Gentoo - keychain setup

By: John McFarlane <john.mcfarlane@rockfloat.com>
Last updated: 08/04/2007 @11:01

Abstract:
This document walks through a step-by-step setup of keychain on Gentoo Linux. Keychain simplifies working with ssh by remembering your key passphrases for you, so you enter them once per login session rather than on every connection.



1. Install some needed packages


root# emerge keychain
        
You can also emerge gtk2-ssh-askpass if you would rather be prompted for your passphrase graphically than in your shell.

2. Create public and private keys

You will need an ssh key pair, which is what allows ssh access in a secure fashion. Pick a strong passphrase for the key when prompted.

user# ssh-keygen -t rsa  # Follow the prompts
        
Now create an authorized_keys file that will be installed on every computer you want to ssh to.

user# cd ~/.ssh
user# cat id_rsa.pub >> authorized_keys
        
Now copy this file to each machine you want access to.

user# scp authorized_keys USER@HOST:.ssh/authorized_keys
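The scp command above replaces whatever authorized_keys file already exists on the remote host, which silently drops any other keys that were installed there. The following is an added example (not part of the original guide) showing how to merge a key into an authorized_keys file idempotently and set the permissions sshd's default StrictModes requires. The function name, the file paths and the sample key material are all constructed for the example.

```shell
#!/bin/bash
# Added example (not from the original guide): merge a public key into an
# authorized_keys file instead of overwriting the whole file with scp.
# The same function works on a local file or, when copied over ssh, on the
# remote host's ~/.ssh/authorized_keys.
set -u

# install_authorized_key PUBKEY_FILE AUTHORIZED_KEYS_FILE
# Appends the key line only if it is not already present, and sets the
# directory to 0700 and the file to 0600, which sshd's default StrictModes
# requires before it will honour the file at all.
install_authorized_key() {
    local pubkey_file="$1" auth_file="$2" auth_dir key
    key=$(head -n 1 "$pubkey_file") || return 1
    # Accept only lines that look like an OpenSSH public key: a key type
    # such as ssh-rsa followed by the base64 blob.
    case "$key" in
        ssh-*\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac
    auth_dir=$(dirname "$auth_file")
    mkdir -p "$auth_dir" && chmod 700 "$auth_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1
    # -x: whole-line match, -F: fixed string, so a key that is merely a
    # prefix of another line does not count as already installed.
    if grep -qxF -- "$key" "$auth_file"; then
        return 0
    fi
    printf '%s\n' "$key" >> "$auth_file"
}

# count_keys AUTHORIZED_KEYS_FILE: number of key lines in the file.
count_keys() {
    grep -cE '^(ssh-|ecdsa-)' "$1" || true
}

# Usage (constructed paths): install_authorized_key ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
```

To get the key onto the remote host without clobbering its existing file, append rather than copy, for example `cat ~/.ssh/id_rsa.pub | ssh USER@HOST 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys'`; OpenSSH also ships the ssh-copy-id helper, which does the same job.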
        

3. Setup bash profile to use keychain

Edit your ~/.bash_profile and add the following near the top (I put it above the line that sources .bashrc). The HOSTNAME below is literal, by the way: cut and paste it exactly as shown.

keychain ~/.ssh/id_rsa
. ~/.keychain/${HOSTNAME}-sh
        
If you have a conditional in your .bashrc that checks for a non-interactive shell, be sure to add keychain there too, using the --quiet switch so that scp and rcp sessions do not receive any output:

# Test for an interactive shell.  There is no need to set anything
# past this point for scp and rcp, and it's important to refrain from
# outputting anything in those cases.
if [[ $- != *i* ]] ; then
    # Use keychain:
    keychain --quiet ~/.ssh/id_rsa
    . ~/.keychain/${HOSTNAME}-sh

    # Shell is non-interactive.  Be done now!
    return
fi
        
Now every time you open a console you will see keychain start up. Note that the first time keychain runs it will prompt for the passphrase of your rsa key. Go ahead and close your gnome-terminal (or whatever terminal you use), open it again, and enter your passphrase.

4. Try it out!

You should now be able to ssh to the particular host without having to enter a password. Nicely done!

5. Attention cron users, you're not done yet

If you use crontab, you will need to modify your scripts a bit so that your ssh-agent is available to jobs run from crontab. There are probably several ways of doing this, and I really don't know if this is a security no-no, but the following works for me.

At the top of my personal bash files called by crontab, I source my profile like so:

#!/bin/bash

# Pull in the keychain environment (SSH_AUTH_SOCK etc.) from the profile
source ~/.bash_profile
# Do something that needs ssh here
        
I have not tested whether the above works if you reference a user's profile from root's crontab, but it works nicely for a normal user's crontab. Oh, and for those of you who get "permission denied" when trying to add a personal crontab, the key is to add the normal user to the cron group via gpasswd.
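Sourcing the whole ~/.bash_profile from cron pulls in everything the profile does (aliases, PATH changes, and the keychain call itself, which under cron has no terminal to prompt on). The only thing a cron script actually needs is the small file keychain writes to ~/.keychain/${HOSTNAME}-sh, which just exports SSH_AUTH_SOCK and SSH_AGENT_PID. The following is an added example, not code from the original guide: it sources only that file and verifies that the agent socket it names still exists, so a job that runs after a reboot (before anyone has logged in and unlocked the key) fails clearly instead of hanging. The function name and the optional file argument are constructed for the example.

```shell
#!/bin/bash
# Added example (not from the original guide): a cron job that reuses the
# keychain-managed ssh-agent without sourcing the whole ~/.bash_profile.
set -u

# load_agent_env [KEYCHAIN_FILE]
# Sources the environment file keychain writes (default: the file the guide's
# profile snippet sources) and checks that it points at a live agent socket.
# Returns 0 on success, 1 if the file is missing or the agent is gone.
load_agent_env() {
    local envfile="${1:-$HOME/.keychain/${HOSTNAME:-$(uname -n)}-sh}"
    [ -r "$envfile" ] || { echo "no keychain env file: $envfile" >&2; return 1; }
    # The file is a plain sh snippet of export statements written by keychain,
    # so sourcing it is all that is needed to reach the running agent.
    . "$envfile"
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ] || {
        echo "ssh-agent socket not available: ${SSH_AUTH_SOCK:-unset}" >&2
        return 1
    }
    return 0
}

# Usage in a script run from crontab (USER@HOST is a placeholder):
#   if load_agent_env; then
#       # BatchMode makes ssh fail instead of prompting if the key is locked
#       ssh -o BatchMode=yes USER@HOST 'uptime'
#   else
#       exit 1
#   fi
```

Using -o BatchMode=yes in the cron job is the companion check: if the agent is up but the key was never unlocked, ssh exits with an error that lands in the cron mail rather than waiting forever on a passphrase prompt nobody can answer.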

Good luck!

Changelog:
Date               Description
07/16/2004 @21:00  Added info for gnome users
06/24/2007 @22:48  Remove gnomerc change; add use of --quiet for non-interactive shells; remove some cruft; use gpasswd rather than vigr
08/04/2007 @11:01  Removed dsa keys

This document was originally created on 07/16/2004


Disclaimer:
This page is not endorsed by gentoo.org or any other cool cats. Any information provided in this document is to be used at your own risk.