Using Keychain for SSH logins

I would like to give a short introduction to Keychain. This utility makes handling SSH keys easier and also saves you from having to type in your passphrase every time you SSH to a remote machine using public key authentication.

Most Linux distributions and BSD variants already have Keychain packaged or easily installable in some way. I will leave installing Keychain as an exercise for the reader. I also recommend following Mr Robert's fine guide on using SSH keys before starting to set up Keychain.

Once you have your SSH keys configured and Keychain installed, using Keychain is quite easy. The following steps are required:

  • Initial Test
  • Modify your shell startup scripts to automatically start Keychain

Initial Test

So, our first step is to manually step through the process of feeding Keychain our SSH keys:

keychain@silverado:~$ keychain ~/.ssh/id_rsa

KeyChain 2.6.6; http://www.gentoo.org/proj/en/keychain/ Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL

* Initializing /home/keychain/.keychain/silverado-sh file...
* Initializing /home/keychain/.keychain/silverado-csh file...
* Initializing /home/keychain/.keychain/silverado-fish file...
* Starting ssh-agent
* Adding 1 ssh key(s)...
Enter passphrase for /home/keychain/.ssh/id_rsa:
Identity added: /home/keychain/.ssh/id_rsa (/home/keychain/.ssh/id_rsa)

keychain@silverado:~$

When it asks for your passphrase, enter the passphrase you used during key creation. Once this has completed successfully you need to set up the shell environment. As you can see, Keychain creates several files containing the environment variables that make the ssh-agent information accessible across logins and shell instances. You will need to source the appropriate file for your shell. I am using Bash, so I will use the silverado-sh file. Note that the file name contains your hostname, so if your hostname is "mymachine" then the file will be mymachine-sh in the ~/.keychain directory.

We get the variables stored in silverado-sh (or whatever it is called on your system) into the current shell by sourcing the file, like so:

keychain@silverado:~$ source ~/.keychain/silverado-sh

and then verify that the variables are there:

keychain@silverado:~$ env | grep SSH_A
SSH_AGENT_PID=24627
SSH_AUTH_SOCK=/tmp/ssh-EUqFg24626/agent.24626
keychain@silverado:~$

Now try logging into a machine that uses your public key for authentication; you should not be prompted for your passphrase.

Automatically Starting Keychain and Sourcing Files

We don't feel like doing that every time, so we can put it in our shell initialisation file, in my case ~/.bashrc. Insert the following, replacing "silverado-sh" with your own Keychain environment file:

# Start ssh-agent if needed and add the key (asks for the passphrase only once per agent lifetime)
keychain ~/.ssh/id_rsa
# Import SSH_AUTH_SOCK and SSH_AGENT_PID into this shell
source ~/.keychain/silverado-sh

Tada! Finished. But for the full Keychain treatment I refer you to the Gentoo Documentation.
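As an added example (not from the original post), here is the same ~/.bashrc snippet wrapped in a few shell functions, so that the environment file is only sourced when it exists, a stale agent left over from before a reboot is detected rather than silently reused, and the key is unloaded after a period of inactivity. It assumes the ~/.keychain/<hostname>-sh layout described above; the function names, the use of `uname -n` for the hostname and the 60 minute timeout are my own choices.

```shell
# Path of keychain's Bourne-shell environment file for this host.
# Optional arguments: the keychain directory and the hostname (assumed
# to match what keychain itself uses; override if yours differs).
keychain_env_file() {
    printf '%s/%s-sh\n' "${1:-$HOME/.keychain}" "${2:-$(uname -n)}"
}

# Source the env file so SSH_AUTH_SOCK and SSH_AGENT_PID reach this shell.
# Returns 1 and touches nothing if the file is missing or unreadable.
load_keychain_env() {
    envfile=$(keychain_env_file "$@")
    [ -r "$envfile" ] || return 1
    . "$envfile"
    [ -n "$SSH_AUTH_SOCK" ] && [ -n "$SSH_AGENT_PID" ]
}

# True only if the agent process is still running and its socket exists;
# a leftover env file after a reboot fails both checks.
agent_alive() {
    [ -n "$SSH_AGENT_PID" ] && kill -0 "$SSH_AGENT_PID" 2>/dev/null \
        && [ -S "$SSH_AUTH_SOCK" ]
}

# What ~/.bashrc calls. Interactive shells only; --timeout (minutes) makes
# ssh-agent forget the key after inactivity so an unattended session does
# not keep it unlocked indefinitely, and --quiet drops the banner.
start_keychain() {
    case $- in *i*) ;; *) return 0 ;; esac
    command -v keychain >/dev/null 2>&1 || return 1
    keychain --quiet --timeout 60 "$HOME/.ssh/id_rsa" || return 1
    load_keychain_env && agent_alive
}
```

Call `start_keychain` from ~/.bashrc; in a non-interactive shell it returns immediately without touching the agent.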

Comments

Interesting idea. The process is just easy to follow. - Gary McClure

I like the information. I wonder what would be the percentage of error when this process is used. - Gary McClure

Hi Fred, What happens when

Hey Robert,

It will not ask for your passphrase more than once per session, session being the lifetime of ssh-agent running on the machine. Usually you only need to enter your password once until the machine reboots again.

Functionally there is no difference between Keychain and your ssh agent trick so either can be used. Whichever you prefer :-) I think Keychain has some more bells and whistles for some things but I don't use those just yet.

Cheers,

Fred.

That depends on the options you give.
I like to use the --timeout option, where it will ask for your passphrase after the expiry, rather than depend on a reboot :)

Cheers for the info.
