
#1 2009-11-06 18:12:05

jithin1987
Member
From: Bangalore
Registered: 2009-09-12
Posts: 182

keychain vs ssh askpass

I have a doubt about keychain and ssh-askpass. Don't both do the same thing, adding ssh keys to ssh-agent? AFAIK an ssh-askpass like ksshaskpass is triggered by the ssh-add command and loads the keys into ssh-agent, whereas keychain works differently.

But isn't the end result the same?


Thanks
Jithin


#2 2009-11-06 18:29:11

bender02
Member
From: UK
Registered: 2007-02-04
Posts: 1,328

Re: keychain vs ssh askpass

As far as I know, the end result is the same - an ssh key (or keys) is added to an agent (so that ssh can use the key and you don't have to type the password or the key password again).


#3 2009-11-06 18:33:07

jithin1987
Member
From: Bangalore
Registered: 2009-09-12
Posts: 182

Re: keychain vs ssh askpass

I think gnome has better support in this regard. When I used gnome, only when I used the ssh command in a terminal did it unlock the keys and add them to gnome-keyring-manager, which has a keychain built in. In kde the closest thing is ksshaskpass. But I was not able to replicate the gnome behavior of adding ssh keys to the agent only when ssh is used for the first time. I had to run it on kde login.


Thanks
Jithin


#4 2009-11-06 18:51:23

bender02
Member
From: UK
Registered: 2007-02-04
Posts: 1,328

Re: keychain vs ssh askpass

Well the usual gnome behavior is that the login password unlocks the login keyring, which might contain the ssh keys, which are then automatically used with ssh (so you don't have to type in the key password at all - it's unlocked on login).

There are a couple more options (I've used most of them at various times):
- unlocking the ssh key on login with pam_ssh (uses your login password; the result is similar to gnome as described above)
- using gnome-keyring-daemon even without gnome, run with the help of another pam_ module, but I can't remember which one
- using gpg-agent to take care of ssh keys as well (that's my current setup). The behavior is that on the first use of the key it asks for the password, then it's stored in the keyring (with a configurable timeout). The password dialogs are implemented in console, gtk or qt (you can choose).


#5 2009-11-07 01:29:23

jithin1987
Member
From: Bangalore
Registered: 2009-09-12
Posts: 182

Re: keychain vs ssh askpass

pam_ssh works only if your login password and ssh passphrase are the same, right?

Can you tell me how you use gpg agent to take care of ssh keys?


Thanks
Jithin


#6 2009-11-07 07:54:39

bender02
Member
From: UK
Registered: 2007-02-04
Posts: 1,328

Re: keychain vs ssh askpass

Yes, pam_ssh works only if the key and the login passwords are the same.

About gpg-agent:
I have this in my .zshrc:

# start gpg-agent if it's not running
if [ -z "`pidof gpg-agent`" ]; then
    eval "$(gpg-agent --daemon --write-env-file --enable-ssh-support)"
fi;
# source gpg info
if [ -f "${HOME}/.gpg-agent-info" ]; then
    sed -i '/^[SG]/s/^/export /' "${HOME}/.gpg-agent-info"
    . "${HOME}/.gpg-agent-info"
fi;

gpg-agent by default writes the environment variables that need to be set to ~/.gpg-agent-info. The sed line just puts 'export ' at the beginning of each line, if it's not there already.
You can configure gpg-agent some more by editing ~/.gnupg/gpg-agent.conf. For instance, I have there:

pinentry-program /usr/bin/pinentry-gtk-2
no-grab
default-cache-ttl 3600
write-env-file
disable-scdaemon
allow-mark-trusted

See 'man gpg-agent' for the whole list. Before you can first use an ssh key, you need to 'ssh-add' it to gpg-agent.

man gpg-agent wrote:

SSH Keys, which are to be used through the agent, need to be added to the gpg-agent initially through the ssh-add utility. When a key is added, ssh-add will ask for the password of the provided key file and send the unprotected key material to the agent; this causes the gpg-agent to ask for a passphrase, which is to be used for encrypting the newly received key and storing it in a gpg-agent specific directory.

Once a key has been added to the gpg-agent this way, the gpg-agent will be ready to use the key.

I like this approach since it also takes care of my gpg keys.

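A more defensive variant of the .zshrc logic in the post above, added here as an example and not bender02's own snippet: instead of rewriting ~/.gpg-agent-info in place with sed, it parses the file and exports only the three variables gpg-agent is expected to write, then uses the exit status of 'ssh-add -l' to tell a live agent from a stale socket before deciding to start a new one. The file path and the sample values mentioned in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's own code. Assumes gpg-agent writes
# NAME=value lines to ~/.gpg-agent-info (as with --write-env-file).

# Print "export NAME=value" for the variables gpg-agent is expected to
# write, skipping comments, blank lines and anything unexpected, so that
# eval'ing the output cannot clobber unrelated variables such as PATH.
agent_env_exports() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#export }          # tolerate lines already exported
        case "$line" in
            GPG_AGENT_INFO=*|SSH_AUTH_SOCK=*|SSH_AGENT_PID=*)
                printf 'export %s\n' "$line" ;;
        esac
    done < "$1"
}

# Interpret the exit status of 'ssh-add -l': 0 means keys are loaded,
# 1 means the agent answers but holds no keys, 2 means no agent could be
# contacted (e.g. SSH_AUTH_SOCK names a socket from a previous session).
agent_state() {
    case "$1" in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo unreachable ;;
    esac
}

# Import an existing agent environment if the file is present, then start a
# fresh gpg-agent with ssh support only when no agent actually answers.
# Starting one on every shell would leave orphaned agents holding keys.
ensure_agent() {
    info="${HOME}/.gpg-agent-info"
    if [ -f "$info" ]; then
        eval "$(agent_env_exports "$info")"
    fi
    ssh-add -l >/dev/null 2>&1 && rc=0 || rc=$?
    if [ "$(agent_state "$rc")" = unreachable ]; then
        eval "$(gpg-agent --daemon --write-env-file --enable-ssh-support)"
    fi
}
```

Call ensure_agent from your shell rc file in place of the pidof check; 'ssh-add -l' is also a quick way to confirm which keys the agent currently holds unlocked.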

#7 2009-11-07 08:13:40

mikesd
Member
From: Australia
Registered: 2008-02-01
Posts: 788

Re: keychain vs ssh askpass

keychain has a couple of unique features compared to using ssh-agent directly. It is well suited to automating tasks with cron without using a non-password-protected key.

Full here


#8 2009-11-07 13:14:59

jithin1987
Member
From: Bangalore
Registered: 2009-09-12
Posts: 182

Re: keychain vs ssh askpass

Right now I am using ksshaskpass and it's working nicely.

@bender02 does gpg-agent show the passphrase dialog only the first time the ssh command is invoked?


Thanks
Jithin


#9 2009-11-07 14:51:17

bender02
Member
From: UK
Registered: 2007-02-04
Posts: 1,328

Re: keychain vs ssh askpass

jithin1987 wrote:

@bender02 does gpg-agent show the passphrase dialog only the first time the ssh command is invoked?

Yes, although there's a timeout (in seconds) after which it forgets it. The setting is called 'default-cache-ttl-ssh'.


#10 2009-11-07 17:10:24

jithin1987
Member
From: Bangalore
Registered: 2009-09-12
Posts: 182

Re: keychain vs ssh askpass

Ok. Thanks for your help :)


Thanks
Jithin
