
Secure and easy OpenSSH key management UNIX
Security is good and passwords are boring. I use RSA/DSA key authentication when I connect to my web servers via SSH, and I had made a habit of not setting a passphrase on the keys. That way I could connect without typing anything at all. Very convenient, but not very secure: a private key stored without a passphrase is a ready-to-use credential, so anyone who got hold of the file could log in as me.

Thanks to the article "OpenSSH key management" by Daniel Robbins, Part 1 and Part 2, I now have a setup that is both secure *and* convenient: the keys are encrypted with a passphrase on disk, and ssh-agent holds the decrypted keys in memory so the passphrase is typed once per session.

The program that makes the solution work so well is Keychain, by the author of the article. Install Keychain and then add the necessary lines to your login script.



I use Bash for my shell and have put the following lines in the ~/.bashrc file.

# Keychain is an OpenSSH key manager: it starts one ssh-agent per host and
# reuses it across logins, so the passphrases are asked for once per boot.
# This will add my SSH1 and SSH2 keys (it prompts for their passphrases
# only if they are not already loaded in the agent).
/usr/local/bin/keychain ~/.ssh/identity ~/.ssh/id_dsa
# Pick up the agent's environment (SSH_AUTH_SOCK, SSH_AGENT_PID) in this shell.
# The Keychain release used here writes ~/.ssh-agent-${HOSTNAME}; later
# releases write ~/.keychain/${HOSTNAME}-sh instead, so check for both.
if [ -f ~/.ssh-agent-${HOSTNAME} ]; then
    source ~/.ssh-agent-${HOSTNAME}
elif [ -f ~/.keychain/${HOSTNAME}-sh ]; then
    source ~/.keychain/${HOSTNAME}-sh
fi

# Aliases to servers via SSH (ssh3 points at the same account as ssh2 here; adjust as needed)
alias ssh1='ssh userid1@domain.tld'
alias ssh2='ssh userid2@domain.tld'
alias ssh3='ssh userid2@domain.tld'
Now it's only after a reboot (very seldom in Mac OS X) that I need to enter the passphrases to unlock my SSH keys. Normally I only type "% ssh1" etc. and I'm connected to the remote server. The keys stay encrypted on disk; ssh-agent keeps the decrypted keys in memory and answers the server's challenge on my behalf, so the passphrase is never stored and never leaves the machine. The trade-off to keep in mind is that anyone who can run commands as your user while the agent is loaded can use the keys too, which is why the agent should be unloaded (or the machine locked) when you walk away. You can, of course, use scp in the same manner.
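The opening paragraph's point is that a private key stored without a passphrase is a plaintext credential. The following script is an added example, not part of the original hint or of the Keychain project: it audits a directory of private keys and reports which ones are stored in the clear, recognising the legacy PEM format (where an encrypted key carries a Proc-Type/DEK-Info header) and the native OpenSSH format (where the base64 body begins with the fixed encoding of "openssh-key-v1" followed by the cipher name, "none" for an unencrypted key). The function names are my own, and the sample keys it writes are constructed stubs with real headers and placeholder bodies, so it runs offline. SSH1 identity files are binary and are reported as unrecognised rather than parsed.

```shell
#!/bin/sh
# Added example (not from the original hint): audit a directory of SSH private
# keys and report which ones are stored without a passphrase. Such a key is a
# plaintext credential: whoever copies the file can log in as you. The sample
# keys below are constructed stubs with valid headers, not real key material.

# key_is_encrypted FILE
# exit 0 = passphrase-protected, 1 = stored in the clear, 2 = format not recognised
key_is_encrypted() {
    kie_file=$1
    kie_first=$(head -n 1 "$kie_file")
    case "$kie_first" in
        '-----BEGIN OPENSSH PRIVATE KEY-----')
            # Native OpenSSH format: the base64 body decodes to the magic
            # "openssh-key-v1\0" followed by a length-prefixed cipher name.
            # Base64 is deterministic, so a body starting with the encoding of
            # "openssh-key-v1\0" + "\0\0\0\4none" is an unencrypted key; any
            # other cipher name after the magic means the key is encrypted.
            kie_body=$(sed -n '2p' "$kie_file")
            case "$kie_body" in
                b3BlbnNzaC1rZXktdjEAAAAABG5vbmU*) return 1 ;;
                b3BlbnNzaC1rZXktdjEA*)            return 0 ;;
                *)                                return 2 ;;
            esac ;;
        '-----BEGIN RSA PRIVATE KEY-----'|'-----BEGIN DSA PRIVATE KEY-----'|'-----BEGIN EC PRIVATE KEY-----')
            # Legacy PEM format: an encrypted key carries "Proc-Type: 4,ENCRYPTED"
            # and a DEK-Info header before the body; a cleartext key has neither.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$kie_file"; then
                return 0
            fi
            return 1 ;;
        *)
            return 2 ;;
    esac
}

# count_cleartext_keys DIR: print how many recognised private keys in DIR lack
# a passphrase (to stdout), with a one-line verdict per file on stderr.
count_cleartext_keys() {
    cck_n=0
    for cck_f in "$1"/*; do
        [ -f "$cck_f" ] || continue
        if key_is_encrypted "$cck_f"; then cck_rc=0; else cck_rc=$?; fi
        case $cck_rc in
            0) echo "OK        $cck_f (passphrase-protected)" >&2 ;;
            1) echo "CLEARTEXT $cck_f (no passphrase; fix with: ssh-keygen -p -f $cck_f)" >&2
               cck_n=$((cck_n + 1)) ;;
            *) echo "SKIP      $cck_f (not a recognised private key)" >&2 ;;
        esac
    done
    echo "$cck_n"
}

# make_sample_keys DIR: write constructed stub keys (headers are real, bodies
# are truncated placeholders) so the audit can be exercised offline.
make_sample_keys() {
    msk_d=$1
    mkdir -p "$msk_d"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'MIIEowIBAAKCAQEAy1F3kC0nstructedStubNotARealKey' \
        '-----END RSA PRIVATE KEY-----' > "$msk_d/id_rsa_clear"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' '' \
        'c0nstructedStubNotARealKeyBody' \
        '-----END RSA PRIVATE KEY-----' > "$msk_d/id_rsa_enc"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW' \
        '-----END OPENSSH PRIVATE KEY-----' > "$msk_d/id_ed25519_clear"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABDc0nstr' \
        '-----END OPENSSH PRIVATE KEY-----' > "$msk_d/id_ed25519_enc"
    printf '%s\n' 'ssh-ed25519 AAAAC3NotARealKey user@host' > "$msk_d/id_ed25519.pub"
}

# Stand-alone run against the constructed samples. To audit real keys, call
# count_cleartext_keys "$HOME/.ssh" instead.
demo_dir=$(mktemp -d)
make_sample_keys "$demo_dir"
echo "cleartext keys found: $(count_cleartext_keys "$demo_dir")"
rm -rf "$demo_dir"
```

For a file the script does not recognise, the authoritative check is `ssh-keygen -y -P '' -f FILE`, which prints the public key only if the private key can be read without a passphrase; `ssh-keygen -p -f FILE` adds a passphrase to a cleartext key in place, after which the Keychain setup above lets you keep typing it only once per boot.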
4 comments
alternative to keychain
Authored by: lone mac on Mar 01, '02 09:12:29PM
Good post, frjo! An alternative which I came across and find a bit easier to use is Kevin Van Vechten's SSHAgentServices for Mac OS X. After having installed this executable as directed, all I need to do after booting up (or logging in) is to open a terminal window and type:

ssh-add ~/.ssh/identity ~/.ssh/id_dsa

After supplying the necessary passphrases, I can start an SSH session or SCP transfer from any terminal window without having to retype my passphrase!

Secure and easy OpenSSH key management
Authored by: leejoramo on Jul 11, '03 07:34:20PM
After much gnashing of teeth and pulling of hair, I got the keychain to work. The current version of the keychain software has evolved beyond this suggestion or the documents that are linked to at IBM developerWorks. keychain is now smart enough to work with different shells automatically.

The keychain program no longer makes the ~/.ssh-agent file to cache the keys; instead there is a ~/.keychain folder that includes files for use by different shell programs. I use tcsh as my shell, so I added these lines to my .tcshrc file:

/usr/bin/keychain ~/.ssh/id_rsa ~/.ssh/id_dsa ~/.ssh/identity
source ~/.keychain/YOURHOSTNAME-csh

where YOURHOSTNAME will naturally be whatever your system's name is. I am documenting some of my progress with Mac OS X, ssh and the keychain at my blog.

Lee Joramo

Secure and easy OpenSSH key management
Authored by: sjk on Jul 12, '03 04:19:18PM

FYI, the links to your site won't work because of the freya.local hostname.



Secure and easy OpenSSH key management
Authored by: Lliwynd on Sep 05, '06 06:02:55AM
I just came across this program:

http://www.sshkeychain.org/

Which is like the keychain script mentioned above in that it is a front-end for ssh-agent. It has the advantage that it is written for Mac OS X and integrates with Apple's keychain. It'll do things like load and unload keys based on whether your Apple keychain is unlocked, unload keys on sleep, etc.
