#1 2011-03-23 19:44:19

nybegynner
Member
From: Norway
Registered: 2010-02-07
Posts: 36

SSH keychain passphrase after login

Hello everyone.

I'm currently setting up ssh keys with OpenSSH. To manage my key(s) I'm using 'keychain', instead of running ssh-agent and ssh-add my keys respectively.
This line is in .bashrc:

eval `keychain --eval -q --agents ssh id_dsa`

Keychain starts ssh-agent and uses ssh-add to add my key "id_dsa".

The problem is that I have to enter the passphrase in the first bash instance that is run after login - is this necessary? I have already stored the passphrase in .ssh/id_dsa.

Not the biggest issue, but annoying.

Last edited by nybegynner (2011-03-23 20:36:42)

#2 2011-03-24 19:19:08

jac
Member
From: /home/jac
Registered: 2009-05-19
Posts: 431

Re: SSH keychain passphrase after login

The problem here is that ssh-agent starts a new instance each time it is run, thereby requiring that you re-add your key to each copy of the process, which means you have to enter your password again each time. The way I've set this up is to have my .zshrc source a file, which runs ssh-agent if need be or just sources another file with the stored environment variables if not. I then have to "ssh-add" my key once, and I'm done until I restart.

Here's my script:

#!/bin/zsh

# File that caches the agent environment (SSH_AUTH_SOCK, SSH_AGENT_PID)
EVF="/home/jac/bin/export_vars"

# An agent is already running for this user: reuse its environment
if [ "$(pgrep -u jac ssh-agent)" ]; then
    source "$EVF"
    return
fi

# No agent yet: start one and save its environment for later shells
ssh-agent > "$EVF"
# Replace the "echo Agent pid NNN;" line so sourcing prints only "[s]"
sed -i 's/^echo.*/echo -n "[s]"/' "$EVF"
chmod +x "$EVF"

source "$EVF"

I think if you just replace my username with your username/path and zsh with bash, you'll be able to use something similar to this. I don't know if the environment variables file needs to be executable. Also, the sed line makes the sourcing process print "[ S]" (minus the space, forum markup issue) without a newline instead of the ssh-agent process id number.

Edit: I originally thought "keychain" was a program you made, but perhaps it is not. If not, the behaviour behind the problem I describe may be incorrect.
Edit 2: It is a program in the repos, haha, my mistake. My script has the exact same functionality described in keychain's pacman description, so it is an alternative if you can't get keychain to work properly.
Edit 3: Reading the keychain manpage says to put the line you put in your bashrc into bash_profile, so you should start there, as it only is sourced when you login, not when you open a new terminal. That would actually have fixed my problem without the need of script too XD

Last edited by jac (2011-03-24 19:27:05)

#3 2011-03-24 19:37:33

firecat53
Member
From: Lake Stevens, WA, USA
Registered: 2007-05-14
Posts: 1,542

Re: SSH keychain passphrase after login

Hmm, odd, because I use keychain with the same line and it only asks me my passphrase(s) once...when I first login (I login from the tty, not a login manager. Don't know if this makes a difference)

eval `keychain -q --eval --agents ssh id_rsa logo_rsa web_rsa`

Doesn't help you much, other than there must be another issue, because it's supposed to maintain the ssh-agent process and keep those keys in memory until you clear them. Manpage describes this in more detail.

Scott

Last edited by firecat53 (2011-03-24 19:38:05)

#4 2011-03-28 16:38:44

nybegynner
Member
From: Norway
Registered: 2010-02-07
Posts: 36

Re: SSH keychain passphrase after login

Thanks!

Turns out my problem wasn't a problem after all. When I chose to generate my key with a passphrase + using keychain, keychain asked for my passphrase after login and remembered it for the rest of the session.
However, I wanted to be able to use the ssh key without typing anything, so my solution was to create a key without a passphrase and then my problem was solved. This is generally not advised, but I'm doing it anyway yikes

Can you think of any reason this is not advised, except the fact that gaining access to my computer can also give access to other computers using this ssh key?

#5 2011-03-28 18:11:24

jac
Member
From: /home/jac
Registered: 2009-05-19
Posts: 431

Re: SSH keychain passphrase after login

I'm not too knowledgeable about security compared to most people, so I'll stay out of that. But, I think you still have a problem. My ssh key has a pass-phrase, but after adding it using "ssh-add" I do not need to type in my pass-phrase again. I think that is how keychain is supposed to work as well.

#6 2011-03-28 19:31:14

firecat53
Member
From: Lake Stevens, WA, USA
Registered: 2007-05-14
Posts: 1,542

Re: SSH keychain passphrase after login

Because if someone gets your key(s), now they have instant access...the passphrase is an extra layer of security. Thus, the invention of ssh-agent/keychain so you only need to type a passphrase once, and then the key can be sourced and used again (on that machine) by you or your scripts until you reboot or kill the ssh-agent process somehow.

Scott

#7 2011-03-28 20:12:42

alterecco
Member
Registered: 2009-07-13
Posts: 152

Re: SSH keychain passphrase after login

I have this in my .bash_profile

# Only on a text-console login on tty1 (no X session): start the agent
# and add the key, which prompts for its passphrase once
if [[ -z "$DISPLAY" ]] && [[ $(tty) = /dev/tty1 ]]; then
  keychain "${HOME}/.ssh/id_rsa"
fi

And then this in my .bashrc

# Every new shell picks up the agent environment keychain saved for this host
if [ -f "${HOME}/.keychain/${HOSTNAME}-sh" ]; then
    source "${HOME}/.keychain/${HOSTNAME}-sh" > /dev/null
fi

When I log in on tty1, I get asked for my key's password. After that, I never get asked again (until next log on).

So, added security of having a password for your key, but no hassle.

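
The pattern the thread converges on (#2, #3 and #7) is one ssh-agent per login whose environment is saved to a file that every later shell sources, so the passphrase is typed once per session rather than once per terminal, and the key itself stays encrypted on disk. The script below is an added example, not code from any poster and not keychain's own implementation. It does what jac's zsh script does, but in plain sh, and decides whether an agent is usable from the exit status of `ssh-add -l` (0 = keys loaded, 1 = agent empty, 2 = no agent reachable) instead of pgrep, so a stale environment file left over from a previous boot is detected and replaced. The env-file path `~/.ssh-agent-env`, the key path and the sample agent output are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example (not from any post in this thread): share one ssh-agent
# across all shells by caching its environment in a file, keychain-style.
# Assumed/hypothetical: AGENT_ENV path, AGENT_KEY path, SAMPLE_AGENT_OUTPUT.

AGENT_ENV="${AGENT_ENV:-$HOME/.ssh-agent-env}"
AGENT_KEY="${AGENT_KEY:-$HOME/.ssh/id_rsa}"

# Constructed sample of what `ssh-agent -s` prints (socket path and PIDs invented).
SAMPLE_AGENT_OUTPUT='SSH_AUTH_SOCK=/tmp/ssh-example/agent.4242; export SSH_AUTH_SOCK;
SSH_AGENT_PID=4243; export SSH_AGENT_PID;
echo Agent pid 4243;'

# Keep only the variable assignments from ssh-agent's output; dropping the
# trailing "echo Agent pid ..." line makes sourcing the file silent
# (the same job jac's sed line does).
agent_filter_env() {
    grep -v '^echo '
}

# Exit status of `ssh-add -l`: 0 = agent reachable and holds keys,
# 1 = agent reachable but empty, 2 = cannot contact an agent.
agent_state() {
    ssh-add -l >/dev/null 2>&1
    echo $?
}

# Call this from ~/.bashrc (or ~/.bash_profile for login shells only).
ensure_agent() {
    # First try the environment saved by an earlier shell.
    if [ -r "$AGENT_ENV" ]; then
        . "$AGENT_ENV"
    fi
    # Nothing usable (stale socket after a reboot, or no agent yet): start one.
    # Anything other than 0/1 counts as "no agent", including 127 if ssh-add is absent.
    if [ "$(agent_state)" -ge 2 ]; then
        # umask in a subshell so the env file is created 0600 without
        # changing the caller's umask; it names the socket, nothing more.
        (umask 077; ssh-agent -s | agent_filter_env > "$AGENT_ENV")
        . "$AGENT_ENV"
    fi
    # Add the key only when the agent holds nothing, so the passphrase is
    # prompted for once per agent lifetime, not once per terminal.
    if [ "$(agent_state)" -eq 1 ]; then
        ssh-add "$AGENT_KEY"
    fi
}

# Offline check of the filter on the constructed sample: returns the two
# export lines and nothing else.
filtered_sample() {
    printf '%s\n' "$SAMPLE_AGENT_OUTPUT" | agent_filter_env
}
```

Source this file from `~/.bashrc` and call `ensure_agent`; opening further terminals sources the saved environment and, since `ssh-add -l` then returns 0, never prompts again. Two caveats a practitioner would want: the agent holds the decrypted key in memory, so anything running as your user can use it for as long as the agent lives, which is the trade-off firecat53 describes in #6; `ssh-add -t 8h` (a lifetime for the added key) or `ssh-add -D` (forget all keys) bounds that window without going back to a passphrase-less key. The env file itself only records the socket path; access to the agent is still controlled by the socket's owner-only permissions.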

Powered by FluxBB