School of Physics & Astronomy
Physics & Astronomy Wiki


Using keychain with SSH

If you use ssh's built-in public-key/private-key passwordless authentication with an encrypted private key, you may find it annoying to enter the private key password all the time. ssh-agent provides some relief for the problem, but not to as far an extent as we would hope. So, the nice folks at IBM created keychain.


keychain runs the first time you open a prompt on a system, and remembers your private key password for you so you only have to enter it once per login session on your local machine. Further, we will set up ssh auth forwarding, so if you chain logins from remote systems in the physics/astronomy cluster, you still will not need to enter your password. All while still being very secure.

I will assume for this document you are using bash. If you are using tcsh you must adapt the instructions to its login scripts and such.

Working keys

If you don't already have public/private key auth set up, use the following command to create one:

ssh-keygen -t rsa

When it prompts you for a password, enter one (different from your physics account password) to encrypt the key on disk. Save it in the default ~/.ssh/id_rsa location.

After that, add your public key to the authorized_keys file:

cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

From this point, you should be able to try sshing to another system (physics.umn.edu for example) and will be prompted for your new rsa private key password, instead of your account password. Make sure this is working before you continue.
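The cat >> command above works, but it appends another copy of the key every time it is run, and sshd (with its default StrictModes) silently ignores an authorized_keys file or ~/.ssh directory that is group- or world-writable. The following is an added example, not part of the original wiki page: a small POSIX sh script that adds the key only if it is not already present and sets the permissions sshd expects. The key line it uses is a constructed placeholder, not a real key, and the directory argument is a parameter added here so the functions can be exercised in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original wiki page): idempotent authorized_keys
# update plus the permission hardening sshd's StrictModes requires.
# The public key below is a constructed placeholder, not a real key.

# add_authorized_key <ssh_dir> <pubkey_line>
# Prints "added" if the key line was appended, "present" if an identical
# line was already in authorized_keys. Always normalises permissions.
add_authorized_key() {
    ssh_dir=$1
    pubkey=$2
    auth="$ssh_dir/authorized_keys"

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"          # sshd refuses a group/world-writable ~/.ssh
    touch "$auth"
    chmod 600 "$auth"             # and a group/world-writable authorized_keys

    # -F: fixed string, -x: whole-line match, so a key that is merely a
    # prefix of another key line does not count as already present.
    if grep -qFx -- "$pubkey" "$auth"; then
        echo present
    else
        printf '%s\n' "$pubkey" >> "$auth"
        echo added
    fi
}

# count_keys <ssh_dir>: number of non-empty lines in authorized_keys
count_keys() {
    grep -c . "$1/authorized_keys"
}

# check_perms <ssh_dir>: succeed only if ~/.ssh is 700 and
# authorized_keys is 600 (the layout StrictModes accepts).
check_perms() {
    [ -n "$(find "$1" -prune -perm 0700)" ] &&
    [ -n "$(find "$1/authorized_keys" -prune -perm 0600)" ]
}

# Demonstration in a scratch directory so nothing in the real ~/.ssh changes.
demo() {
    tmp=$(mktemp -d)
    key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedplaceholderkey user@example'
    add_authorized_key "$tmp/.ssh" "$key"    # added
    add_authorized_key "$tmp/.ssh" "$key"    # present (no duplicate written)
    echo "key lines: $(count_keys "$tmp/.ssh")"
    check_perms "$tmp/.ssh" && echo "permissions ok"
    rm -rf "$tmp"
}

demo
```

Running it twice against the same directory leaves exactly one copy of the key; if a later "permission denied" appears while sshd is still asking for your account password, check_perms is the first thing to look at.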


Add the following to your ~/.bashrc file (the fi and else keywords were missing from the earlier version of this snippet, and the socket test used -f, which is never true for a socket, so the agent environment was always cleared):

# Clear an existing but broken ssh-agent environment: if SSH_AUTH_SOCK
# does not point at a live socket (-S), forget it.
if [ ! -S "${SSH_AUTH_SOCK}" ] ; then
  export SSH_AUTH_SOCK=""
fi

# If ssh auth forwarding is enabled we already have an agent, so don't
# start keychain. Root never starts keychain.
if [ "${SSH_AUTH_SOCK}x" == "x" ] && [ "$UID" != "0" ] ; then
    if [ -x /usr/bin/keychain ] ; then
       # -q quiet, -Q quick (reuse a running agent), wait 1 s for the lock
       /usr/bin/keychain -q -Q --lockwait 1 ~/.ssh/id_rsa
       # keychain writes the agent's environment here; load it
       if [ -f ~/.keychain/$HOSTNAME-sh ] ; then
          source ~/.keychain/$HOSTNAME-sh
       fi
    fi
fi

# If we have ssh-agent running, forward it to the next host,
# otherwise don't try to use key authentication at all.
if [ "${SSH_AUTH_SOCK}x" == "x" ]; then
    # No auth sock: don't use public key identification
    alias ssh='ssh -o PubkeyAuthentication=no'
else
    # We do have an auth sock: use auth forwarding
    alias ssh='ssh -A'
fi

Then, make sure your ~/.bash_profile contains the following:

source ~/.bashrc

Now if you log out and back in to X, you should be prompted for your private key password the first time you open a command shell. After that you can ssh anywhere and through multiple systems without being asked for your password again. (You may have to kill ssh-agent and then restart X for the changes to take effect.)

computing/department/unix/ssh_keychain.txt · Last modified: 2008/07/24 09:59 by rubin