Recipe 17.7. Better Passwordless Logins with keychain
17.7.1 Problem
ssh-agent is useful, but every new login session starts a fresh agent,
so you enter the passphrase again for each one, and when you log out
the agent and the keys it held are gone. ssh-agent alone also gives
cron jobs no way to find a running agent, so unattended SSH transfers
still need a key with no passphrase.
17.7.2 Solution
First, set up your system to use ssh-agent. Then
use keychain to keep your decrypted keys loaded in a single
long-lived agent until you reboot: keychain starts one ssh-agent the
first time you log in after a boot, and every later login reuses it
instead of starting another. Because keychain also records the agent's
environment in a file, cron jobs can source that file and run SSH
transfers with a passphrase-protected key.
Download and install keychain from the usual
sources; it comes in RPMs, .debs, and sources.
Then edit your local ~/.bash_profile, adding
these lines:
keychain id_dsa
. ~/.keychain/$HOSTNAME-sh
Use the real name of your private key in ~/.ssh: id_rsa,
my_own_groovy_key, whatever. (Recent OpenSSH releases no longer accept
DSA keys by default, so in practice this will be id_rsa or id_ed25519
rather than id_dsa.) Be sure to use the
leading dot on the second line; that is the Bourne-shell source
command, and it reads the file keychain just wrote, which exports
SSH_AUTH_SOCK and SSH_AGENT_PID so ssh in this shell can reach the agent.
That's all you have to do. Now, the first time you log in to
your local workstation after a boot, a keychain prompt will
appear, asking for the passphrase of your key. Later logins find the
agent already running and do not prompt.
keychain will handle authentications until the
system reboots.
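The cron side of the recipe deserves a worked example, because a job with no terminal must never fall through to a passphrase prompt. The script below is an added example, not code from the Linux Cookbook or from the keychain project: it loads the ~/.keychain/$HOSTNAME-sh file keychain writes, checks that the agent named there is actually reachable and holds a key, and only then runs a transfer. The backup file path, the script name, and the KEYCHAIN_DIR override are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the Linux Cookbook or the keychain project:
# a cron-safe wrapper around the ~/.keychain/$HOSTNAME-sh file that
# keychain writes. A cron job has no terminal, so it must never fall
# through to a passphrase prompt; instead it loads the agent variables,
# verifies the agent is reachable and holds a key, and only then runs
# the transfer. Paths and the backup file name are assumptions.

KEYCHAIN_DIR="${KEYCHAIN_DIR:-$HOME/.keychain}"   # where keychain writes its env files

# Source keychain's Bourne-shell environment file for this host.
# Exit status: 0 = SSH_AUTH_SOCK loaded, 1 = file missing (nobody has
# logged in since boot, so no agent was started), 2 = file present but
# it did not define SSH_AUTH_SOCK.
load_keychain_env() {
    host="${1:-${HOSTNAME:-$(uname -n)}}"
    envfile="$KEYCHAIN_DIR/$host-sh"
    [ -r "$envfile" ] || return 1
    unset SSH_AUTH_SOCK SSH_AGENT_PID
    . "$envfile"
    [ -n "$SSH_AUTH_SOCK" ] || return 2
    return 0
}

# Confirm the agent behind SSH_AUTH_SOCK is alive and has at least one
# identity loaded. ssh-add -l exits 0 with identities, 1 with none, and
# 2 when it cannot contact the agent at all (stale file after a reboot).
agent_has_keys() {
    [ -S "${SSH_AUTH_SOCK:-}" ] || return 2
    ssh-add -l >/dev/null 2>&1
}

# Guarded entry point: run as "cron_scp.sh user@host:/path" from crontab.
# With no argument the file only defines the functions above.
if [ -n "${1:-}" ]; then
    load_keychain_env || { echo "keychain env not found; log in once after boot" >&2; exit 1; }
    agent_has_keys    || { echo "no usable ssh-agent or no keys loaded" >&2; exit 1; }
    scp -q /var/backups/nightly.tar.gz "$1"     # assumed backup file
fi
```

A crontab line such as `15 2 * * * $HOME/bin/cron_scp.sh backup@server:/srv/backups/` then runs the transfer nightly; if nobody has logged in since the last reboot the job exits with a logged error instead of hanging, which is the failure mode to expect with keychain and a passphrase-protected key.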
17.7.3 Discussion
You can name as many keys as you wish to use, like this:
keychain id_dsa apache_key ftp_key
You'll enter the passphrase for each one on the first
login after a boot. Then keychain will handle authentications
as long as the system stays up, even if you log out and log back in a
few times, because the keys stay loaded in the one agent it started.
When you restart the system, you start over. If you would rather be
prompted on every login, so that someone who gets into your account
later cannot ride the still-running agent, run keychain with the
--clear option; it removes the loaded keys each time you log in.
A lot of documentation tells you to use null passphrases on keys
generated for servers, to enable unattended reboots. The risk is that
anyone who gets a copy of the private key file can use it directly.
keychain does not remove that exposure, it moves it: the key file on
disk stays encrypted, but the decrypted key lives in the agent's
memory, and anyone who can reach the agent socket (root on the
machine, or someone who has taken over your account) can use it for as
long as the agent runs, normally until reboot. Whichever way you go,
limit what an unattended key can do on the server side with
authorized_keys options such as command= and from=. As always, you'll
have to decide for yourself what balance of convenience and security
is going to serve your needs.
17.7.4 See Also
ssh(1), ssh-add(1), ssh-agent(1), keychain(1)
SSH, The Secure Shell: The Definitive Guide