. I believe that Jesus, the Christ, is the incarnate Word of God, one with the Father, in the Father and in whom the Father is. I believe in the Holy Spirit, the paraclete, the helper and advocate, who comes in the name of Christ and is sent by the Father, the Spirit of Christ and, thus, the Father.

But there is a great deal of distance between that and bold claims about God as having a fundamentally "trinitarian" nature. This is not quite idolatry; but it is seeking to define God by our experience of him, where he is more accurately transcendent. God has revealed himself frequently through social terms, but it is eisegesis to read this as emphatically trinitarian. God did not direct Israel, for example, to worship "God the Creator; God the Fire of the Bush; and God the Pillar of Cloud"; but God. And if God did not direct worship to a plurality, but a unity God, then we should not break from that direction.

And what of the Word of God? Surely the Word of God is God, as John proclaimed. But if Christ is one part of a trinity God, then surely the Word is a person of God, existing before "the Word became flesh and dwelt among us." So perhaps the trinity is more accurately "the Father, the Word, and the Spirit"?

But I am particularly troubled by extra-Biblical habits I have observed recently of praying to individual "members of the trinity"; we are to pray to God, the Father, as Christ did and directed us to.

affirmed by all Christians everywhere

This is simply not true: there have been many Christians that have had different interpretations and understandings of the being of Christ. I may not agree with them, but to ignore them is distracting and disingenuous.

like us in having both a human soul and a human body

This anthropology isn't Biblical, so far as I can tell. Maybe it is technically true to say that Christ had a human soul; but this statement does not mean what a western mind will infer from it. God did not make a human body and then put a human soul into it; man became a living soul when God breathed into it. As such, to say that Christ is "like us in every way but sin" but then say that he has a "human soul" is both nonsensical and contradictory.

Regarding "God’s grace in Christ"

Our desires are no longer trustworthy guides to goodness, and what seems natural to us no longer corresponds to God’s design.

I hope that these tenets do not mean to indicate that we who are alive in the Spirit are unable to discern good. "We have received [...] the Spirit who is from God, that we might understand the things freely given us by God. And we impart this in words not taught by human wisdom but taught by the Spirit, interpreting spiritual truths to those who are spiritual." It is the promise of life in the Spirit that our hearts are turned towards the things of God; that our desires are made trustworthy, being those of the Spirit.

Jesus takes our place both in bearing the weight of condemnation against our sin on the cross

I require further study here; but I believe this to be incorrect theology. Christ did not "bear the weight of [presumably God's] condemnation against our sin"; instead, his death paid the ransom to free us from our slavery to death.

Regarding "Election for salvation and service"

I am thankful that ECO does not, at least here, go so far as to proclaim limited atonement an essential tenet. (Perhaps it does implicitly by extension through one of the "secondary" authorities.) But I must say that the language of atonement does not appear, to me, to be concerned with eternal salvation or the church in general, but of specifically the work of the Spirit in Israel in the church age. "Israel failed to obtain what it was seeking. The elect obtained it, but the rest were hardened." But later "a partial hardening has come upon Israel, until the fullness of the Gentiles has come in. And in this way all Israel will be saved."

"just as you were at one time disobedient to God but now have received mercy because of their disobedience, so they too have now been disobedient in order that by the mercy shown to you they also may now receive mercy. For God has consigned all to disobedience, that he may have mercy on all."

Therefore I hold that, at the very least, the concept of election as expressed by Paul does not reflect eternal salvation, or its absence; but the work of God in the lives of some for the age towards an ultimately redemptive purpose for all.

One last thing: Paul explicitly doesn't use the word "elect" to refer to Gentiles; only Israel.

Regarding "Living in obedience to the Word of God"

I note here only to claim this commandment as expressed:

pursue truth, even when such pursuit is costly, and defend truth when it is challenged, recognizing that truth is in order to goodness and that its preservation matters;

[1] ECO Constitution (Polity and Essential Tenets)

on the defiance of expectations in Epic Mickey

I love it when a game defies my expectations sufficiently to make me uncomfortable. If a game can make me feel discomfort, there's something worth considering there--something that merits deeper understanding. There are things that a game can say about the player that couldn't be said in any other medium, and sometimes the message is all the more effective when I'm caught vulnerably by my own assumptions.

My first experience with this kind of discomfort came during my first playthrough of Mass Effect 2. Near the end of the game Shepard--the protagonist and player character--has accumulated a band of compatriots toward a final mission to stop the Reapers; but just before that final mission, the ship's crew is abducted by the Collectors.

Mass Effect is a role-playing game, and understanding genre tropes is an important aspect of interpreting a work and its impact. Many fantasy role-playing games have a similar plot point: the hero has completed his preparations. He is near the end of his journey. The stakes have never been higher, and the situation is urgent: Meteor is about to crash into Midgar; Ganon is about to destroy Hyrule; or, as is the case in Mass Effect 2, the Reapers are preparing to consume all life in the galaxy.

But role-playing games have another trope: the side quest. These are typically available throughout the game; but the moment before the final climactic mission is the last chance in most RPGs to finish up any side-quests that have been left undone. In Mass Effect 2, side quests take the form of "loyalty missions"--character-specific missions that provide additional backstory and inter-personal context for the members of your cohort. Completing these missions also improves an invisible but important loyalty stat which affects how team members respond to Shepard.

I'm a bit of a completionist, so I took this opportunity before the final mission to complete all of these loyalty missions. I did this all while I poked fun at the video game tropes on display: the big bad, poised and ready to attack; we, the player character, traipsing about the galaxy on unrelated menial missions. After all: Meteor won't crash into Midgar until the plot is ready for it; Ganon never will destroy Hyrule; and the Collectors will wait around until Shepard is good and ready to face them.

But that's not what happens. When I finally did embark on the final mission to stop the Collectors and rescue the crew, we found only Dr. Chakwas alive.

They're gone. All of them. I'm the only one left.

I watched them die. They were... processed--rendered down into some kind of raw genetic paste and pumped through these tubes.

What took you so long, Shepard? You could have saved them if you'd gotten here sooner!

Dr. Chakwas' words are true. While I was taking my time maximizing a gamified loyalty stat, the game was monitoring my activities after the abduction of the crew. Leave immediately, and you may save them all; but the longer you wait, the more of them die.

With this, the game defies trope, and punishes the player for approaching the work as a simple genre piece. In reality, Shepard would never meander about, but would prioritize the mission and the retrieval of the crew. But it's just a game, right?

But it is the fact that it is a game that enables this experience. A character in a book won't die because you waited a week to read the last chapter; but in my Mass Effect, we lost the entire crew: named characters with backstories and interactions that had developed throughout the game. And the consequences don't end there, either: Mass Effect is a three-part series, and the death of these characters carries on even into the next game.

Mass Effect 2 expects you to care about its characters; and, if you don't--if you just play it like a video game, expecting it to behave like other video games--it punishes you for it by taking those characters away.

But even then, I never would have expected to feel this same defiance of expectation from Epic Mickey.

Small Pete

Epic Mickey could hardly be more different from Mass Effect. It's a third-person platforming character action game with light adventure elements. It's a children's game, contrasted with media hysteria regarding Mass Effect's "mature" content. More immediately, Mass Effect is a good game; and I definitely wasn't enjoying Epic Mickey.

But I have kids, and those kids were excited about Mickey, so I was playing through it as a social activity with them. I really wasn't taking it seriously: jump on the platforms; paint the environment with the magic paintbrush; mash "A" when characters talk to you; make "progress."

Not too far into the game, I ran into a character called "Small Pete," a rendition of a classic Disney character, "Pete," who often serves as the antagonist of a Mickey Mouse story.

I spent years gettin' along with gremlins. Only had to knock 'em around on occasion. Then, the ONE TIME I crash my boat into their village, they seem to think I'm some kinda villain.

Not that I give two hoots what they think, but it WAS an accident. And my ship's log will prove it.

Those little monsters won't let me near the wreck to get it, though. Hmm... I'll bet they'd let you.

I was immediately suspicious of Small Pete's story (assuming I paid it any mind at all, beyond just mashing "A"); but we got a quest objective and moved on.

I continued jumping between platforms, tagging the environment, and mashing "A," until we met Gremlin Shaky.

Gremlin Shaky offers to trade a pin for Pete's ship's log

I smell treasure! You found it!

How's about you trade me that ship's log for a flashy new pin?

I still wasn't paying attention. Why would I? The platforming was mediocre. The characters were either flat or carbon-copies of each other. Each gremlin looks the same as all the others. So I interpreted this interaction with the same level of attention that I would pay to most collect-a-thon games:

"Oh, right. The ship's log. I guess I picked it up along the way. Pete wanted us to get that for him, right? What was that for, again? This must be the guy I'm supposed to give it to. And when I do I'll get a pin as a reward, eh? Ok, I guess it's a collectible, so I guess I'll do it."

Thank you very much. This will make excellent reading. Here's your pin.

But that wasn't all there was to it. Immediately after finishing the interaction I received a "quest failed" notification.

Quest Failed, find Small Pete's Ship's log

I kept playing, just accepting that I had failed the quest, and probably missed out on some minimal benefit. But something about the interaction bothered me. Small Pete seemed to be a character teetering on the edge of villainy. He was willing to "knock 'em around on occasion"; but he seemed genuinely (if covertly) concerned with clearing his name. He wasn't a villain yet. He was a bully.

So you left my ship's log with those grubby gremlins, eh? Well, here's a little taste of what happens to those who cross me!

I had betrayed Small Pete. I hadn't done it out of malice. Worse: I had paid him no mind. He asked for help, and I ignored him. Eventually, I traded his name for a collectible pin I didn't even care about. In a literal sense, I had turned him into a villain: Small Pete had become a video-game boss, generating a combat encounter to punctuate the chapter.

I found myself considering what it would take to correct this mistaken path through the game's narrative. I had overwritten my save several times since I had given Pete's ship's log to Gremlin Shaky. I would have to start the game over from the beginning.

The very fact that I was considering it made me uncomfortable. I did not enjoy playing this game. But, for the sake of a fictional character as absurd as Small Pete, I was considering sacrificing some portion of my time in pursuit of his redemption.

I tell my kids that it's part of a parent's job to give them consequences that they can learn from and grow through, while protecting them from consequences that they can't recover from, if only for a time. In a small, but very real, way, Epic Mickey was that for me. I ignored a call for help. I was careless. A character was treated unjustly, and that injustice led him to embrace his own darker tendencies.

I never did go back and do right by Small Pete. In fact, I don't think I played the game again after that. I'm sure we were called down for dinner, and then distracted by another game I enjoyed playing more. But I still think about Small Pete, about the time I didn't pay enough attention, and about the consequences that might develop when I allow myself to become just a little bit more callous to the world around me.

A prayer from MLK day

Chris Hill, a member of our church, shared this prayer in the context of the then-upcoming presidential inauguration and Martin Luther King, Jr. Day.

In a time of self-described conservatism vs liberalism, I found it remarkably neither, but only Christian.

Father we approach you today with many gratitudes, thoughts and requests. As a community we first empty our hands of those things that do not belong to us. We lay down our worldly possessions, those things that you have loaned us. We lay down our worldly successes and failures, which do not define us. And we lay down the pride that so easily devours us and those we live around. We bring before you our weakness, and thank you for it. We understand that without it, we would not see our desperation for you.

Behold us, Father, as we Behold you. See us. Understand us. Know our Human hearts. Together, today, we want to bring before you two events that we will undoubtedly carry with us this week. We bring these before you in faith that you are worth approaching and worth glorifying. We also bring these before you recognizing that only you are Good.

As Barack Obama and his family leave the presidency, we thank you for the ways you have worked during the 8 years he has served our country. Would you bless his family as they adjust to life outside of the White House. And as Donald Trump and his family transition into the presidency, we pray with hope and expectation that you would use them to strengthen the Kingdom of Heaven. Give us the strength to bear with one another in love and patience.

As we remember the life and work of Martin Luther King Jr. would you have mercy on us. Will you call us out of our complacency as middle to upper class white America to gaze across the scene and remember what’s painfully obvious and self-evident. That the person we see with a different skin color than our own is, in fact, a person. An image bearer. A jar of clay containing my blood, and your Holy Spirit. Today Father, we remember that much of what happened during the Civil Rights movement was guided and fueled by your Spirit. Thank you for gifting us a man who was able to give an ear to you and an ear to the people while persevering through an agony and persecution that few of us in this room understand. Thank you for the lives of our brothers and sisters who have fought to level our view of humanity. But if we are going to acknowledge what has been done Father, we will also acknowledge the work that still needs to be done. Would you equip those of us who are not white with hope, strength, and perseverance. Would you equip those of us who are white with ears to hear and eyes to see your children.

We believe that you, Holy Spirit, are the only one who can bring reconciliation between us and our neighbor. So we lean into you, ready to be led. Jesus, you are all and you are in all. We ask these things in your perfect name. Amen.

Best possible experience reading Silence

I read Shūsaku Endō's Silence as part of a book club with my pastor and a few other members of our church. The book was scheduled coming out of the holiday season so that if we didn't have time or motivation to read we could at least all watch the new film together and discuss the story.

I hadn't managed to finish the book by the time I reached the theatre. When I left Rodrigues (on the page) he was being brought before the authorities for interrogation and defending the purpose of the church in Japan.

When we passed that moment in the film, I appreciated the fresh perspective of watching the story play out on screen, but I realized that I had actually managed to remain unspoiled on the remaining plot. When Rodrigues was climactically confronted with the decision to trample on the fumi-e or allow others to suffer, I was overwhelmed by the cumulative anticipation of not one but two readings: I've never before experienced so palpable a moment of, "I have no idea what is about to happen."

I've wrestled for years with the question of whether it would be sin to accept damnation--defined here as separation from God--for the sake of another's salvation. Self-sacrifice is good; but might such a sacrifice be construed an elevation of man over God?

Through Silence I've concluded that such a sacrifice is good, but that its consequence is inherent: damnation. In fact, in Christian theology, this is the sacrifice Christ made for us, and only Christ could both endure all of our damnation and still remain blameless.

And still, salvation through Christ is sufficient even for those who would deny him for the sake of others. It's obvious when you consider the apostle Peter, who famously denied association with Christ three times; but I hadn't before seen this portrayed so vividly, and the story of Peter is perhaps too familiar to be so impactful. It's easy to vilify Kichijiro when he repeatedly betrays the Kirishitans, and to become dismissive as Rodrigues when the acts of confession and atonement becomes rote and seemingly meaningless; but Rodrigues and Kichijiro both demonstrate what Peter did in the Passion: that Christ offers forgiveness and reconciliation even to those who betray him.

After more consideration, though, I fear that the Silence that has affected me so deeply exists only in my own heart and mind. The book, perhaps more than the film, might actually be more concerned with a technical definition of apostasy and Rodrigues' prideful self-image as a Christ figure than it is with deeper questions of the nature of salvation. He's a bit like Job, in a way: so assured of his blamelessness and rite of martyrdom that he can't see how he himself falls short of the perfection he aspires to.

But I still can't stop thinking about Silence, and I'm struck more than ever by the potential discontinuity between the story the author wrote and the story in my mind.

I can't imagine what Silence must mean to a Japanese Buddhist. From my western Christian perspective the story is familiar enough, and I implicitly understand the context and motivation of Rodrigues and his fellow Jesuits. But what I read was an English translation from original Japanese, ostensibly intended for a Japanese audience, and that presumably non-Christian. How could a Japanese person, with no experience with the church or Christ, possibly react to any of this?

The SSH agent

This is one part in a series on OpenSSH client configuration. Also read Elegant OpenSSH Configuration and Secure OpenSSH Defaults.

As part of another SSH client article we may have generated a new ssh key for use in ssh public-key authentication.

$ ssh-keygen -t rsa -b 4096 # if you don't already have a key

SSH public-key authentication has intrinsic benefits; but many see it as a mechanism for non-interactive login: you don’t have to remember, or type, a password.

That convenience depends, however, on a private key that is stored unencrypted on disk. This is a security risk: anyone who obtains a copy of the file, whether through accidental mishandling (a stray backup, a copied home directory) or an intrusion into the client system, can authenticate as you. In almost all cases, ssh private keys should be encrypted with a passphrase.

$ ssh-keygen -t rsa -b 4096 -f test
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:

If you already have a key that is not passphrase-protected, use the -p argument to ssh-keygen to add one.

$ ssh-keygen -p -f ~/.ssh/id_rsa

Now the private key is protected by a passphrase, which you’ll be prompted for each time you use it. This is better than a password, because the passphrase never leaves your workstation: it only unlocks the key file locally, and the server sees a signature rather than a secret. But we’ve lost the ability to authenticate without having to type anything.

ssh-agent

OpenSSH provides a dedicated agent process for the sole purpose of handling decrypted ssh private keys in-memory. Most Unix and Linux desktop operating systems (including OS X) start and maintain a per-user SSH agent process automatically.

$ pgrep -lfu $USER ssh-agent
815 /usr/bin/ssh-agent -l

Using the ssh-add command, you can decrypt your ssh private key by entering your passphrase once, adding the decrypted key to the running agent.

$ ssh-add ~/.ssh/id_rsa # the path to the private key may be omitted for default paths
Enter passphrase for /Users/user1234/.ssh/id_rsa:
Identity added: /Users/user1234/.ssh/id_rsa (/Users/user1234/.ssh/id_rsa)

The decrypted private key remains resident in the ssh-agent process.

$ ssh-add -L
ssh-rsa [redacted] /Users/user1234/.ssh/id_rsa

This is better than a non-encrypted on-disk private key for two reasons. First, the decrypted private key exists only in memory, not on disk. This makes it more difficult to mishandle, and it cannot be recovered without re-entering the passphrase once the workstation is powered off. Second, client applications (like OpenSSH itself) no longer require direct access to the private key, encrypted or otherwise, nor must you provide your (secret) key passphrase to client applications: the agent mediates all use of the key, producing signatures on their behalf without ever handing the key itself out.

The OpenSSH client uses the agent identified by the SSH_AUTH_SOCK environment variable; but you generally don’t have to worry about it: your workstation environment should configure it for you.

$ echo $SSH_AUTH_SOCK
/private/tmp/com.apple.launchd.L311i5Nw5J/Listeners

At this point, there’s nothing more to do. With your ssh key added to the agent process, you’re back to not needing to type in a password (or passphrase), but without the risk of a non-encrypted private key stored permanently on disk. One caveat: while the key is loaded, any process that can open the agent socket can sign with it, on your workstation and, if you enable agent forwarding, on any remote host you forward it to. If that is a concern, bound the exposure with a lifetime (ssh-add -t 8h) or require confirmation for each use (ssh-add -c), and unload everything with ssh-add -D when you are done.
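The advice above only helps if none of your keys are still sitting on disk unencrypted. The following script is an added example for this article, not part of OpenSSH, and it checks exactly that: it reads the cipher name recorded in each private key file (the modern openssh-key-v1 format stores it as the first string after a 15-byte magic; the legacy PEM format announces it in a DEK-Info header) and lists the keys whose cipher is "none". It assumes a POSIX shell with awk, od and a coreutils-style base64 -d; the directory defaults to ~/.ssh.

```shell
#!/bin/sh
# Report which private keys under a directory are NOT passphrase-protected.
# Added example, not OpenSSH code; assumes POSIX sh, awk, od and `base64 -d`.

# key_cipher FILE: print the cipher recorded in an OpenSSH private key file.
# "none" means the key is stored unencrypted.
key_cipher() {
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1"; then
        # openssh-key-v1 format: 15-byte magic ("openssh-key-v1\0"), then a
        # big-endian uint32 length and the cipher name (e.g. "none", "aes256-ctr").
        sed '/^-----/d' "$1" | tr -d '\n' | base64 -d 2>/dev/null |
            od -A n -v -t u1 | awk '
                { for (i = 1; i <= NF; i++) b[n++] = $i + 0 }
                END {
                    len = b[15] * 16777216 + b[16] * 65536 + b[17] * 256 + b[18]
                    s = ""
                    for (i = 19; i < 19 + len; i++) s = s sprintf("%c", b[i])
                    print s
                }'
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        # Legacy PEM format: the cipher is named in the DEK-Info header.
        sed -n 's/^DEK-Info: *\([^,]*\),.*/\1/p' "$1"
    else
        echo none
    fi
}

# unencrypted_keys DIR: list the private keys in DIR stored without a passphrase.
unencrypted_keys() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -q 'PRIVATE KEY-----' "$f" 2>/dev/null || continue
        if [ "$(key_cipher "$f")" = none ]; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

unencrypted_keys "${1:-$HOME/.ssh}"
```

Any key the script lists should get a passphrase with ssh-keygen -p. A quicker one-off check for a single file is ssh-keygen -y -P '' -f KEY: if that prints a public key, the private key was not encrypted.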

Secure OpenSSH defaults

This is one part in a series on OpenSSH client configuration. Also read Elegant OpenSSH configuration and The SSH agent.

It’s good practice to harden our ssh client with some secure “defaults”. Starting your configuration file with the following directives will apply the directives to all (*) hosts.

(These are listed as multiple Host * stanzas, but they can be combined into a single stanza in your actual configuration file.)

If you prefer, follow along with an example of a complete ~/.ssh/config file: link://listing/secure-openssh-defaults/ssh_config

Require secure algorithms

OpenSSH supports many encryption and authentication algorithms, but some of them are known to be vulnerable to cryptographic attack. The Mozilla project publishes a list of recommended algorithms that excludes those known to be insecure.

Host *
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1

(More information on the available encryption and authentication algorithms, and how a recommended set is derived, is available in this fantastic blog post, “Secure secure shell.”) Two caveats about the list above: diffie-hellman-group-exchange-sha1 is kept only as a last-resort fallback and can be dropped once every server you use supports the SHA-256 variant; and the ssh-rsa host key type signs with SHA-1, which OpenSSH 8.8 and later disable by default in favour of the rsa-sha2-256 and rsa-sha2-512 signature types, so expect to revisit the HostKeyAlgorithms line when you upgrade.

Hash your known_hosts file

Every time you connect to an SSH server, your client caches a copy of the remote server’s host key in a ~/.ssh/known_hosts file. If your workstation is ever compromised, an unhashed file hands the attacker a ready-made inventory of hosts to try with your stolen credentials. Hashing the host names means the file still verifies host keys but no longer reads as a list (an attacker can still test guesses against the hashes, and your shell history and ~/.ssh/config may reveal the same names, so treat this as defence in depth rather than a secret). Be a good citizen and hash your known hosts file.

Host *
HashKnownHosts yes

(Hash any existing entries in your ~/.ssh/known_hosts file by running ssh-keygen -H. Don’t forget to remove the backup ~/.ssh/known_hosts.old.)

$ ssh-keygen -H
$ rm -i ~/.ssh/known_hosts.old

No roaming

Finally, disable the experimental “roaming” feature to mitigate exposure to a pair of vulnerabilities, CVE-2016-0777 and CVE-2016-0778, in the OpenSSH client versions that shipped it (5.4 through 7.1). Roaming was removed from the client in OpenSSH 7.2, so the directive only matters on older clients; newer versions no longer implement it.

Host *
UseRoaming no

Dealing with insecure servers

Some servers are old enough that they may not support the newer, more secure algorithms listed. In the RC environment, for example, the login and other Internet-accessible systems provide relatively modern ssh algorithms; but the hosts in the rc.int.colorado.edu domain may not.

To support connection to older hosts while requiring newer algorithms by default, override these settings earlier in the configuration file: ssh_config uses the first value it finds for each option, so a host-specific Match stanza must precede the Host * stanza to take effect. Keep such overrides scoped as narrowly as possible, so that the weak algorithms are only offered to the hosts that actually need them.

# Internal RC hosts are running an old version of OpenSSH
Match host=*.rc.int.colorado.edu
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96
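Because overrides like the one above are easy to leave behind after the old hosts are gone, it is worth auditing the configuration now and then. The script below is an added example for this article (not part of OpenSSH): it scans an ssh_config for Ciphers, MACs, KexAlgorithms and HostKeyAlgorithms values that include SHA-1, MD5 or RIPEMD MACs, CBC-mode ciphers, RC4/arcfour, 3DES, 1024-bit group1 DH, 64-bit UMAC tags, or the SHA-1-signed ssh-rsa and ssh-dss host key types, and prints each hit with the Host or Match stanza it belongs to. It assumes a POSIX shell and awk, and the whitespace-separated "Option value" form used in this article; the optional effective_algs helper needs an OpenSSH client that supports ssh -G (6.8 and later).

```shell
#!/bin/sh
# Flag weak algorithms in an ssh_config. Added example for this article,
# not OpenSSH code; assumes POSIX sh and awk.

# audit_config [FILE]: scan FILE (or stdin) and print one line per weak
# algorithm, tagged with the Host/Match stanza that contains it.
audit_config() {
    awk '
        BEGIN { section = "(global)" }
        tolower($1) == "host" || tolower($1) == "match" {
            sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); section = $0; next
        }
        tolower($1) ~ /^(ciphers|macs|kexalgorithms|hostkeyalgorithms)$/ {
            n = split($2, algs, ",")
            for (i = 1; i <= n; i++)
                if (tolower(algs[i]) ~ /sha1|md5|ripemd|cbc|arcfour|rc4|3des|group1-|umac-64|^ssh-rsa(-cert-v01@openssh.com)?$|^ssh-dss$/)
                    printf "%s: %s includes %s\n", section, $1, algs[i]
        }' "${1:--}"
}

# effective_algs HOST OPTION: the list ssh will actually offer to HOST for
# OPTION (lower-case, e.g. "macs"), taken from `ssh -G`, which resolves the
# configuration without opening a connection.
effective_algs() {
    ssh -G "$1" | awk -v key="$2" '$1 == key { print $2 }'
}

cfg="${1:-$HOME/.ssh/config}"
if [ -r "$cfg" ]; then
    audit_config "$cfg"
fi
```

Run it against the configuration from this article and the only hits should come from the Match stanza for the internal hosts (plus the fallback diffie-hellman-group-exchange-sha1 and ssh-rsa entries in the Host * stanza); effective_algs some.host macs then shows which list a given host actually gets.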

Elegant OpenSSH configuration

This is one part in a series on OpenSSH client configuration. Also read Secure OpenSSH defaults and The SSH agent.

The OpenSSH client is very robust, very flexible, and very configurable. Many times I see people struggling to remember server-specific ssh flags or arcane, manual multi-hop procedures. I even see entire scripts written to automate the process.

But the vast majority of what you might want ssh to do can be abstracted away with some configuration in your ~/.ssh/config file.

All (or, at least, most) of these configuration directives are fully documented in the ssh_config manpage: http://man.openbsd.org/ssh_config

If you prefer, follow along with an example of a complete ~/.ssh/config file: link://listing/elegant-openssh-configuration/ssh_config

HostName

One of the first annoyances people have–and one of the first things people try to fix–when using a command-line ssh client is having to type in long hostnames. For example, the Research Computing login service is available at login.rc.colorado.edu.

$ ssh login.rc.colorado.edu

This particular name isn’t too bad; but coupled with usernames and especially when used as part of an scp, these fully-qualified domain names can become cumbersome.

$ scp -r /path/to/src/ user1234@login.rc.colorado.edu:dest/

OpenSSH supports host aliases through pattern-matching in Host directives.

Host login*.rc
HostName %h.colorado.edu

Host *.rc
HostName %h.int.colorado.edu

In this example, %h is substituted with the name specified on the command-line. With a configuration like this in place, connections to login.rc are directed to the full name login.rc.colorado.edu.

$ scp -r /path/to/src/ user1234@login.rc:dest/

Failing that, other references to hosts with a .rc suffix are directed to the internal Research Computing domain. (We’ll use these later.)

(The .rc domain segment could be moved from the Host pattern to the HostName value; but leaving it in the alias helps to distinguish the Research Computing login nodes from other login nodes that you may have access to. You can use arbitrary aliases in the Host directive, too; but then the %h substitution isn’t useful: you have to enumerate each targeted host.)

User

Unless you happen to use the same username on your local workstation as you have on the remote server, you likely specify a username using either the @ syntax or the -l argument to the ssh command.

$ ssh user1234@login.rc

As with specifying a fully-qualified domain name, tracking and specifying a different username for each remote host can become burdensome, especially during an scp operation. Record the correct username in your ~/.ssh/config file instead.

Match host=*.rc.colorado.edu,*.rc.int.colorado.edu
User user1234

Now all connections to Research Computing hosts use the specified username by default, without it having to be specified on the command-line.

$ scp -r /path/to/src/ login.rc:dest/

Note that we’re using a Match directive here, rather than a Host directive. The host= argument to Match matches against the derived hostname, so it reflects the real hostname as determined using the previous Host directives. (Make sure the correct HostName is established earlier in the configuration, though.)

ControlMaster

Even if the actual command is simple to type, authenticating to the host may require manual intervention. The Research Computing login nodes, for example, require two-factor authentication using a password or PIN coupled with a one-time VASCO password or Duo credential. If you want to open multiple connections–or, again, copy files using scp–having to authenticate with multiple factors quickly becomes tedious. (Even having to type in a password at all may be unnecessary; but we’ll assume, as is the case with the Research Computing login example, that you can’t use public-key authentication.)

OpenSSH supports sharing a single network connection for multiple ssh sessions.

Match host=login.rc.colorado.edu
ControlMaster auto
ControlPath ~/.ssh/.socket_%h_%p_%r
ControlPersist 4h

With ControlMaster and ControlPath defined, the first ssh connection authenticates and establishes a session normally; but future connections join the active connection, bypassing the need to re-authenticate. The optional ControlPersist option causes this connection to remain active for a period of time even after the last session has been closed. Keep the control socket in a directory that only you can write to (~/.ssh is fine): anyone who can connect to the socket gets a session on the remote host without authenticating, for as long as ControlPersist keeps the master alive.

$ ssh login.rc
user1234@login.rc.colorado.edu's password:
[user1234@login01 ~]$ logout

$ ssh login.rc
[user1234@login01 ~]$

(Note that many arguments to the ssh command are effectively ignored after the initial connection is established. Notably, if X11 was not forwarded with -X or -Y during the first session, you cannot use the shared connection to forward X11 in a later session. In this case, use the -S none argument to ssh to ignore the existing connection and explicitly establish a new connection.)

ProxyCommand

But what if you want to get to a host that isn’t directly available from your local workstation? The hosts in the rc.int.colorado.edu domain referenced above may be accessible from a local network connection; but if you are connecting from elsewhere on the Internet, you won’t be able to access them directly.

OpenSSH provides the ProxyCommand option which, when coupled with the OpenSSH client presumed to be available on the intermediate server, supports arbitrary proxy connections through to remotely-accessible servers.

Match host=*.rc.int.colorado.edu
ProxyCommand ssh -W %h:%p login.rc.colorado.edu

Even though you can’t connect directly to Janus compute nodes from the Internet, for example, you can connect to them from a Research Computing login node; so this ProxyCommand configuration allows transparent access to hosts in the internal Research Computing domain. (OpenSSH 7.3 and later also offer the ProxyJump directive, and the equivalent -J flag, which does the same thing without spelling out the inner ssh command.)

$ ssh janus-compile1.rc
[user1234@janus-compile1 ~]$

And it even works with scp.

$ echo 'Hello, world!' >/tmp/hello.txt
$ scp /tmp/hello.txt janus-compile1.rc:/tmp
hello.txt                                     100%   14     0.0KB/s   00:00

$ ssh janus-compile1.rc cat /tmp/hello.txt
Hello, world!
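The HostName, User, ControlMaster and ProxyCommand directives above interact through ordering (first value wins) and through Match evaluating the already-substituted hostname, which makes mistakes easy to miss until a connection fails. The script below is an added example for this article, not part of OpenSSH: it writes the directives from these sections to a temporary config (using the space-separated Match form documented in ssh_config(5)) and uses ssh -G, which prints the fully resolved configuration for an alias without connecting, to show what ssh would actually do for login.rc and janus-compile1.rc. It assumes a POSIX shell and an OpenSSH client with -G support (6.8 and later); the alias names are the ones used in this article.

```shell
#!/bin/sh
# Dry-run an ssh_config with `ssh -G`. Added example, not OpenSSH code.

# resolved CONFIG HOST OPTION: the value ssh would use for OPTION (lower-case,
# as `ssh -G` prints it, e.g. hostname, user, proxycommand) when connecting
# to HOST with CONFIG. No network connection is made.
resolved() {
    ssh -F "$1" -G "$2" | awk -v key="$3" '$1 == key { sub(/^[^ ]+ /, ""); print; exit }'
}

# write_demo_config FILE: the directives from this article. Stanza order
# matters: HostName must be set before the Match stanzas that test the
# substituted host name, and the more specific login*.rc alias must precede
# the generic *.rc one, because ssh keeps the first value it finds.
write_demo_config() {
    cat > "$1" <<'EOF'
Host login*.rc
    HostName %h.colorado.edu

Host *.rc
    HostName %h.int.colorado.edu

Match host *.rc.colorado.edu,*.rc.int.colorado.edu
    User user1234

Match host login.rc.colorado.edu
    ControlMaster auto
    ControlPath ~/.ssh/.socket_%h_%p_%r
    ControlPersist 4h

Match host *.rc.int.colorado.edu
    ProxyCommand ssh -W %h:%p login.rc.colorado.edu
EOF
    chmod 600 "$1"   # ssh refuses user config files writable by others
}

main() {
    dir=$(mktemp -d)
    write_demo_config "$dir/config"
    for name in login.rc janus-compile1.rc; do
        printf '%s -> host=%s user=%s proxy=%s\n' "$name" \
            "$(resolved "$dir/config" "$name" hostname)" \
            "$(resolved "$dir/config" "$name" user)" \
            "$(resolved "$dir/config" "$name" proxycommand)"
    done
    rm -rf "$dir"
}

if command -v ssh >/dev/null 2>&1; then
    main
fi
```

Swap the two Host stanzas and run it again: login.rc then resolves to login.rc.int.colorado.edu, the User stanza still matches, and the ControlMaster stanza silently stops applying. ssh -G is the quickest way to catch that kind of regression before it costs you a debugging session.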

Public-key authentication

If you tried the example above, chances are that you were met with an unexpected password prompt that didn’t accept any password that you used. That’s because most internal Research Computing hosts don’t actually support interactive authentication, two-factor or otherwise. Connections from a CURC login node are authorized by the login node; but a proxied connection must authenticate from your local client.

The best way to authenticate your local workstation to an internal CURC host is using public-key authentication.

If you don’t already have an SSH key, generate one now.

$ ssh-keygen -t rsa -b 4096 # if you don't already have a key

Now we have to copy the (new?) public key to the remote CURC ~/.ssh/authorized_keys file. RC provides a global home directory, so copying to any login node will do. Targeting a specific login node is useful, though: the ControlMaster configuration for login.rc.colorado.edu tends to confuse ssh-copy-id.

$ ssh-copy-id login01.rc

(The ssh-copy-id command doesn’t come with OS X, but there's a third-party port available on GitHub. It’s usually available on a Linux system, too. Alternatively, you can just edit ~/.ssh/authorized_keys manually.) If you have more than one key, pass -i ~/.ssh/id_rsa.pub to install only that one; otherwise ssh-copy-id installs every key your agent reports (or your default key files if no agent is running).