Hello everyone.
I'm currently setting up ssh keys with OpenSSH. To manage my key(s) I'm using 'keychain', instead of running ssh-agent and ssh-add my keys respectively.
This line is in .bashrc:
eval `keychain --eval -q --agents ssh id_dsa`
Keychain starts ssh-agent and uses ssh-add to add my key "id_dsa".
The problem is that I have to enter the passphrase in the first bash instance that is run after login - is this necessary? I have already stored the passphrase in .ssh/id_dsa.
Not the biggest issue, but annoying.
Last edited by nybegynner (2011-03-23 20:36:42)
The problem here is that ssh-agent starts a new instance each time it is run, thereby requiring that you re-add your key to each copy of the process, which means you have to enter your password again each time. The way I've set this up is to have my .zshrc source a file, which runs ssh-agent if need be or just sources another file with the stored environment variables if not. I then have to "ssh-add" my key once, and I'm done until I restart.
Here's my script:
#!/bin/zsh
# File where the agent's environment variables are kept between shells
EVF="/home/jac/bin/export_vars"
# An agent is already running for this user: reuse its variables and stop here
if [ "$(pgrep -u jac ssh-agent)" ]; then
    source "$EVF"
    return
fi
# No agent yet: start one and save the variables it prints
ssh-agent > "$EVF"
# Replace the "echo Agent pid N;" line so sourcing prints "[s]" with no newline
sed -i 's/^echo.*/echo -n "[s]"/' "$EVF"
chmod +x "$EVF"
source "$EVF"
I think if you just replace my username with your username/path and zsh with bash, you'll be able to use something similar to this. I don't know if the environment variables file needs to be executable. Also, the sed line makes the sourcing process print "[s]" without a newline instead of the ssh-agent process id number.
Edit: I originally thought "keychain" was a program you made, but perhaps it is not. If not, the behaviour behind the problem I describe may be incorrect.
Edit 2: It is a program in the repos, haha, my mistake. My script has the exact same functionality described in keychain's pacman description, so it is an alternative if you can't get keychain to work properly.
Edit 3: Reading the keychain manpage says to put the line you put in your bashrc into bash_profile, so you should start there, as it is only sourced when you log in, not when you open a new terminal. That would actually have fixed my problem without the need of a script too XD
Last edited by jac (2011-03-24 19:27:05)
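An added example, not the script from the post above: the same reuse idea in POSIX sh, but it decides whether to start an agent by asking the existing one (ssh-add -l) instead of looking for a process name, because a leftover ssh-agent process does not guarantee a socket you can still talk to. The env-file path ~/.ssh/agent.env, the key name id_ed25519, the 8h lifetime and the sample agent output are assumptions made for the example.

```shell
# Added example (not the forum poster's code). One agent per login, every
# new shell attaches to it; assumed paths: ~/.ssh/agent.env, ~/.ssh/id_ed25519

AGENT_ENV="${HOME}/.ssh/agent.env"

# Constructed sample of what "ssh-agent -s" prints, for trying the parser:
SAMPLE_AGENT_OUTPUT='SSH_AUTH_SOCK=/tmp/ssh-abc/agent.123; export SSH_AUTH_SOCK;
SSH_AGENT_PID=124; export SSH_AGENT_PID;
echo Agent pid 124;'

# Turn "ssh-agent -s" output into a file that can be sourced quietly:
# keep the SSH_AUTH_SOCK / SSH_AGENT_PID lines, drop "echo Agent pid N;".
agent_env_from_output() {
    sed '/^echo /d'
}

# Map the exit status of "ssh-add -l" to a word:
#   0 = keys loaded, 1 = agent answers but is empty, anything else = unreachable
agent_status_word() {
    case "$1" in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo unreachable ;;
    esac
}

# Status of whatever agent SSH_AUTH_SOCK currently points at.
agent_status() {
    if ssh-add -l >/dev/null 2>&1; then rc=0; else rc=$?; fi
    agent_status_word "$rc"
}

# Reuse the saved agent when it still answers, start a new one otherwise,
# and add the key only when the agent holds nothing.
start_or_reuse_agent() {
    [ -r "$AGENT_ENV" ] && . "$AGENT_ENV" >/dev/null
    if [ "$(agent_status)" = unreachable ]; then
        # the env file names the agent socket; keep it readable by us only
        ( umask 077; ssh-agent -s | agent_env_from_output > "$AGENT_ENV" )
        . "$AGENT_ENV" >/dev/null
    fi
    if [ "$(agent_status)" = empty ]; then
        # -t bounds how long the decrypted key stays in the agent's memory
        ssh-add -t 8h "${HOME}/.ssh/id_ed25519"
    fi
}
```

Source this from .bash_profile and call start_or_reuse_agent there; .bashrc then only needs to source "$AGENT_ENV". The status mapping relies on ssh-add's documented exit codes: 0 with identities listed, 1 when the agent answers but holds none, 2 when no agent can be contacted.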
Hmm, odd, because I use keychain with the same line and it only asks me for my passphrase(s) once...when I first log in (I log in from the tty, not a login manager. Don't know if this makes a difference)
eval `keychain -q --eval --agents ssh id_rsa logo_rsa web_rsa`
Doesn't help you much, other than there must be another issue, because it's supposed to maintain the ssh-agent process and keep those keys in memory until you clear them. Manpage describes this in more detail.
Scott
Last edited by firecat53 (2011-03-24 19:38:05)
Thanks!
Turns out my problem wasn't a problem after all. When I chose to generate my key with a passphrase + using keychain, keychain asked for my passphrase after login and remembered it for the rest of the session.
However, I wanted to be able to use the ssh key without typing anything, so my solution was to create a key without a passphrase, and then my problem was solved. This is generally not advised, but I'm doing it anyway.
Can you think of any reason this is not advised, except the fact that gaining access to my computer can also give access to other computers using this ssh key?
I'm not too knowledgeable about security compared to most people, so I'll stay out of that. But, I think you still have a problem. My ssh key has a pass-phrase, but after adding it using "ssh-add" I do not need to type in my pass-phrase again. I think that is how keychain is supposed to work as well.
Because if someone gets your key(s), now they have instant access...the passphrase is an extra layer of security. Thus, the invention of ssh-agent/keychain so you only need to type a passphrase once, and then the key can be sourced and used again (on that machine) by you or your scripts until you reboot or kill the ssh-agent process somehow.
Scott
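An added example, not code from the thread, for the trade-off Scott describes: a check that a private key file really is passphrase-protected before it is handed to the agent, and a loader that limits how long and how freely the agent may use it. It reads the cipher name stored in the header of OpenSSH-format keys (15-byte magic "openssh-key-v1\0", 4-byte big-endian length, cipher name; "none" means the key material is in the clear) and the Proc-Type header of legacy PEM keys. It assumes GNU coreutils (base64 -d, od, dd) as on Arch; the 8h lifetime and the key paths are illustrative choices.

```shell
# Added example (not the thread's code). Assumes GNU coreutils.

# Print the cipher name recorded in an OpenSSH-format private key.
# Layout of the decoded blob: "openssh-key-v1\0" (15 bytes), 4-byte
# big-endian length, cipher name. "none" means no passphrase protects it.
openssh_key_cipher() {
    f=$1
    tmp=$(mktemp) || return 2
    sed -n '/^-----BEGIN OPENSSH PRIVATE KEY-----$/,/^-----END OPENSSH PRIVATE KEY-----$/p' "$f" \
        | grep -v '^-----' | base64 -d > "$tmp" 2>/dev/null || { rm -f "$tmp"; return 2; }
    # the four length bytes at offset 15, as decimal values
    set -- $(od -An -tu1 -j15 -N4 "$tmp")
    [ $# -eq 4 ] || { rm -f "$tmp"; return 2; }
    len=$(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
    dd if="$tmp" bs=1 skip=19 count="$len" 2>/dev/null
    rm -f "$tmp"
}

# Exit 0 if the key at $1 needs a passphrase, 1 if it does not,
# 2 if the file is not a recognised private key.
key_is_protected() {
    if grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----$' "$1"; then
        c=$(openssh_key_cipher "$1") || return 2
        [ -n "$c" ] && [ "$c" != none ]
    elif grep -q '^-----BEGIN .*PRIVATE KEY-----$' "$1"; then
        # legacy PEM keys mark encryption with a Proc-Type header
        grep -q '^Proc-Type: 4,ENCRYPTED' "$1"
    else
        return 2
    fi
}

# Refuse unprotected keys; -t bounds the key's lifetime in the agent,
# -c makes the agent ask for confirmation before each use.
add_protected_key() {
    key=$1
    if ! key_is_protected "$key"; then
        echo "refusing to load $key: not passphrase-protected" >&2
        return 1
    fi
    ssh-add -t 8h -c "$key"
}
```

The -c confirmation is shown through ssh-askpass (or the program named in SSH_ASKPASS); on a bare tty without one, drop -c and keep -t. Both options address the point above: a key that someone copies out of the agent's reach still needs the passphrase, and a key that is in the agent is usable only for a bounded time.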
I have this in my .bash_profile
if [[ -z "$DISPLAY" ]] && [[ $(tty) = /dev/tty1 ]]; then
keychain ${HOME}/.ssh/id_rsa
fi
And then this in my .bashrc
if [ -f ${HOME}/.keychain/${HOSTNAME}-sh ]; then
source ${HOME}/.keychain/${HOSTNAME}-sh > /dev/null
fi
When I log in on tty1, I get asked for my key's password. After that, I never get asked again (until the next log on).
So, the added security of having a password for your key, but no hassle.