SSH Tools :: Keychain

If you are a sysadmin that manages Linux systems, you’ve probably found that using ssh keys and keychain a must have.  If not, here are ways you can get setup.

CentOS/RHEL users can use rpmforge’s software repository to yum install keychain as opposed to building it themselves.  The CentOS wiki has very easy to follow documentation on how to do this.

For OSX, this is a pretty straight forward install from Funtoo’s keychain wiki page, with a .bash_profile update to make life easier for you.

After you leverage rpmforge’s software repo and install keychain, you will notice a .keychain directory in your home directory.  Generate a key for yourself via ssh-keygen.  You can specify key types as well (e.g. ssh-keygen -t dsa, the default generates rsa).

Next, you will need to copy your .ssh/ key values over to a host you want to leverage ssh keys, and keychain with.

Manual edit/OSX solution:

Edit .ssh/authorized_keys on the remote host with your key (e.g. rsync -av –progress remotehost.fqdn:/home/user/.ssh/, then cat >> authorized_keys in the your .ssh directory)

On Linux simply utilize ssh-copy-id remotehost.fqdn.

OSX users can edit as noted above, or can create their own ssh-copy-id script.  You can also try trusting bastardized OSX ssh-copy-id scripts from the web.  Be sure to scour the code at your own risk if you decide to go this route.

Once your keys are setup, we can go ahead and start utilizing keychain.

keychain -Q –ignore-missing –nogui –timeout  ~/.ssh/id_rsa

  • –ignore-missing doesn’t warn if some keys can’t be found.  This is useful if you have a shared .bash_profile and your keys aren’t available on every machine keychain is run against.  
  • –nogui doesn’t honor SSH_ASKPASS, if it is set, it will cause the ssh-add to prompt on the terminal instead of any graphical program.  
  • -Q/–quick will take any existing ssh-agent process and use it.  

You can explore additional options in the keychain man pages.

Personally, I prefer using an alias in my .bashrc/.bash_profile:

alias keychain=’keychain -Q –ignore-missing –nogui –timeout 86400 ~/.ssh/id_dsa ; . ~/.keychain/myhostname.fqdn-sh’.

The funtoo keychain wiki page suggests updating your .bashrc/.bash_profile with eval:

eval `keychain –eval –agents ssh id_dsa`

For OSX:

eval `keychain –eval –agents ssh –inherit any id_dsa`

Make sure to reference id_rsa if it is the key type you generated.

Now that you’re all setup, source your .bashrc or .bash_profile to finalize everything.  You can now start ssh’ing to hosts you have your keys setup on without a password or passphrase.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s