Configuring SSH, ssh-agent, and keychain for passwordless logon
Don't run keychain on an untrusted machine.  The decrypted keys it caches are usable by anyone who can reach the agent socket, which includes root on that host.


For some background on ssh read here.

ssh-agent caches your decrypted private keys so you don't have to type in your passphrase every time you ssh, only when you first log in.  Used on its own it has limitations, for example cron jobs that run while you are not logged in have no agent to talk to.
To learn more about ssh-agent and its limitations read Daniel Robbins' article at IBM.

keychain is an ssh-agent front-end.  It keeps a single copy of ssh-agent running all the time, even after you log out, which is what makes it useful for cron.  I am not going to explain how ssh-agent and keychain work.  The article linked above has an excellent explanation.


This installation comes with SSH enabled.  ssh-agent comes with SSH.

I am currently using DSA authentication.  Create a DSA key pair and copy the public key to the server you need to access.  (DSA was the usual SSH-2 key type when this was written; current OpenSSH releases disable ssh-dss keys by default, so on a modern system use ssh-keygen -t ed25519 instead and substitute id_ed25519 for id_dsa in the file names below.)

as $USER
    $ ssh-keygen -t dsa
        enter passphrase
        again
    $ cat ~/.ssh/id_dsa.pub | ssh remotehost 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys2'
        ssh-keygen -t dsa writes the public key to ~/.ssh/id_dsa.pub (identity.pub is the old SSH-1 key file).
        Appending with >> keeps any keys already in ~/.ssh/authorized_keys2; a plain scp would overwrite them.
        authorized_keys2 is the older SSH-2 file name; current OpenSSH still reads it but uses ~/.ssh/authorized_keys as the primary file, and ssh-copy-id does this step for you where it is available.

Install keychain

as root
    # cd /usr/ports/security/keychain
    # make install

as $USER
    $ vi ~/.bash_profile
        /usr/local/bin/keychain $HOME/.ssh/id_dsa
        source $HOME/.keychain/$(hostname)-sh >/dev/null
        (keychain names the file after the machine's hostname, so $(hostname) expands to the right file name)

~/.bash_profile is run every time you log in.
The first line starts keychain and points it at the private key to cache.  You will be prompted for the passphrase the first time you log in after boot, or whenever the cached ssh-agent process is no longer running (for example because the server lost power or was rebooted).  Otherwise keychain finds the running agent and returns silently.

The second line sources the file keychain wrote, which sets the environment variables (SSH_AUTH_SOCK and SSH_AGENT_PID) that ssh needs to find the agent.

Log out, log back in, and enter the passphrase.
or
Run source ~/.bash_profile in the current shell and enter the passphrase there.
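Two helper functions for the procedure above, written as an added example rather than taken from the page or from keychain itself: install_pubkey appends a public key to an authorized_keys file without overwriting it or adding the same key twice, and agent_alive checks whether the agent recorded in a keychain file is still running, which is the condition under which keychain asks for the passphrase again.  The format of the keychain file (SSH_AGENT_PID=...; export SSH_AGENT_PID;) is assumed from ssh-agent's own output; the key line used below is constructed, not a real key.

```shell
#!/bin/sh
# Added example (not from the original page or from keychain).
# Assumes POSIX sh and OpenSSH-style key files.

# Append a public key to an authorized_keys file without clobbering it and
# without adding the same key twice.  Also sets the permissions sshd insists
# on (~/.ssh 700, authorized_keys 600); with looser permissions sshd silently
# ignores the file and you end up back at the password prompt.
#   usage: install_pubkey /path/to/id_dsa.pub /path/to/.ssh/authorized_keys
install_pubkey() {
    pub="$1"
    akeys="$2"
    keydir=$(dirname "$akeys")
    mkdir -p "$keydir" && chmod 700 "$keydir"
    touch "$akeys" && chmod 600 "$akeys"
    # Compare the key material (field 2), not the whole line, so a different
    # comment on the same key does not produce a duplicate entry.
    keydata=$(awk '{print $2}' "$pub")
    if awk -v k="$keydata" '$2 == k {found=1} END {exit !found}' "$akeys"; then
        echo "key already present in $akeys"
        return 0
    fi
    cat "$pub" >> "$akeys"
    echo "appended $(awk '{print $3}' "$pub") to $akeys"
}

# Check whether the agent recorded in a keychain file is still running.
# keychain writes ~/.keychain/<hostname>-sh containing lines of the form
#   SSH_AGENT_PID=1234; export SSH_AGENT_PID;     (assumed format)
# Returns 0 if that PID is alive, 1 if the file is missing or the agent is
# gone (e.g. after a reboot), which is when keychain re-prompts you.
#   usage: agent_alive ~/.keychain/$(hostname)-sh
agent_alive() {
    f="$1"
    [ -r "$f" ] || return 1
    pid=$(sed -n 's/^SSH_AGENT_PID=\([0-9]*\);.*/\1/p' "$f")
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}
```

Run install_pubkey on the remote host against the pub file you copied over, and call agent_alive from a cron job before it tries to ssh: if it returns 1 the job should exit rather than hang waiting for a passphrase nobody is there to type.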



Next: Setting up cron to do a remote backup