Gentoo Logo

Gentoo Linux Keychain Guide

Content:

1.  Background

The problem at hand

So you have all of these lovely Gentoo machines running sshd, but it's a little inconvenient for you to keep typing in all of those login passwords, right? Or maybe you have a script or cron-job that needs a convenient way to use an ssh connection. Either way, there is a solution to this problem, and it begins with public key authentication.

How does public key authentication work?

Assume we have a client that wants to connect to sshd on a server. The client first generates a key pair and gives the public key to the server. Afterwards, whenever the client attempts to connect, the server sends a challenge that is encrypted with that public key. Only the holder of the corresponding private key (the client) is able to decrypt it, so as you might have guessed, the correct response leads to successful authentication.

2.  How to use public key authentication

Generating your key pair

The first step is to create your key pair. To do this, we will use the ssh-keygen command as follows:

Code Listing 2.1: Generating the key pair

$ ssh-keygen -t dsa
(Just accept the default values, and make sure to enter a strong passphrase)

Warning: Be sure to choose a strong passphrase, especially if this key is used for root logons!

You should now have a private key in ~/.ssh/id_dsa and a public key in ~/.ssh/id_dsa.pub. We are ready to copy the public key over to the remote host.

Preparing the server

We will be copying the ~/.ssh/id_dsa.pub file over to the server that runs sshd. We will also be adding it to the ~/.ssh/authorized_keys file that belongs the connecting user on that server. Here's an example of how to do that if you already have ssh access to the server.

Code Listing 2.2: Copying the public key to the server

$ scp ~/.ssh/id_dsa.pub server_user@server:~/myhost.pub
$ ssh server_user@server "cat ~/myhost.pub >> ~/.ssh/authorized_keys"
$ ssh server_user@server "cat ~/.ssh/authorized_keys"

The output from that last line should show you the contents of the ~/.ssh/authorized_keys file. Make sure it looks correct.

Testing the setup

Theoretically, if all went well, and the ssh daemon on the server allows it, we should be able to get ssh access without a password on the server now. We will still need to decrypt the private key on the client with the passphrase we used before, but this should not be confused with the passphrase of the user account on the server.

Code Listing 2.3: Testing the keys

$ ssh server_user@server

Hopefully, it asked you for your passphrase for id_dsa, and you were able to gain ssh access as server_user on the server. If not, login as server_user, and verify the contents of ~/.ssh/authorized_keys to make sure each entry is on a single line. You might also want to check the sshd configuration to make sure that it prefers to use public key authorization when available.

At this point, you're probably thinking, "What's the point, I just replaced one password with another?!" Relax, the next section will show you exactly how we can use this to save your precious time.

3.  Making public key authentication convenient

Typical key management with ssh-agent

If you've been following along, you're probably thinking that it would be great if we could somehow decrypt our private key(s) once, and gain the ability to ssh freely, without any passwords. You are in luck, that is exactly what the program ssh-agent is for.

The program ssh-agent is usually started at the beginning of your X session, or from a shell startup script like ~/.bash_profile. It works by creating a unix-socket, and registering the appropriate environment variables so that all subsequent applications can take advantage of it's services by connecting to that socket. Clearly, it only makes sense to start it in the parent process of your X session if you want to use the set of decrypted private keys in all subsequent X applications.

Code Listing 3.1: Preparing ssh-agent

$ ssh-agent

Note: This ssh-agent will keep keys decrypted until you kill ssh-agent. If you want to set a lifetime for the keys, use the -t argument as described in man ssh-agent.

When you run ssh-agent, it should tell you the PID of the running ssh-agent, and also set a few environment variables, namely SSH_AUTH_SOCK and SSH_AGENT_PID. It should also automatically add ~/.ssh/id_dsa to it's collection and ask you for the corresponding passphrase. If you have other private keys you want to add to the running ssh-agent, you can use the ssh-add command as follows:

Code Listing 3.2: Adding more keys to ssh-agent

$ ssh-add somekeyfile

Now for the magic. Since you should now have your decrypted private key ready, you should be able to ssh into the server without entering any passwords.

Code Listing 3.3: Ssh without passwords

$ ssh server

It would be nice to know how to shut down ssh-agent in case you need to, right?

Code Listing 3.4: Shutting down ssh-agent

$ ssh-agent -k

Note: If you had problems getting ssh-agent to work, it might still be running. You can kill it like any other process by running killall ssh-agent.

If you want even more convenience from ssh-agent, proceed to the next section on using keychain. Be sure to kill the running ssh-agent as in the example above if you decide to do so.

Squeezing the last drop of convenience out of ssh-agent

Keychain will allow you to reuse an ssh-agent between logins, and optionally prompt for passphrases each time the user logs in. Before we get ahead of ourselves though, let's emerge it first.

Code Listing 3.5: Installing keychain

# emerge keychain

Assuming that was successful, we can now use keychain freely. Add the following to your ~/.bash_profile to enable it:

Code Listing 3.6: Enabling keychain in .bash_profile

keychain ~/.ssh/id_dsa
. ~/.keychain/$HOSTNAME-sh

Note: You can add more private keys to the command line as you desire. Also, if you want it to ask for passphrases each time you spawn a shell, add the --clear option.

Note: If you are not using bash, check the EXAMPLES section of man keychain for examples of use in other shells. The idea is to get those commands to run each time you use a shell.

Let's test it. First make sure we killed the ssh-agent from the previous section, then start up a new shell, usually by just logging in, or spawning a new terminal. It should prompt you for the password for each key you specified on the command line. All shells opened after that point should reuse the ssh-agent, allowing you to make passwordless ssh connections over and over.

Using keychain with KDE

If you are a KDE user, instead of using ~/.bash_profile, you can let KDE manage ssh-agent for you. In order to do so, you will have to edit /usr/kde/${KDE_VERSION}/env/agent-startup.sh, which is read during KDE's startup, and /usr/kde/${KDE_VERSION}/shutdown/agent-shutdown.sh, which is executed during KDE's shutdown, where ${KDE_VERSION} corresponds to the first two version components of your KDE installation. For example, if you are using KDE 3.5.1, here is how you could edit those files:

Code Listing 3.7: Editing /usr/kde/3.5/env/agent-startup.sh

if [ -x /usr/bin/ssh-agent ]; then
  eval "$(/usr/bin/ssh-agent -s)"
fi

Code Listing 3.8: Editing /usr/kde/3.5/shutdown/agent-shutdown.sh

if [ -n "${SSH_AGENT_PID}" ]; then
  eval "$(ssh-agent -k)"
fi

Now, all you have to do is launch a term of your choice, like Konsole, and load the keys you would like to use. For example:

Code Listing 3.9: Loading ssh key

keychain ~/.ssh/id_dsa
(Enter your key password)

Your keys will be remembered until you end your KDE session or kill the ssh-agent manually.

4.  Concluding remarks

Security considerations

Of course, the use of ssh-agent may add a bit of insecurity to your system. If another user were to use your shell while you were in the bathroom, he could login to all of your servers without passwords. As a result, it is a risk to the servers you are connecting to, and you should be sure to consult the local security policy. If you do use it, be sure to take the appropriate measures to ensure the security of your sessions.

Troubleshooting

Most of this should work pretty well, but if you encounter problems, you'll certainly want to know a few useful things.

  • If you are unable to connect without ssh-agent, consider using ssh with the arguments -vvv to find out what's happening. Sometimes the server is not configured to use public key authentication, sometimes it is configured to ask for local passwords anyway! If that is the case, you may want to also use the -o option with ssh, or change the server sshd_config.
  • If you are having problems with ssh-agent or keychain, it may be that you are not using a shell that understands the commands they use. Consult the man pages for ssh-agent and keychain for details on working with other shells.

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.


Print

Updated April 29, 2007

Summary: This document describes how to use ssh shared keys along with the keychain program. It assumes basic knowledge of public key cryptography.

Eric Brown
Author

Marcelo Góes
Editor

Donate to support our development efforts.

Support OSL

Support OSL

Gentoo Centric Hosting: vr.org

VR Hosted

Tek Alchemy

Tek Alchemy

SevenL.net

SevenL.net

Global Netoptex Inc.

Global Netoptex Inc.

Linux World Expo

Linux World Expo
Copyright 2001-2008 Gentoo Foundation, Inc. Questions, Comments? Contact us.