Configure and use keychain
Author:  Sven Knispel
Updated:  [udate]

Keychain is a wrapper around ssh-agent for passphrase caching. One of the biggest misunderstandings about using ssh for batch (cron) scripts is that one must use keys without a passphrase to avoid the interactive prompt for it. This can lead to:

  • a compromised communication channel if the private key is stolen
  • unauthorized access to computers

Using keys without a passphrase is like using user IDs without a password.

ssh-agent was developed for exactly this purpose: to support batch processes and to avoid entering a passphrase for each and every access to a computer. The agent caches the key material in memory for as long as it is running.
As nothing is stored on disk and access to the agent is protected, it is an elegant way to manage something like a single sign-on that stays active until the next reboot. As the passphrase has to be entered only once, it also encourages strong passphrases.
As the passphrase will not be asked for again until your computer is rebooted, it is important to prevent unauthorized access to it: an unlocked computer would allow anyone to use the keys cached in the agent.

1. Download and install keychain

Keychain binaries for different flavours of Fedora Core can be downloaded here.
The installation is done with rpm -Uvh keychain-2.5.1-1.2.fc4.rf.noarch.rpm.

2. Creating keys

As keychain manages ssh keys, these have to be created first. If you don't know how to do that, have a look here.
Run keychain once to see whether the installation went fine: a directory ~/.keychain should have been created.

3. Loading key chain at first logon

As the agent stays active until the next reboot, it must be started at logon. Therefore we modify ~/.bash_profile and add:

    # on this next line, we start keychain and point it to the private keys that
    # we'd like it to cache
    /usr/bin/keychain ~/.ssh/id_dsa

    # let the shell know about ssh-agent
    source ~/.keychain/<computer-name>-sh > /dev/null

    # sourcing ~/.bashrc is a good thing
    source ~/.bashrc

What this does:

  • /usr/bin/keychain ~/.ssh/id_dsa loads the key id_dsa; the first time this happens you will be asked for the passphrase. Multiple key files can be added, separated by spaces
  • source ~/.keychain/<computer-name>-sh > /dev/null makes the agent's environment variables available in the current shell

Finally we add the line source ~/.keychain/ws-sven-sh to ~/.bashrc so that these environment variables are present in every shell.

Now if you log off and on again you should see the following, and keychain should ask you for the passphrase:

    KeyChain 2.5.3.1; http://www.gentoo.org/proj/en/keychain/
    Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL

    * Found existing ssh-agent (4110)
    * Known ssh key: /home/sven/.ssh/id_dsa

4. Using keychain

For using keychain interactively there is nothing else to do. But we are interested in using keychain for running batch jobs.
To give cron jobs access to the agent there are two ways:

  • if you are using scripts, just add source ~/.keychain/<computer-name>-sh > /dev/null to the script before executing ssh
  • if you call ssh directly from your crontab, just add source ~/.keychain/<computer-name>-sh > /dev/null && in front of ssh
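Both cron variants above, like the ~/.bash_profile lines from section 3, rely on two things: the agent is still alive, and the ~/.keychain/<computer-name>-sh file is trustworthy, because sourcing it executes whatever it contains in every shell. The POSIX sh helpers below are added here as an illustration; they are not code from the article or from the keychain project. They refuse to source an env file that is group- or world-writable, check that sourcing it actually defined SSH_AUTH_SOCK and that the socket still exists, and only then run the command, so a batch job fails with a clear message instead of hanging on a passphrase prompt nobody will answer. The function names, the demo file created under mktemp -d, the socket path /tmp/ssh-demo/agent.4110 and the host backup@example.invalid are all made up for the example. Cron runs its commands under /bin/sh, where `.` is the portable spelling of bash's `source`, which is why the helpers use it.

```shell
#!/bin/sh
# Added example, not code from the original article or the keychain project.
# Helpers for cron jobs that use keychain's ~/.keychain/<host>-sh file.

# keychain_env_safe FILE: 0 if FILE exists and is neither group- nor
# world-writable. The file is executed by every shell that sources it, so a
# writable copy would be a code-execution path into the user's sessions.
keychain_env_safe() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" \( -perm -020 -o -perm -002 \) -print)" ]
}

# source_keychain_env FILE: source FILE (keychain writes "VAR=x; export VAR;"
# lines) and verify that it defined SSH_AUTH_SOCK.
source_keychain_env() {
    keychain_env_safe "$1" || { echo "refusing to source $1" >&2; return 1; }
    unset SSH_AUTH_SOCK SSH_AGENT_PID      # do not trust stale values
    . "$1" > /dev/null
    [ -n "${SSH_AUTH_SOCK:-}" ] || { echo "no SSH_AUTH_SOCK in $1" >&2; return 1; }
}

# agent_reachable: 0 if SSH_AUTH_SOCK names an existing unix socket.
agent_reachable() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# run_with_agent FILE CMD...: what a crontab line or batch script calls in
# place of a bare "source ~/.keychain/<host>-sh > /dev/null && ssh ...".
run_with_agent() {
    _f=$1; shift
    source_keychain_env "$_f" || return 1
    agent_reachable || {
        echo "agent socket $SSH_AUTH_SOCK is gone; was the machine rebooted?" >&2
        return 1
    }
    "$@"
}

# Constructed demo file in keychain's format (hypothetical values). It points
# at a socket that does not exist, which is exactly what a cron job sees after
# a reboot when nobody has logged in to re-enter the passphrase.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
DEMO_ENV="$DEMO_DIR/demo-host-sh"
cat > "$DEMO_ENV" <<'EOF'
SSH_AUTH_SOCK=/tmp/ssh-demo/agent.4110; export SSH_AUTH_SOCK;
SSH_AGENT_PID=4111; export SSH_AGENT_PID;
EOF
chmod 600 "$DEMO_ENV"

# example.invalid is a placeholder host; ssh is never reached here because
# the agent check fails first.
if run_with_agent "$DEMO_ENV" ssh -o BatchMode=yes backup@example.invalid true; then
    echo "agent reachable, command ran"
else
    echo "batch job aborted cleanly instead of hanging on a passphrase prompt"
fi
```

When installed as a library of functions (drop the demo section at the end), a crontab entry collapses to one line such as `0 2 * * * . $HOME/cron/kc-helpers.sh && run_with_agent $HOME/.keychain/<computer-name>-sh ssh -o BatchMode=yes backup@example.invalid true` (paths and host hypothetical); BatchMode=yes additionally makes ssh itself fail rather than prompt when no usable key is offered by the agent.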

5. References

More details about keychain, as well as a series of articles about keychain and ssh-agent, can be found here.