If you use ssh's built-in public-key/private-key passwordless authentication with an encrypted private key, you may find it annoying to enter the private key password all the time. ssh-agent provides some relief for the problem, but not as much as we would hope. So, the nice folks at IBM created keychain.
keychain runs the first time you open a prompt on a system, and remembers your private key password for you so you only have to enter it once per login session on your local machine. Further, we will set up ssh auth forwarding, so if you chain logins from remote systems in the physics/astronomy cluster, you will still not need to enter your password. All while still being very secure.
I will assume for this document you are using bash. If you are using tcsh you must adapt the instructions to its login scripts and such.
If you don't already have public/private key auth set up, use the following command to create a key pair:
ssh-keygen -t rsa
When it prompts you for a password, enter one (different from your physics account password) to encrypt the key on disk. Save it in the default ~/.ssh/id_rsa location.
After that, add your public key to the authorized_keys file:
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
From this point, you should be able to try ssh-ing to another system (physics.umn.edu for example) and will be prompted for your new RSA private key password instead of your account password. Make sure this is working before you continue.
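As an added example that is not part of the original page: a small POSIX shell audit of the files the steps above create. sshd's StrictModes setting refuses key authentication when ~/.ssh or authorized_keys is group/world writable, and an unencrypted id_rsa is usable by anyone who copies it, so these are the two things worth checking before moving on. The function and file names are my own; it assumes GNU or BSD `stat`, and uses `ssh-keygen` (if present on the path) only for keys in the newer OpenSSH file format.

```shell
#!/bin/sh
# Added example (not from the original page): audit a .ssh directory for the
# mistakes that make sshd refuse key authentication or expose the private key.
# Takes the directory as $1 so it can be run against a constructed test
# directory; defaults to ~/.ssh.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True if the private key is passphrase-protected.
# PEM keys (-----BEGIN RSA PRIVATE KEY-----) carry an ENCRYPTED header when
# encrypted. Keys in the newer OpenSSH format are checked with ssh-keygen when
# it is installed: if the key loads with an empty passphrase, it is unencrypted.
key_is_encrypted() {
    key=$1
    if head -n 1 "$key" | grep -q 'BEGIN RSA PRIVATE KEY'; then
        grep -q 'ENCRYPTED' "$key"
    elif command -v ssh-keygen >/dev/null 2>&1; then
        ! ssh-keygen -y -P '' -f "$key" >/dev/null 2>&1
    else
        return 0   # cannot tell; assume encrypted rather than raise a false alarm
    fi
}

# audit_ssh_dir DIR: prints one line per finding; exit status is the number
# of findings (0 means the directory passed).
audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    findings=0

    if [ "$(file_mode "$dir")" != "700" ]; then
        echo "$dir: mode $(file_mode "$dir"), expected 700"
        findings=$((findings + 1))
    fi

    for key in "$dir"/id_rsa "$dir"/id_ed25519; do
        [ -f "$key" ] || continue
        mode=$(file_mode "$key")
        case "$mode" in
            600|400) ;;
            *) echo "$key: mode $mode, private key must be 600 or 400"
               findings=$((findings + 1)) ;;
        esac
        if ! key_is_encrypted "$key"; then
            echo "$key: not passphrase-protected; anyone who copies the file can use it"
            findings=$((findings + 1))
        fi
    done

    ak="$dir/authorized_keys"
    if [ -f "$ak" ]; then
        mode=$(file_mode "$ak")
        case "$mode" in
            600|644) ;;
            *) echo "$ak: mode $mode, must not be group/world writable (600 or 644)"
               findings=$((findings + 1)) ;;
        esac
    fi

    return "$findings"
}

# When run directly with a directory argument, audit it.
if [ -n "${1:-}" ]; then
    audit_ssh_dir "$1"
fi
```

Run it as `sh audit_ssh.sh ~/.ssh`; a silent run with exit status 0 means nothing was found. The exit status doubles as a finding count so it can be used from a login script or a cron job.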
Add the following to your ~/.bashrc file:
<xterm>
# Clear an existing but broken ssh-agent environment.
# SSH_AUTH_SOCK names a unix socket, so test with -S; -f is only true for
# regular files and would discard a working (forwarded) agent every time.
if [ ! -S "${SSH_AUTH_SOCK}" ] ; then
    export SSH_AUTH_SOCK=""
fi

# If ssh auth forwarding is enabled, use it and don't start keychain
# (and never start keychain as root).
if [ "${SSH_AUTH_SOCK}x" == "x" ] && [ "$UID" != "0" ] ; then
    if [ -x /usr/bin/keychain ] ; then
        /usr/bin/keychain -q -Q --lockwait 1 ~/.ssh/id_rsa
        if [ -f ~/.keychain/$HOSTNAME-sh ] ; then
            source ~/.keychain/$HOSTNAME-sh
        fi
    fi
fi

# If we have ssh-agent running, forward it to the next host,
# otherwise don't try to use key authentication at all.
if [ "${SSH_AUTH_SOCK}x" == "x" ]; then
    # No auth sock: don't use public key identification
    alias ssh='ssh -o PubkeyAuthentication=no'
else
    # We do have an auth sock: use auth forwarding.
    # Note that -A lets root on the remote host use your keys through the
    # forwarded socket for as long as you are logged in there.
    alias ssh='ssh -A'
fi
</xterm>
Then, make sure your ~/.bash_profile contains the following:
source ~/.bashrc
Now if you log out of X and back in, you should be prompted for your private key password the first time you open a command shell. After that you can ssh anywhere, and through multiple systems, without being asked for your password again. (You may have to kill ssh-agent and then restart X for the changes to take effect.)