CentOS Linux: Install Keychain Manager For SSH-agent

This post shows how to install the keychain manager for ssh-agent on your CentOS Linux system.

What is Keychain?


keychain – re-use ssh-agent and/or gpg-agent between logins
Synopsis

keychain [ -hkQqV ] [ --clear --help --ignore-missing --noask --nocolor --nogui --nolock --quick --quiet --version ] [ --agents list ] [ --attempts num ] [ --dir dirname ] [ --host name ] [ --lockwait seconds ] [ --stop which ] [ --timeout minutes ] [ keys... ]

Description

keychain is a manager for ssh-agent, typically run from ~/.bash_profile. It allows your shells and cron jobs to share a single ssh-agent process. By default, the ssh-agent started by keychain is long-running and will continue to run, even after you have logged out from the system. If you want to change this behavior, take a look at the --clear and --timeout options, described below.

When keychain is run, it checks for a running ssh-agent, otherwise it starts one. It saves the ssh-agent environment variables to ~/.keychain/${HOSTNAME}-sh, so that subsequent logins and non-interactive shells such as cron jobs can source the file and make passwordless ssh connections. In addition, when keychain runs, it verifies that the key files specified on the command-line are known to ssh-agent, otherwise it loads them, prompting you for a password if necessary.

Keychain also supports gpg-agent in the same ways that ssh-agent is supported. By default keychain attempts to start all available agents but will fall back to only gpg-agent or only ssh-agent if either is unavailable. You can specifically limit keychain using the --agents option.
keychain supports most UNIX-like operating systems, including Cygwin. It works with Bourne-compatible, csh-compatible and fish shells.

Install keychain in CentOS Linux


First, install the keychain package. Follow these steps:

#1 Enable the psychotic repo. Import its GPG signing key by typing the following command:

# rpm --import http://wiki.psychotic.ninja/RPM-GPG-KEY-psychotic

#2 Install the psychotic-release package:

# rpm -ivh http://packages.psychotic.ninja/6/base/i386/RPMS/psychotic-release-1.0.0-1.el6.psychotic.noarch.rpm

Outputs:

[root@devops ~]# rpm -ivh http://packages.psychotic.ninja/6/base/i386/RPMS/psychotic-release-1.0.0-1.el6.psychotic.noarch.rpm
Retrieving http://packages.psychotic.ninja/6/base/i386/RPMS/psychotic-release-1.0.0-1.el6.psychotic.noarch.rpm
Preparing... ################################# [100%]
Updating / installing...
1:psychotic-release-1.0.0-1.el6.psy################################# [100%]
#3 Install the keychain package using the yum command. Type:

# yum --enablerepo=psychotic install keychain

Outputs:

[root@devops ~]# yum --enablerepo=psychotic install keychain
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.ustc.edu.cn
* extras: mirrors.huaweicloud.com
* updates: mirrors.aliyun.com
psychotic | 2.9 kB 00:00
psychotic/7/x86_64/primary_db | 70 kB 00:02
Resolving Dependencies
--> Running transaction check
---> Package keychain.noarch 0:2.8.0-3.el7.psychotic will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
keychain noarch 2.8.0-3.el7.psychotic psychotic 44 k

Transaction Summary
================================================================================
Install 1 Package

Total download size: 44 k
Installed size: 97 k
Is this ok [y/d/N]: y
Downloading packages:
keychain-2.8.0-3.el7.psychotic.noarch.rpm | 44 kB 00:02
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
Installing : keychain-2.8.0-3.el7.psychotic.noarch 1/1
Verifying : keychain-2.8.0-3.el7.psychotic.noarch 1/1

Installed:
keychain.noarch 0:2.8.0-3.el7.psychotic

Complete!

#4 generate SSH keys

Type the following command:

# ssh-keygen -t rsa

Outputs:

[root@devops ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:pHc9wiRYzts96nImi5AJIywtC5SifIwd37B/r/3AO1E root@devops
The key's randomart image is:
+---[RSA 2048]----+
| . |
| . = |
|.o . .. = . |
|*.+ o +o * o E |
|*+++ o..S = * |
|o+.o o.. ..+ o |
|. + . ..o. |
| . .+.=.o |
| . .Bo+o. |
+----[SHA256]-----+

#5 update .bash_profile in your home directory

Add the following lines to this file:

# load the key generated in step 4 into the shared ssh-agent
/usr/bin/keychain $HOME/.ssh/id_rsa
source $HOME/.keychain/$HOSTNAME-sh

Keychain Examples


This snippet should work in any shell to load two ssh keys and one gpg key:

eval `keychain --eval id_rsa id_dsa 0123ABCD`

If you have trouble with that in csh:

setenv SHELL /bin/csh
eval `keychain --eval id_rsa id_dsa 0123ABCD`

This is equivalent for Bourne shells (including bash and zsh) but doesn't use keychain's --eval feature:

keychain id_rsa id_dsa 0123ABCD
[ -z "$HOSTNAME" ] && HOSTNAME=`uname -n`
[ -f $HOME/.keychain/$HOSTNAME-sh ] && \
. $HOME/.keychain/$HOSTNAME-sh
[ -f $HOME/.keychain/$HOSTNAME-sh-gpg ] && \
. $HOME/.keychain/$HOSTNAME-sh-gpg

This is equivalent for C shell (including tcsh):

keychain id_rsa id_dsa 0123ABCD
host=`uname -n`
if (-f $HOME/.keychain/$host-csh) then
source $HOME/.keychain/$host-csh
endif
if (-f $HOME/.keychain/$host-csh-gpg) then
source $HOME/.keychain/$host-csh-gpg
endif

To load keychain variables from a script (for example from cron) and abort unless id_dsa is available:

# Load keychain variables and check for id_dsa
[ -z "$HOSTNAME" ] && HOSTNAME=`uname -n`
. $HOME/.keychain/$HOSTNAME-sh 2>/dev/null
ssh-add -l 2>/dev/null | grep -q id_dsa || exit 1
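As an added example that is not part of the original post or the keychain project: the step 5 profile lines and the cron snippet above both source ~/.keychain/$HOSTNAME-sh, which executes whatever that file contains, so this POSIX sh loader checks the file's owner and mode first and then copies out only SSH_AUTH_SOCK and SSH_AGENT_PID. It assumes GNU stat (as shipped on CentOS) and keychain's usual `VAR=value; export VAR;` line format; the optional DIR argument and the agent_alive helper are additions of this example, not keychain options.

```shell
#!/bin/sh
# Added example, not from the original post or the keychain project.
# keychain writes ssh-agent's variables to ~/.keychain/$HOSTNAME-sh and the
# post's step 5 and cron snippet load them with `source`/`.`, which executes
# whatever that file contains. This loader checks ownership and permissions
# first and then copies out only the two variables keychain actually sets.

# keychain_env_file [DIR]: path of the Bourne-shell env file keychain writes
# (DIR defaults to $HOME; the argument exists so it can be tested in a temp dir).
keychain_env_file() {
    base=${1:-$HOME}
    host=${HOSTNAME:-$(uname -n)}
    printf '%s/.keychain/%s-sh\n' "$base" "$host"
}

# check_env_file_perms FILE: succeed only if FILE is a regular file owned by
# the current user and not writable by group or others (GNU stat, as on CentOS).
check_env_file_perms() {
    [ -f "$1" ] || return 1
    info=$(stat -c '%u %a' "$1" 2>/dev/null) || return 1
    owner=${info% *}
    mode=${info#* }
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        *[0145][0145]) return 0 ;;   # group and other digits carry no write bit
        *) return 1 ;;
    esac
}

# load_agent_vars FILE: extract SSH_AUTH_SOCK and SSH_AGENT_PID from lines of
# the form "SSH_AUTH_SOCK=/path; export SSH_AUTH_SOCK;" and export them.
# Returns 1 (and exports nothing) if the file fails the checks or looks odd.
load_agent_vars() {
    f=${1:-$(keychain_env_file)}
    check_env_file_perms "$f" || return 1
    sock=$(sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p' "$f" | head -n 1)
    pid=$(sed -n 's/^SSH_AGENT_PID=\([^;]*\);.*/\1/p' "$f" | head -n 1)
    case "$sock" in /*) ;; *) return 1 ;; esac          # must be an absolute path
    case "$pid" in ''|*[!0-9]*) return 1 ;; esac        # must be numeric
    SSH_AUTH_SOCK=$sock SSH_AGENT_PID=$pid
    export SSH_AUTH_SOCK SSH_AGENT_PID
}

# agent_alive: true if the exported agent socket exists and its process runs;
# a cron job would call this, then `ssh-add -l | grep -q id_rsa || exit 1`.
agent_alive() {
    [ -S "${SSH_AUTH_SOCK:-}" ] && kill -0 "${SSH_AGENT_PID:-}" 2>/dev/null
}
```

In the cron script, replace the `. $HOME/.keychain/$HOSTNAME-sh` line with `load_agent_vars && agent_alive || exit 1` and keep the `ssh-add -l` check that follows it.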

