The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.
Difference between revisions of "Funtoo:Keychain"
(27 intermediate revisions by 7 users not shown) | |||
Line 1: | Line 1: | ||
{{ | {{Project | ||
| | |summary=Keychain helps you to manage SSH and GPG keys in a convenient and secure manner. It acts as a frontend to ssh-agent and ssh-add, but allows you to easily have one long running ssh-agent process per system, rather than the norm of one ssh-agent per login session. | ||
|Project Category=Security | |||
|leads=Drobbins | |||
}} | }} | ||
<tt>Keychain</tt> helps you to manage SSH and GPG keys in a convenient and secure manner. It acts as a frontend to <tt>ssh-agent</tt> and <tt>ssh-add</tt>, but allows you to easily have one long running <tt>ssh-agent</tt> process per system, rather than the norm of one <tt>ssh-agent</tt> per login session. | |||
This dramatically reduces the number of times you need to enter your passphrase. With <tt>keychain</tt>, you only need to enter a passphrase once every time your local machine is rebooted. <tt>Keychain</tt> also makes it easy for remote cron jobs to securely "hook in" to a long-running <tt>ssh-agent</tt> process, allowing your scripts to take advantage of key-based logins. | |||
Those who are new to OpenSSH and the use of public/private keys for authentication may want to check out the following articles by Daniel Robbins, which will provide a gentle introduction to the concepts used by Keychain: | |||
* [[OpenSSH Key Management, Part 1]] | |||
* [[OpenSSH Key Management, Part 2]] | |||
* [[OpenSSH Key Management, Part 3]] | |||
== Download and Resources == | == Download and Resources == | ||
The latest release of keychain is version <tt>2. | The latest release of keychain is version <tt>2.8.5</tt>, and was released on January 24, 2018. The current version of keychain supports <tt>gpg-agent</tt> as well as <tt>ssh-agent</tt> (including GPG2.) | ||
Keychain is compatible with many operating systems, including <tt>AIX</tt>, <tt>*BSD</tt>, <tt>Cygwin</tt>, <tt>MacOS X</tt>, <tt>Linux</tt>, <tt>HP/UX</tt>, <tt>Tru64 UNIX</tt>, <tt>IRIX</tt>, <tt>Solaris</tt> and <tt>GNU Hurd</tt>. | Keychain is compatible with many operating systems, including <tt>AIX</tt>, <tt>*BSD</tt>, <tt>Cygwin</tt>, <tt>MacOS X</tt>, <tt>Linux</tt>, <tt>WSL</tt>, <tt>HP/UX</tt>, <tt>Tru64 UNIX</tt>, <tt>IRIX</tt>, <tt>Solaris</tt> and <tt>GNU Hurd</tt>. | ||
=== Download === | === Download === | ||
The latest release of Keychain can be found on the [https://github.com/funtoo/keychain/releases keychain GitHub release page]. | |||
Keychain development sources can be found | Keychain development sources can be found [https://github.com/funtoo/keychain on GitHub.] Please feel free to use the GitHub issue tracker to report bugs. Alternatively, the [https://bugs.funtoo.org Funtoo Linux bug tracker] can be used. For support, you can visit us in the [irc://irc.freenode.net/funtoo #funtoo irc channel] or the [https://forums.funtoo.org Funtoo forums] for keychain support questions. | ||
=== Project History === | === Project History === | ||
Line 37: | Line 33: | ||
On April 21, 2004, Aron Griffis committed a major rewrite of <tt>keychain</tt> which was released as 2.2.0. Aron continued to actively maintain and improve <tt>keychain</tt> through October 2006 and the <tt>keychain</tt> 2.6.8 release. He also made a few commits after that date, up through mid-July, 2007. At this point, <tt>keychain</tt> had reached a point of maturity. | On April 21, 2004, Aron Griffis committed a major rewrite of <tt>keychain</tt> which was released as 2.2.0. Aron continued to actively maintain and improve <tt>keychain</tt> through October 2006 and the <tt>keychain</tt> 2.6.8 release. He also made a few commits after that date, up through mid-July, 2007. At this point, <tt>keychain</tt> had reached a point of maturity. | ||
In mid-July, 2009, Daniel Robbins migrated Aron's mercurial repository to git and set up a new project page on funtoo.org, and made a few bug fix commits to the git repo that had been collecting in [http://bugs.gentoo.org bugs.gentoo.org]. Daniel | In mid-July, 2009, Daniel Robbins migrated Aron's mercurial repository to git and set up a new project page on funtoo.org, and made a few bug fix commits to the git repo that had been collecting in [http://bugs.gentoo.org bugs.gentoo.org]. Daniel maintained keychain through September of 2017. | ||
== Quick Setup == | == Quick Setup == | ||
Line 48: | Line 44: | ||
</console> | </console> | ||
For other Linux distributions, use your distribution's package manager, or download and install using the source tarball above. Then generate RSA | For other Linux distributions, use your distribution's package manager, or download and install using the source tarball above. Then generate RSA keys if necessary. The quick install docs assume you have a RSA key pair named <tt>id_rsa</tt> and <tt>id_rsa.pub</tt> in your <tt>~/.ssh/</tt> directory. Add the following to your <tt>~/.bash_profile</tt>: | ||
{{file|name=~/.bash_profile|body= | {{file|name=~/.bash_profile|body= | ||
Line 58: | Line 54: | ||
=== Apple MacOS X === | === Apple MacOS X === | ||
Assuming you have an <tt>id_rsa</tt> and <tt>id_rsa.pub</tt> key pair in your <tt>~/.ssh/</tt> directory, add the following to your <tt>~/.bash_profile</tt>: | |||
{{file|name=~/.bash_profile|body= | {{file|name=~/.bash_profile|body= | ||
eval `keychain --eval --agents ssh --inherit any | eval `keychain --eval --agents ssh --inherit any id_rsa` | ||
}} | }} | ||
{{Fancynote|The <tt>--inherit any</tt> option above causes keychain to inherit any ssh key passphrases stored in your Apple MacOS Keychain. If you would prefer for this to not happen, then this option can be omitted.}} | {{Fancynote|The <tt>--inherit any</tt> option above causes keychain to inherit any ssh key passphrases stored in your Apple MacOS Keychain. If you would prefer for this to not happen, then this option can be omitted.}} | ||
=== Fish Shell === | |||
Currently, keychain is not compatible with Fish shell. | |||
== Background == | == Background == | ||
Line 72: | Line 71: | ||
Typically, when one uses <tt>ssh</tt> to connect to a remote system, one supplies a secret passphrase to <tt>ssh</tt>, which is then passed in encrypted form over the network to the remote server. This passphrase is used by the remote <tt>sshd</tt> server to determine if you should be granted access to the system. | Typically, when one uses <tt>ssh</tt> to connect to a remote system, one supplies a secret passphrase to <tt>ssh</tt>, which is then passed in encrypted form over the network to the remote server. This passphrase is used by the remote <tt>sshd</tt> server to determine if you should be granted access to the system. | ||
However, OpenSSH and nearly all other SSH clients and servers have the ability to perform another type of authentication, called asymmetric public key authentication, using the RSA or | However, OpenSSH and nearly all other SSH clients and servers have the ability to perform another type of authentication, called asymmetric public key authentication, using the RSA or other authentication algorithms. They are very useful, but can also be complicated to use. <tt>keychain</tt> has been designed to make it easy to take advantage of the benefits of public key authentication. | ||
== Generating a Key Pair == | == Generating a Key Pair == | ||
To use | To use public key authentication, first you use a program called <tt>ssh-keygen</tt> (included with OpenSSH) to generate a ''key pair'' -- two small files. One of the files is the ''public key''. The other small file contains the ''private key''. <tt>ssh-keygen</tt> will ask you for a passphrase, and this passphrase will be used to encrypt your private key. You will need to supply this passphrase to use your private key. If you wanted to generate a RSA key pair, you would do this: | ||
<console># ##i##ssh-keygen -t | <console># ##i##ssh-keygen -t rsa | ||
Generating public/private | Generating public/private rsa key pair.</console> | ||
You would then be prompted for a location to store your key pair. If you do not have one currently stored in <tt>~/.ssh</tt>, it is fine to accept the default location: | You would then be prompted for a location to store your key pair. If you do not have one currently stored in <tt>~/.ssh</tt>, it is fine to accept the default location: | ||
<console>Enter file in which to save the key (/root/.ssh/ | <console>Enter file in which to save the key (/root/.ssh/id_rsa): </console> | ||
Then, you are prompted for a passphrase. This passphrase is used to encrypt the ''private key'' on disk, so even if it is stolen, it will be difficult for someone else to use it to successfully authenticate as you with any accounts that have been configured to recognize your public key. | Then, you are prompted for a passphrase. This passphrase is used to encrypt the ''private key'' on disk, so even if it is stolen, it will be difficult for someone else to use it to successfully authenticate as you with any accounts that have been configured to recognize your public key. | ||
Line 91: | Line 90: | ||
<console>Enter passphrase (empty for no passphrase): ##i######### | <console>Enter passphrase (empty for no passphrase): ##i######### | ||
Enter same passphrase again: ##i######### | Enter same passphrase again: ##i######### | ||
Your identification has been saved in /var/tmp/ | Your identification has been saved in /var/tmp/id_rsa. | ||
Your public key has been saved in /var/tmp/ | Your public key has been saved in /var/tmp/id_rsa.pub. | ||
The key fingerprint is: | The key fingerprint is: | ||
5c:13:ff:46:7d:b3:bf:0e:37:1e:5e:8c:7b:a3:88:f4 root@devbox-ve | 5c:13:ff:46:7d:b3:bf:0e:37:1e:5e:8c:7b:a3:88:f4 root@devbox-ve | ||
</console> | |||
== Setting up Authentication == | == Setting up Authentication == | ||
Here's how you use these files to authenticate with a remote server. On the remote server, you would append the contents of your ''public key'' to the <tt>~.ssh/authorized_keys</tt> file, if such a file exists. If it doesn't exist, you can simply create a new <tt>authorized_keys</tt> file in the remote account's <tt>~/.ssh</tt> directory that contains the contents of your local <tt> | Here's how you use these files to authenticate with a remote server. On the remote server, you would append the contents of your ''public key'' to the <tt>~.ssh/authorized_keys</tt> file, if such a file exists. If it doesn't exist, you can simply create a new <tt>authorized_keys</tt> file in the remote account's <tt>~/.ssh</tt> directory that contains the contents of your local <tt>id_rsa.pub</tt> file. | ||
Then, if you weren't going to use <tt>keychain</tt>, you'd perform the following steps. On your local client, you would start a program called <tt>ssh-agent</tt>, which runs in the background. Then you would use a program called <tt>ssh-add</tt> to tell <tt>ssh-agent</tt> about your secret private key. Then, if you've set up your environment properly, the next time you run <tt>ssh</tt>, it will find <tt>ssh-agent</tt> running, grab the private key that you added to <tt>ssh-agent</tt> using <tt>ssh-add</tt>, and use this key to authenticate with the remote server. | Then, if you weren't going to use <tt>keychain</tt>, you'd perform the following steps. On your local client, you would start a program called <tt>ssh-agent</tt>, which runs in the background. Then you would use a program called <tt>ssh-add</tt> to tell <tt>ssh-agent</tt> about your secret private key. Then, if you've set up your environment properly, the next time you run <tt>ssh</tt>, it will find <tt>ssh-agent</tt> running, grab the private key that you added to <tt>ssh-agent</tt> using <tt>ssh-add</tt>, and use this key to authenticate with the remote server. | ||
Line 117: | Line 105: | ||
{{file|name=~/.bash_profile|body= | {{file|name=~/.bash_profile|body= | ||
eval `keychain --eval | eval `keychain --eval id_rsa` | ||
}} | }} | ||
The next time you log in or source your <tt>~/.bash_profile</tt> or if you use <tt>~/.bashrc</tt>, <tt>keychain</tt> will start, start <tt>ssh-agent</tt> for you if it has not yet been started, use <tt>ssh-add</tt> to add your <tt> | The next time you log in or source your <tt>~/.bash_profile</tt> or if you use <tt>~/.bashrc</tt>, <tt>keychain</tt> will start, start <tt>ssh-agent</tt> for you if it has not yet been started, use <tt>ssh-add</tt> to add your <tt>id_rsa</tt> private key file to <tt>ssh-agent</tt>, and set up your shell environment so that <tt>ssh</tt> will be able to find <tt>ssh-agent</tt>. If <tt>ssh-agent</tt> is already running, <tt>keychain</tt> will ensure that your <tt>id_rsa</tt> private key has been added to <tt>ssh-agent</tt> and then set up your environment so that <tt>ssh</tt> can find the already-running <tt>ssh-agent</tt>. It will look something like this: | ||
https://github.com/funtoo/keychain/raw/master/img/keychain-1.png | |||
Note that when <tt>keychain</tt> runs for the first time after your local system has booted, you will be prompted for a passphrase for your private key file if it is encrypted. But here's the nice thing about using <tt>keychain</tt> -- even if you are using an encrypted private key file, you will only need to enter your passphrase when your system first boots (or in the case of a server, when you first log in.) After that, <tt>ssh-agent</tt> is already running and has your decrypted private key cached in memory. So if you open a new shell, you will see something like this: | Note that when <tt>keychain</tt> runs for the first time after your local system has booted, you will be prompted for a passphrase for your private key file if it is encrypted. But here's the nice thing about using <tt>keychain</tt> -- even if you are using an encrypted private key file, you will only need to enter your passphrase when your system first boots (or in the case of a server, when you first log in.) After that, <tt>ssh-agent</tt> is already running and has your decrypted private key cached in memory. So if you open a new shell, you will see something like this: | ||
https://github.com/funtoo/keychain/raw/master/img/keychain-2.png | |||
This means that you can now <tt>ssh</tt> to your heart's content, without supplying a passphrase. | This means that you can now <tt>ssh</tt> to your heart's content, without supplying a passphrase. | ||
You can also execute batch <tt>cron</tt> jobs and scripts that need to use <tt>ssh</tt> or <tt>scp</tt>, and they can take advantage of passwordless | You can also execute batch <tt>cron</tt> jobs and scripts that need to use <tt>ssh</tt> or <tt>scp</tt>, and they can take advantage of passwordless public key authentication as well. To do this, you would add the following line to the top of a bash script: | ||
{{file|name=example-script.sh|body= | {{file|name=example-script.sh|body= | ||
eval `keychain --noask --eval | eval `keychain --noask --eval id_rsa` || exit 1 | ||
}} | }} | ||
Line 141: | Line 133: | ||
{{file|name=~/.bash_profile|body= | {{file|name=~/.bash_profile|body= | ||
eval `keychain --agents ssh --eval | eval `keychain --agents ssh --eval id_rsa` || exit 1 | ||
}} | }} | ||
Line 179: | Line 171: | ||
<console> | <console> | ||
$##i## keychain --dir ~/.ssh/.keychain ~/.ssh/ | $##i## keychain --dir ~/.ssh/.keychain ~/.ssh/id_dsa DEADBEEF | ||
$##i## source ~/.ssh/.keychain/$HOST-sh | $##i## source ~/.ssh/.keychain/$HOST-sh | ||
$##i## source ~/.ssh/.keychain/$HOST-sh-gpg | $##i## source ~/.ssh/.keychain/$HOST-sh-gpg | ||
</console> | </console> | ||
==== GPG Key Format ==== | |||
Running on for example <tt>Ubuntu 18.04 LTS</tt> (the most common <tt>WSL</tt> distribution) with keychain version 2.8.2 and GPG version 2.2.4 produces a problem where GPG can not find keys with error message | |||
<console> | |||
$ keychain --eval --agents gpg DEADBEEF | |||
* keychain 2.8.2 ~ http://www.funtoo.org | |||
* Found existing gpg-agent: 42 | |||
GPG_AGENT_INFO=/home/user/.gnupg/S.gpg-agent:42:1; export GPG_AGENT_INFO; | |||
* Warning: can't find DEADBEEF; skipping | |||
</console> | |||
This can be fixed by configuring GPG to use the long key ID format | |||
{{file|name=~/.gnupg/gpg.conf|body= | |||
keyid-format LONG}} | |||
==== GPG Cache Time ==== | |||
By default the GPG agent sets the default cache time to 600 seconds and the maximum cache time to 7200 seconds. You may wish to consider changing these options if you tend to use a long running session and wish to keep your gpg key cached. To do so set the options in ~/.gnupg/gpg-agent.conf. | |||
===== GnuPG version up to 2 ===== | |||
{{file|name=~/.gnupg/gpg-agent.conf|body= | |||
default-cache-ttl 84000 | |||
maximum-cache-ttl 84000}} | |||
===== GnuPG version 2.1 and above ===== | |||
{{file|name=~/.gnupg/gpg-agent.conf|body= | |||
default-cache-ttl 84000 | |||
max-cache-ttl 84000}} | |||
=== Learning More === | === Learning More === | ||
Line 196: | Line 221: | ||
* [http://www.ibm.com/developerworks/library/l-keyc3/ Common Threads: OpenSSH key management, Part 3] - Agent forwarding and <tt>keychain</tt> improvements | * [http://www.ibm.com/developerworks/library/l-keyc3/ Common Threads: OpenSSH key management, Part 3] - Agent forwarding and <tt>keychain</tt> improvements | ||
As mentioned at the top of the page, <tt>keychain</tt> development sources can be found in the [http://www.github.com/funtoo/keychain keychain git repository]. Please use the [http:// | As mentioned at the top of the page, <tt>keychain</tt> development sources can be found in the [http://www.github.com/funtoo/keychain keychain git repository]. Please use the [http://forums.funtoo.org Funtoo Forums] and [irc://irc.freenode.net/funtoo #funtoo irc channel] for keychain support questions as well as bug reports. | ||
[[Category:HOWTO]] | [[Category:HOWTO]] | ||
{{ArticleFooter}} | {{ArticleFooter}} | ||
{{ProjectFooter}} |
Latest revision as of 03:23, February 25, 2022
Keychain helps you to manage SSH and GPG keys in a convenient and secure manner. It acts as a frontend to ssh-agent and ssh-add, but allows you to easily have one long running ssh-agent process per system, rather than the norm of one ssh-agent per login session.
This dramatically reduces the number of times you need to enter your passphrase. With keychain, you only need to enter a passphrase once every time your local machine is rebooted. Keychain also makes it easy for remote cron jobs to securely "hook in" to a long-running ssh-agent process, allowing your scripts to take advantage of key-based logins.
Those who are new to OpenSSH and the use of public/private keys for authentication may want to check out the following articles by Daniel Robbins, which will provide a gentle introduction to the concepts used by Keychain:
Download and Resources
The latest release of keychain is version 2.8.5, and was released on January 24, 2018. The current version of keychain supports gpg-agent as well as ssh-agent (including GPG2.)
Keychain is compatible with many operating systems, including AIX, *BSD, Cygwin, MacOS X, Linux, WSL, HP/UX, Tru64 UNIX, IRIX, Solaris and GNU Hurd.
Download
The latest release of Keychain can be found on the keychain GitHub release page.
Keychain development sources can be found on GitHub. Please feel free to use the GitHub issue tracker to report bugs. Alternatively, the Funtoo Linux bug tracker can be used. For support, you can visit us in the #funtoo irc channel or the Funtoo forums for keychain support questions.
Project History
Daniel Robbins originally wrote keychain 1.0 through 2.0.3. 1.0 was written around June 2001, and 2.0.3 was released in late August, 2002.
After 2.0.3, keychain was maintained by various Gentoo developers, including Seth Chandler, Mike Frysinger and Robin H. Johnson, through July 3, 2003.
On April 21, 2004, Aron Griffis committed a major rewrite of keychain which was released as 2.2.0. Aron continued to actively maintain and improve keychain through October 2006 and the keychain 2.6.8 release. He also made a few commits after that date, up through mid-July, 2007. At this point, keychain had reached a point of maturity.
In mid-July, 2009, Daniel Robbins migrated Aron's mercurial repository to git and set up a new project page on funtoo.org, and made a few bug fix commits to the git repo that had been collecting in bugs.gentoo.org. Daniel maintained keychain through September of 2017.
Quick Setup
Linux
To install under Gentoo or Funtoo Linux, type
root # emerge keychain
For other Linux distributions, use your distribution's package manager, or download and install using the source tarball above. Then generate RSA keys if necessary. The quick install docs assume you have a RSA key pair named id_rsa and id_rsa.pub in your ~/.ssh/ directory. Add the following to your ~/.bash_profile:
~/.bash_profile
eval `keychain --eval --agents ssh id_rsa`
If you want to take advantage of GPG functionality, ensure that GNU Privacy Guard is installed and omit the --agents ssh option above.
Apple MacOS X
Assuming you have an id_rsa and id_rsa.pub key pair in your ~/.ssh/ directory, add the following to your ~/.bash_profile:
~/.bash_profile
eval `keychain --eval --agents ssh --inherit any id_rsa`
The --inherit any option above causes keychain to inherit any ssh key passphrases stored in your Apple MacOS Keychain. If you would prefer for this to not happen, then this option can be omitted.
Fish Shell
Currently, keychain is not compatible with Fish shell.
Background
You're probably familiar with ssh, which has become a secure replacement for the venerable telnet and rsh commands.
Typically, when one uses ssh to connect to a remote system, one supplies a secret passphrase to ssh, which is then passed in encrypted form over the network to the remote server. This passphrase is used by the remote sshd server to determine if you should be granted access to the system.
However, OpenSSH and nearly all other SSH clients and servers have the ability to perform another type of authentication, called asymmetric public key authentication, using the RSA or other authentication algorithms. They are very useful, but can also be complicated to use. keychain has been designed to make it easy to take advantage of the benefits of public key authentication.
Generating a Key Pair
To use public key authentication, first you use a program called ssh-keygen (included with OpenSSH) to generate a key pair -- two small files. One of the files is the public key. The other small file contains the private key. ssh-keygen will ask you for a passphrase, and this passphrase will be used to encrypt your private key. You will need to supply this passphrase to use your private key. If you wanted to generate a RSA key pair, you would do this:
root # ssh-keygen -t rsa Generating public/private rsa key pair.
You would then be prompted for a location to store your key pair. If you do not have one currently stored in ~/.ssh, it is fine to accept the default location:
Enter file in which to save the key (/root/.ssh/id_rsa):
Then, you are prompted for a passphrase. This passphrase is used to encrypt the private key on disk, so even if it is stolen, it will be difficult for someone else to use it to successfully authenticate as you with any accounts that have been configured to recognize your public key.
Note that conversely, if you do not provide a passphrase for your private key file, then your private key file will not be encrypted. This means that if someone steals your private key file, they will have the full ability to authenticate with any remote accounts that are set up with your public key.
Below, I have supplied a passphrase so that my private key file will be encrypted on disk:
Enter passphrase (empty for no passphrase): ####### Enter same passphrase again: ####### Your identification has been saved in /var/tmp/id_rsa. Your public key has been saved in /var/tmp/id_rsa.pub. The key fingerprint is: 5c:13:ff:46:7d:b3:bf:0e:37:1e:5e:8c:7b:a3:88:f4 root@devbox-ve
Setting up Authentication
Here's how you use these files to authenticate with a remote server. On the remote server, you would append the contents of your public key to the ~.ssh/authorized_keys file, if such a file exists. If it doesn't exist, you can simply create a new authorized_keys file in the remote account's ~/.ssh directory that contains the contents of your local id_rsa.pub file.
Then, if you weren't going to use keychain, you'd perform the following steps. On your local client, you would start a program called ssh-agent, which runs in the background. Then you would use a program called ssh-add to tell ssh-agent about your secret private key. Then, if you've set up your environment properly, the next time you run ssh, it will find ssh-agent running, grab the private key that you added to ssh-agent using ssh-add, and use this key to authenticate with the remote server.
Again, the steps in the previous paragraph is what you'd do if keychain wasn't around to help. If you are using keychain, and I hope you are, you would simply add the following line to your ~/.bash_profile or if a regular user to~/.bashrc :
~/.bash_profile
eval `keychain --eval id_rsa`
The next time you log in or source your ~/.bash_profile or if you use ~/.bashrc, keychain will start, start ssh-agent for you if it has not yet been started, use ssh-add to add your id_rsa private key file to ssh-agent, and set up your shell environment so that ssh will be able to find ssh-agent. If ssh-agent is already running, keychain will ensure that your id_rsa private key has been added to ssh-agent and then set up your environment so that ssh can find the already-running ssh-agent. It will look something like this:
https://github.com/funtoo/keychain/raw/master/img/keychain-1.png
Note that when keychain runs for the first time after your local system has booted, you will be prompted for a passphrase for your private key file if it is encrypted. But here's the nice thing about using keychain -- even if you are using an encrypted private key file, you will only need to enter your passphrase when your system first boots (or in the case of a server, when you first log in.) After that, ssh-agent is already running and has your decrypted private key cached in memory. So if you open a new shell, you will see something like this:
https://github.com/funtoo/keychain/raw/master/img/keychain-2.png
This means that you can now ssh to your heart's content, without supplying a passphrase.
You can also execute batch cron jobs and scripts that need to use ssh or scp, and they can take advantage of passwordless public key authentication as well. To do this, you would add the following line to the top of a bash script:
example-script.sh
eval `keychain --noask --eval id_rsa`
The extra --noask option tells keychain that it should not prompt for a passphrase if one is needed. Since it is not running interactively, it is better for the script to fail if the decrypted private key isn't cached in memory via ssh-agent.
Keychain Options
Specifying Agents
In the images above, you will note that keychain starts ssh-agent, but also starts gpg-agent. Modern versions of keychain also support caching decrypted GPG keys via use of gpg-agent, and will start gpg-agent by default if it is available on your system. To avoid this behavior and only start ssh-agent, modify your ~/.bash_profile as follows:
~/.bash_profile
eval `keychain --agents ssh --eval id_rsa`
The additional --agents ssh option tells keychain just to manage ssh-agent, and ignore gpg-agent even if it is available.
Clearing Keys
Sometimes, it might be necessary to flush all cached keys in memory. To do this, type:
root # keychain --clear
Any agent(s) will continue to run.
Improving Security
To improve the security of keychain, some people add the --clear option to their ~/.bash_profile keychain invocation. The rationale behind this is that any user logging in should be assumed to be an intruder until proven otherwise. This means that you will need to re-enter any passphrases when you log in, but cron jobs will still be able to run when you log out.
Stopping Agents
If you want to stop all agents, which will also of course cause your keys/identities to be flushed from memory, you can do this as follows:
root # keychain -k all
If you have other agents running under your user account, you can also tell keychain to just stop only the agents that keychain started:
root # keychain -k mine
GPG
Keychain can ask you for your GPG passphrase if you provide it the GPG key ID. To find it out:
user $ gpg -k pub 2048R/DEADBEEF 2012-08-16 uid Name (Comment) <email@host.tld> sub 2048R/86D2FAC6 2012-08-16
Note the DEADBEEF above is the ID. Then, in your login script, do your usual
user $ keychain --dir ~/.ssh/.keychain ~/.ssh/id_dsa DEADBEEF user $ source ~/.ssh/.keychain/$HOST-sh user $ source ~/.ssh/.keychain/$HOST-sh-gpg
GPG Key Format
Running on for example Ubuntu 18.04 LTS (the most common WSL distribution) with keychain version 2.8.2 and GPG version 2.2.4 produces a problem where GPG can not find keys with error message
user $ keychain --eval --agents gpg DEADBEEF * keychain 2.8.2 ~ http://www.funtoo.org * Found existing gpg-agent: 42 GPG_AGENT_INFO=/home/user/.gnupg/S.gpg-agent:42:1; export GPG_AGENT_INFO; * Warning: can't find DEADBEEF; skipping
This can be fixed by configuring GPG to use the long key ID format
~/.gnupg/gpg.conf
keyid-format LONG
GPG Cache Time
By default the GPG agent sets the default cache time to 600 seconds and the maximum cache time to 7200 seconds. You may wish to consider changing these options if you tend to use a long running session and wish to keep your gpg key cached. To do so set the options in ~/.gnupg/gpg-agent.conf.
GnuPG version up to 2
~/.gnupg/gpg-agent.conf
default-cache-ttl 84000
maximum-cache-ttl 84000
GnuPG version 2.1 and above
~/.gnupg/gpg-agent.conf
default-cache-ttl 84000
max-cache-ttl 84000
Learning More
The instructions above will work on any system that uses bash as its default shell, such as most Linux systems and Mac OS X.
To learn more about the many things that keychain can do, including alternate shell support, consult the keychain man page, or type keychain --help | less for a full list of command options.
I also recommend you read my original series of articles about OpenSSH that I wrote for IBM developerWorks, called OpenSSH Key Management. Please note that keychain 1.0 was released along with Part 2 of this article, which was written in 2001. keychain has changed quite a bit since then. In other words, read these articles for the conceptual and OpenSSH information, but consult the keychain man page for command-line options and usage instructions :)
- Common Threads: OpenSSH key management, Part 1 - Understanding RSA/DSA Authentication
- Common Threads: OpenSSH key management, Part 2 - Introducing ssh-agent and keychain
- Common Threads: OpenSSH key management, Part 3 - Agent forwarding and keychain improvements
As mentioned at the top of the page, keychain development sources can be found in the keychain git repository. Please use the Funtoo Forums and #funtoo irc channel for keychain support questions as well as bug reports.
Browse all our available articles below. Use the search field to search for topics and keywords in real-time.