[portland] keychain and ssh-agent: Use ssh keys more easily

Igal Koshevoy igal at pragmaticraft.com
Wed Feb 10 05:12:25 CET 2010


Chris Pitzer talked about ssh-copy-id; you can find his notes online at:
http://blog.christopherpitzer.com/2010/ssh-copy-id/

I mentioned that it's possible to use a persistent program to load your
SSH keys, which will ask you to enter the passwords for your keys, and
then keep them loaded in memory so you don't have to keep re-entering
the key passwords.

"keychain" is a third-party program for use with OpenSSH to keep your
credentials in memory and accessible across logins, and it continues to run
until the machine is shut down or the keychain or agents are deliberately
stopped. MacOS and some UNIX distros may provide a specialized way to do
this. Details on using the keychain program:
http://www.gentoo.org/proj/en/keychain/

Typical usage from a bash shell:
    # Start the keychain and add your keys, which may ask for passwords -- I
    # keep my keys in ~/.ssh and give them names ending with "_rsa" and "_dsa":
    keychain ~/.ssh/*_{dsa,rsa}

    # Load the credentials into a session (the file sourced is created by "keychain"):
    . ~/.keychain/${HOSTNAME}-sh*

    # You can combine these steps together by using a single bash function,
    # that can start keychain if needed and load your credentials. You can run
    # this function from .Xsession and again any time you need to load
    # credentials from a session that's not managed by X (e.g., you SSH into a
    # machine already running your keychain). Here's the function:
    keychainize () { keychain ~/.ssh/*_{dsa,rsa}; . ~/.keychain/${HOSTNAME}-sh*; }


If you're looking for something more lightweight and standard, you can
use "ssh-agent", which is what "keychain" is providing a wrapper for.
"ssh-agent" is a program that comes with OpenSSH and keeps your
credentials in memory. It lets you enter the passwords for your SSH keys
once on startup and keep using the keys without passwords for the
duration of your session. For details read:
http://www.securityfocus.com/infocus/1812

Typical usage from a bash shell:
    # Start the agent, it's not smart enough to realize one's already running
    eval `ssh-agent`
    # Add your keys to the agent, which may ask for passwords
    ssh-add ~/.ssh/*_{dsa,rsa}
    # See what keys you've got loaded, if curious
    ssh-add -l
    # Use your credentials without having to re-enter passwords
    ssh myusername@myhostname

-igal
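Added example (editor's, not code from Igal's post or from the keychain project): a POSIX sh helper that supplies the start-once behaviour the post says ssh-agent lacks, doing the checks keychain does for you. It reuses an agent already in the environment, otherwise reloads the one recorded by an earlier login, and only as a last resort starts a fresh agent; keys are then added with a bounded lifetime (`ssh-add -t`) so a forgotten session does not keep unlocked keys resident indefinitely. Names assumed here and not in the post: the env file `~/.ssh/agent.env`, the `SSH_AGENT_KEY_LIFETIME` setting, and the key-name patterns `*_rsa`, `*_ecdsa` and `*_ed25519` (the post's `*_dsa` is left out because OpenSSH disabled DSA keys by default in 7.0).

```shell
#!/bin/sh
# Added example, not code from the post above: a start-once ssh-agent helper.
# Usage:  . ./ssh_agent_ensure.sh && ssh_agent_ensure
# It must be sourced, not executed, so that SSH_AUTH_SOCK and SSH_AGENT_PID
# land in the calling shell. File name, variable names and key patterns
# below are this example's own assumptions.

# Where one login leaves the agent's socket/pid for the next login to find.
SSH_AGENT_ENV_FILE="${SSH_AGENT_ENV_FILE:-$HOME/.ssh/agent.env}"
# Keys stay unlocked in the agent this long, then are dropped (ssh-add -t).
SSH_AGENT_KEY_LIFETIME="${SSH_AGENT_KEY_LIFETIME:-8h}"

# Translate the exit status of `ssh-add -l` into a word:
# 0 = identities listed, 1 = agent reachable but empty, 2 = no agent reachable.
agent_state_from_rc() {
    case "$1" in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo unreachable ;;
    esac
}

# State of the agent named by SSH_AUTH_SOCK in the current environment.
agent_state() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo unreachable
        return 0
    fi
    if ssh-add -l >/dev/null 2>&1; then rc=0; else rc=$?; fi
    agent_state_from_rc "$rc"
}

# Private keys to load from a directory (default ~/.ssh): files named
# *_rsa, *_ecdsa or *_ed25519, one path per line; .pub files never match.
agent_key_files() {
    dir="${1:-$HOME/.ssh}"
    for f in "$dir"/*_rsa "$dir"/*_ecdsa "$dir"/*_ed25519; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Reuse the inherited agent, else the one recorded in the env file, else
# start a new one; add keys only when the agent holds none.
# Prints the final state: loaded, empty or unreachable.
ssh_agent_ensure() {
    if [ "$(agent_state)" = unreachable ] && [ -r "$SSH_AGENT_ENV_FILE" ]; then
        . "$SSH_AGENT_ENV_FILE" >/dev/null      # agent left by an earlier login?
    fi
    if [ "$(agent_state)" = unreachable ]; then
        # The env file is executed by `.` above, so nobody else may write it:
        # create it 0600 under umask 077 (in a subshell so the umask is local).
        mkdir -p "$HOME/.ssh"
        (umask 077 && ssh-agent -s > "$SSH_AGENT_ENV_FILE")
        . "$SSH_AGENT_ENV_FILE" >/dev/null
    fi
    if [ "$(agent_state)" = empty ]; then
        # Collect key paths without word-splitting them (here-doc, not a pipe,
        # so ssh-add still owns the terminal for passphrase prompts).
        set --
        while IFS= read -r f; do
            [ -n "$f" ] && set -- "$@" "$f"
        done <<EOF
$(agent_key_files)
EOF
        if [ $# -gt 0 ]; then
            ssh-add -t "$SSH_AGENT_KEY_LIFETIME" "$@"
        fi
    fi
    agent_state
}
```

Source it from ~/.bashrc or ~/.profile and call `ssh_agent_ensure`; when you later SSH into the same box, the same call picks the running agent back up from `~/.ssh/agent.env` instead of starting another one, which is the case the post's `keychainize` function covers. Because that file is executed with `.`, its 0600 mode is what keeps another local user from injecting commands into your shell; do not loosen it. `ssh-add -l` is used as the liveness probe because its exit status distinguishes "no agent" from "agent with no keys", and only the latter should trigger passphrase prompts.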
