Using Keychain for SSH logins

I would like to give a short introduction to Keychain. This utility makes handling SSH keys easier and also saves you having to type in your passphrase every time you SSH to a remote machine using public key authentication.

Most Linux distributions and BSD variants already have Keychain packaged or easily installable in some way. I will leave installing Keychain as an exercise for the reader. Also, I recommend following Mr Robert's fine guide on using SSH keys before starting to set up Keychain.

Once you have your SSH keys configured and Keychain installed, using Keychain is quite easy. The following steps are required:

  • Initial Test
  • Modify your shell startup scripts to automatically start Keychain

Initial Test

So, our first step is to manually step through the process of feeding Keychain our SSH keys:

keychain@silverado:~$ keychain ~/.ssh/id_rsa

KeyChain 2.6.6; http://www.gentoo.org/proj/en/keychain/ Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL

* Initializing /home/keychain/.keychain/silverado-sh file...
* Initializing /home/keychain/.keychain/silverado-csh file...
* Initializing /home/keychain/.keychain/silverado-fish file...
* Starting ssh-agent
* Adding 1 ssh key(s)...
Enter passphrase for /home/keychain/.ssh/id_rsa:
Identity added: /home/keychain/.ssh/id_rsa (/home/keychain/.ssh/id_rsa)

keychain@silverado:~$

When it asks for your passphrase, enter the passphrase you used during key creation. Once this has completed successfully you need to set up the shell environment. As you can see, Keychain creates three files (one per shell family) containing the environment variables that make the ssh-agent information accessible across logins and shell instances. You will need to source the appropriate file for your shell. I am using Bash, so I will use the silverado-sh file. Note that the file name contains your hostname, so if your hostname is "mymachine" then the file will be mymachine-sh in the ~/.keychain directory.

We get the variables stored in silverado-sh (or whatever it is called on your system) into the current shell by sourcing the file, like so:

keychain@silverado:~$ source ~/.keychain/silverado-sh

Then verify that the variables are present:

keychain@silverado:~$ env | grep SSH_A
SSH_AGENT_PID=24627
SSH_AUTH_SOCK=/tmp/ssh-EUqFg24626/agent.24626
keychain@silverado:~$

Now try logging into a machine that uses your public key for authentication. You should not be prompted for your passphrase.

Automatically Starting Keychain and Sourcing Files

Now, we don't feel like doing that every time, so we can put it in our shell initialisation file, in my case ~/.bashrc. Insert the following, replacing "silverado-sh" with your own Keychain environment file:

# Start ssh-agent if needed and add the key (asks for the passphrase only if the key is not loaded yet)
keychain ~/.ssh/id_rsa
# Import SSH_AUTH_SOCK and SSH_AGENT_PID from the per-host file into this shell
source ~/.keychain/silverado-sh
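As an added example (not from this article or from the Keychain project), here is a POSIX shell function for the startup file that does the sourcing step above with the checks a careful user would want: it picks the hostname-sh file, refuses to source it if it is writable by others or contains anything other than the plain variable exports shown earlier, and reports a stale agent so keychain can be re-run. The function name, the return codes and the assumption that the file only holds `NAME=value; export NAME;` lines are mine.

```shell
#!/bin/sh
# Added example, not part of the article or of Keychain itself.
# Loads the per-host Keychain environment file (e.g. ~/.keychain/silverado-sh)
# into the current shell, but only after checking that it is safe to source:
# sourcing a file is code execution, so a world-writable or tampered file
# would let another local user run commands in your login shell.
#
# Assumption: the file holds only lines of the form "NAME=value; export NAME;",
# which is what the article's silverado-sh file contains for SSH_AUTH_SOCK and
# SSH_AGENT_PID. Returns 0 on success, 1 if the file is missing, 2 if it fails
# the safety checks, 3 if the recorded ssh-agent is no longer running.
load_keychain_env() {
    dir=${1:-"$HOME/.keychain"}
    host=${2:-$(hostname)}
    f="$dir/$host-sh"

    # 1. Must be a plain file that we own, not a symlink planted by someone else.
    [ -f "$f" ] || return 1
    if [ -L "$f" ] || [ ! -O "$f" ]; then return 2; fi

    # 2. Must not be group- or world-writable (columns 6 and 9 of ls -l).
    case $(ls -ld "$f") in
        ?????w*|????????w*) return 2 ;;
    esac

    # 3. Every non-blank line must be a simple assignment-and-export whose value
    #    has no shell metacharacters (no $(...), backticks, ';', '|', '&').
    safe_re='^[A-Z_][A-Z0-9_]*=[^;$`()|&<>]*; export [A-Z_][A-Z0-9_]*;$'
    if grep -Ev "$safe_re" "$f" | grep -qv '^[[:space:]]*$'; then
        return 2
    fi

    # 4. Source it; the exported variables outlive the function call.
    . "$f"

    # 5. A file left over from a previous boot points at a dead agent, so check
    #    that the agent pid is alive and the socket path still exists.
    if [ -z "$SSH_AGENT_PID" ] || ! kill -0 "$SSH_AGENT_PID" 2>/dev/null \
       || [ ! -e "$SSH_AUTH_SOCK" ]; then
        unset SSH_AGENT_PID SSH_AUTH_SOCK
        return 3
    fi
    return 0
}

# Typical use in ~/.bashrc, replacing the article's two lines: reuse the
# running agent first and only call keychain (which asks for the passphrase)
# when no usable environment file is found.
#   load_keychain_env || { keychain "$HOME/.ssh/id_rsa" && load_keychain_env; }
```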

Tada! Finished. But for the full Keychain treatment I refer you to the Gentoo Documentation.