Hi, I'm Benedikt Deicke, and I'm a freelance web and software developer. I'm mainly building user focused web applications using Ruby on Rails and JavaScript. Additionally I'm currently studying for my master's degree and enjoying photography in my spare time. Feel free to get in touch with me, I'm available for hire!

March 29th, 2008
Easy SSH authentication with keychain

Typing SSH passwords again and again can be a real pain. For example: Lately I started to use Capistrano to deploy my Rails applications. If I want to set up the maintenance page on the server I’ll type cap deploy:web:disable, which of course prompts me for the SSH password. Then I want to deploy my application with cap deploy and again will be prompted for the password. Finally I have to cap deploy:web:enable to remove the maintenance page which – as mindful readers might have guessed already – prompts for the password. This was just one reason for me to set up SSH authentication keys. At first I was a little worried that setting it up might be a bit complicated. Luckily I was disabused. If you want to switch to key-based authentication too, follow these simple steps:

Key generation

The first thing you need is – of course – a pair of keys: your private key and the associated public key. To generate both, fire up your favorite shell (for me it’s bash) and type:

   ssh-keygen

This will generate both keys and ask you where to store them. Usually the default is something like ~/.ssh/id_rsa. Simply accept the default by pressing return. Next you’ll have to enter a password for your key and confirm it. Afterwards you have to tell the server to accept your key for authentication. Do so by uploading the public key to the server.

   scp ~/.ssh/id_rsa.pub yourserver.com:~/.ssh/authorized_keys

If you want to add multiple keys, be sure to append each one to the authorized_keys file rather than overwriting it; the scp command above replaces whatever the file already contains.
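One way to do the append safely, as an added example that is not part of the original post: a small shell function, meant to be run on the server after the .pub file has been copied there under a temporary name. The function name install_pubkey and the sample paths are assumptions; ~/.ssh/authorized_keys is the file a default OpenSSH server reads.

```shell
#!/bin/sh
# Added example (not from the original post). Run on the server.
# install_pubkey PUBKEY_FILE AUTH_FILE
# Appends the key unless that exact line is already present.
install_pubkey() {
    pubkey_file=$1
    auth_file=$2
    nl='
'
    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 2; }
    # Drop blank lines; $(...) also strips the trailing newline.
    key=$(grep -v '^[[:space:]]*$' "$pubkey_file") || key=

    # Accept exactly one "type base64 [comment]" line; reject private keys.
    case $key in
        *"PRIVATE KEY"*|*"$nl"*)
            echo "refusing: not a single public key line" >&2; return 2 ;;
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *)
            echo "refusing: unrecognised key type" >&2; return 2 ;;
    esac

    # sshd's StrictModes rejects key files with loose permissions.
    auth_dir=$(dirname "$auth_file")
    mkdir -p "$auth_dir" && chmod 700 "$auth_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # -x whole line, -F fixed string: skip the append if the key is there.
    if grep -qxF -- "$key" "$auth_file"; then
        echo "key already present"
        return 0
    fi

    # If the last entry has no trailing newline, add one so keys don't merge.
    if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
        printf '\n' >> "$auth_file"
    fi
    printf '%s\n' "$key" >> "$auth_file"
    echo "key added"
}
```

OpenSSH also ships ssh-copy-id, which appends a key to the remote file for you.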

First login

That’s all you have to do to switch to key-based SSH authentication. Try to log in as usual by typing:

   ssh yourserver.com

This will prompt you for your key’s password and log you in to your server afterwards. “But wait! I still have to type my password every time I want to log in!” you shout, and you’re right – up to now. What you need to do is run ssh-agent, add your key and type your password. ssh-agent will then ask for the password and store it until you shut it down. You’ll have to do this every time you open up a new shell, or put the commands into a startup file such as ~/.bash_profile. Quite comfortable, but we can do better.

Keychain

There is a nice little tool called keychain that will smooth the process a little for you. It was originally developed by the Gentoo people, but it’s available on other Linux distributions (as well as Mac OS X), too. Simply install it by typing your system’s equivalent to

   # Gentoo
   emerge keychain
   # Debian
   aptitude install keychain

and it’ll be available in no time. To set it up you need to put these two lines in your ~/.bash_profile:

   keychain ~/.ssh/id_rsa
   source ~/.keychain/$HOSTNAME-sh

That’s it. The first time you open up a shell, keychain will start ssh-agent, prompt you for your key’s password and remember the running ssh-agent for all new shells. On your next SSH authentication no more password typing is required. Wasn’t complicated at all, was it?

Update: Thanks to Michael for pointing out that the public key file is named id_rsa.pub instead of id_rsa. Fixed it.

Posted by benedikt. Filed in Articles, Linux

1 Comments for “Easy SSH authentication with keychain”

  1. mk_michael said on December 6th, 2008 at 08:44 AM:

    With Debian / Ubuntu you can use “ssh-keygen -t rsa”. The public key will be stored in ~/.ssh/id_rsa.pub and the private key in ~/.ssh/id_rsa.

    So you need to scp the public key “id_rsa.pub”.
