I have a doubt about keychain and ssh askpass. Don't both do the same thing, adding ssh keys to ssh-agent? AFAIK an ssh askpass like ksshaskpass is triggered by the ssh-add command and loads the keys into ssh-agent, whereas keychain works differently.
But isn't the end result the same?
Thanks
Jithin
As far as I know, the end result is the same - an ssh key (or keys) is added to an agent (so that ssh can use the key, and you don't have to type the password or the key passphrase again).
I think gnome has better support in this regard. When I used gnome, only when I used the ssh command in a terminal did it unlock the keys and add them to gnome-keyring-manager, which has a keychain built in. In kde the closest thing is ksshaskpass. But I was not able to replicate the gnome behavior - of adding ssh keys to the agent only when ssh is used for the first time. I had to run it on kde login.
Thanks
Jithin
Well, the usual gnome behavior is that the login password unlocks the login keyring, which might contain the ssh keys, which are then automatically used with ssh (so you don't have to type in the key passphrase at all - it's unlocked on login).
There are a couple more options (I've used most of them at various times):
- unlocking the ssh key on login with pam_ssh (uses your login password; the result is similar to the gnome behavior described above)
- using gnome-keyring-daemon even without gnome, run with the help of another pam_ module, but I can't remember which one
- using gpg-agent to take care of ssh keys as well (that's my current setup). The behavior is that on the first use of the key it asks for the passphrase, then it's stored in the keyring (with a configurable timeout). The password dialogs are implemented in console, gtk or qt (you can choose).
pam_ssh works only if your login password and ssh passphrase are the same, right?
Can you tell me how you use gpg-agent to take care of ssh keys?
Thanks
Jithin
Yes, pam_ssh works only if the key passphrase and the login password are the same.
About gpg-agent:
I have this in my .zshrc:
# start gpg-agent (with ssh-agent emulation) if it's not already running
if [ -z "$(pidof gpg-agent)" ]; then
    eval "$(gpg-agent --daemon --write-env-file --enable-ssh-support)"
fi
# source the agent info (GPG_AGENT_INFO, SSH_AUTH_SOCK, SSH_AGENT_PID)
if [ -f "${HOME}/.gpg-agent-info" ]; then
    # prefix lines starting with S or G with 'export '; lines that are
    # already exported start with 'e', so this is safe to run repeatedly
    sed -i '/^[SG]/s/^/export /' "${HOME}/.gpg-agent-info"
    . "${HOME}/.gpg-agent-info"
fi
gpg-agent by default writes the environment variables that need to be set to ~/.gpg-agent-info. The sed line just puts 'export ' at the beginning of each line, if it's not there already.
You can configure gpg-agent some more by editing ~/.gnupg/gpg-agent.conf. For instance, I have there:
pinentry-program /usr/bin/pinentry-gtk-2
no-grab
default-cache-ttl 3600
write-env-file
disable-scdaemon
allow-mark-trusted
See 'man gpg-agent' for the whole list. Before you can first use an ssh key, you need to 'ssh-add' it to gpg-agent.
SSH Keys, which are to be used through the agent, need to be added to the gpg-agent initially through the ssh-add utility. When a key is added, ssh-add will ask for the password of the provided key file and send the unprotected key material to the agent; this causes the gpg-agent to ask for a passphrase, which is to be used for encrypting the newly received key and storing it in a gpg-agent specific directory.
Once a key has been added to the gpg-agent this way, the gpg-agent will be ready to use the key.
I like this approach since it also takes care of my gpg keys.
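The sed line in the post above rewrites ~/.gpg-agent-info in place and then sources it unconditionally, so a file left behind by a previous session (for example after a reboot, when the agent's PID and socket no longer exist) will still be exported and point SSH_AUTH_SOCK at a dead agent. The following is an added example, not code from the thread or from GnuPG: it assumes the GnuPG 2.0 file format (GPG_AGENT_INFO as socket:pid:protocol, plus SSH_AUTH_SOCK and SSH_AGENT_PID), exports only well-formed NAME=value lines without ever double-prefixing 'export ', and refuses to load the file unless the recorded agent PID is still alive. The sample file it builds is constructed for the demo and names the current shell's PID so the live case can be shown without a real agent. Note that GnuPG 2.1 and later dropped --write-env-file entirely; there the socket path comes from 'gpgconf --list-dirs agent-ssh-socket' and this file does not exist.

```shell
#!/bin/sh
# Added example (not from the thread): load a GnuPG 2.0-style
# ~/.gpg-agent-info file only if the agent it describes is still running.

# Emit "export VAR=value" for each well-formed line of the info file.
# Lines already prefixed with "export " are normalised, not doubled;
# comments, blank lines and anything that is not NAME=value are dropped.
gpg_agent_info_exports() {
    info_file="$1"
    [ -f "$info_file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        stripped="${line#export }"
        if printf '%s\n' "$stripped" | grep -Eq '^[A-Z_][A-Z0-9_]*='; then
            printf 'export %s\n' "$stripped"
        fi
    done < "$info_file"
}

# Extract the agent PID from the GPG_AGENT_INFO line (socket:pid:protocol).
# Prints nothing and fails if the line is missing or malformed.
gpg_agent_info_pid() {
    pid=$(sed -n 's/^\(export \)\{0,1\}GPG_AGENT_INFO=[^:]*:\([0-9][0-9]*\):[0-9][0-9]*$/\2/p' "$1")
    [ -n "$pid" ] || return 1
    printf '%s\n' "$pid"
}

# Succeed only if the agent named in the info file is still running.
gpg_agent_info_live() {
    pid=$(gpg_agent_info_pid "$1") || return 1
    kill -0 "$pid" 2>/dev/null
}

# Load the info file into the current shell, but only if its agent is alive;
# a stale file is reported and left alone instead of being exported.
load_gpg_agent_info() {
    if gpg_agent_info_live "$1"; then
        eval "$(gpg_agent_info_exports "$1")"
    else
        echo "stale or missing gpg-agent info: $1" >&2
        return 1
    fi
}

# Constructed sample in the GnuPG 2.0 layout (no real agent behind it);
# the caller supplies the PID so liveness can be demonstrated either way.
write_sample_info() {
    cat > "$1" <<EOF
# constructed sample of what gpg-agent --write-env-file produces
GPG_AGENT_INFO=/tmp/gpg-XXXXXX/S.gpg-agent:$2:1
export SSH_AUTH_SOCK=/tmp/gpg-XXXXXX/S.gpg-agent.ssh
SSH_AGENT_PID=$2
not a variable line
EOF
}

# Demo: a file naming this shell's own PID loads; one naming a dead PID is refused.
demo() {
    tmp=$(mktemp -d)
    write_sample_info "$tmp/live" "$$"
    write_sample_info "$tmp/dead" 99999999
    echo "exports derived from the live file:"
    gpg_agent_info_exports "$tmp/live"
    load_gpg_agent_info "$tmp/live" && echo "loaded: SSH_AUTH_SOCK=$SSH_AUTH_SOCK"
    load_gpg_agent_info "$tmp/dead" || echo "dead agent file correctly refused"
    rm -rf "$tmp"
}

demo
```

In a real ~/.zshrc you would replace the demo with `load_gpg_agent_info "${HOME}/.gpg-agent-info" || eval "$(gpg-agent --daemon --write-env-file --enable-ssh-support)"`, so that a stale file causes a fresh agent to be started rather than being sourced.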
Right now I am using ksshaskpass and it's working nicely.
@bender02 does gpg-agent show the passphrase dialog only the first time the ssh command is invoked?
Thanks
Jithin
@bender02 does gpg-agent show the passphrase dialog only the first time the ssh command is invoked?
Yes, although there's a timeout (in seconds) after which it forgets it. The setting is called 'default-cache-ttl-ssh'.
Ok. Thanks for your help
Thanks
Jithin