CentOS Linux: Install Keychain Manager For SSH-agent
This post will guide you through installing the keychain manager for ssh-agent on your Linux system.
What is Keychain?
keychain – re-use ssh-agent and/or gpg-agent between logins
Synopsis
keychain [ -hkQqV ] [ --clear --help --ignore-missing --noask --nocolor --nogui --nolock --quick --quiet --version ] [ --agents list ] [ --attempts num ] [ --dir dirname ] [ --host name ] [ --lockwait seconds ] [ --stop which ] [ --timeout minutes ] [ keys... ]
Description
keychain is a manager for ssh-agent, typically run from ~/.bash_profile. It allows your shells and cron jobs to share a single ssh-agent process. By default, the ssh-agent started by keychain is long-running and will continue to run, even after you have logged out from the system. If you want to change this behavior, take a look at the --clear and --timeout options, described below.
When keychain is run, it checks for a running ssh-agent, otherwise it starts one. It saves the ssh-agent environment variables to ~/.keychain/${HOSTNAME}-sh, so that subsequent logins and non-interactive shells such as cron jobs can source the file and make passwordless ssh connections. In addition, when keychain runs, it verifies that the key files specified on the command-line are known to ssh-agent, otherwise it loads them, prompting you for a password if necessary.
Keychain also supports gpg-agent in the same ways that ssh-agent is supported. By default keychain attempts to start all available agents but will fall back to only gpg-agent or only ssh-agent if either is unavailable. You can specifically limit keychain using the --agents option.
keychain supports most UNIX-like operating systems, including Cygwin. It works with Bourne-compatible, csh-compatible and fish shells.
Install keychain in CentOS Linux
First you need to install the keychain package. Follow these steps:
#1 enable the psychotic repo by importing its GPG signing key; type the following command:
# rpm --import http://wiki.psychotic.ninja/RPM-GPG-KEY-psychotic
#2 install the psychotic-release package:
# rpm -ivh http://packages.psychotic.ninja/6/base/i386/RPMS/psychotic-release-1.0.0-1.el6.psychotic.noarch.rpm
Outputs:
[root@devops ~]# rpm -ivh http://packages.psychotic.ninja/6/base/i386/RPMS/psychotic-release-1.0.0-1.el6.psychotic.noarch.rpm
Retrieving http://packages.psychotic.ninja/6/base/i386/RPMS/psychotic-release-1.0.0-1.el6.psychotic.noarch.rpm
Preparing...                          ################################# [100%]
Updating / installing...
   1:psychotic-release-1.0.0-1.el6.psy################################# [100%]
#3 install the keychain package using the yum command, type:
# yum --enablerepo=psychotic install keychain
Outputs:
[root@devops ~]# yum --enablerepo=psychotic install keychain
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.ustc.edu.cn
 * extras: mirrors.huaweicloud.com
 * updates: mirrors.aliyun.com
psychotic                                                | 2.9 kB  00:00
psychotic/7/x86_64/primary_db                            |  70 kB  00:02
Resolving Dependencies
--> Running transaction check
---> Package keychain.noarch 0:2.8.0-3.el7.psychotic will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package        Arch        Version                      Repository       Size
================================================================================
Installing:
 keychain       noarch      2.8.0-3.el7.psychotic        psychotic        44 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 44 k
Installed size: 97 k
Is this ok [y/d/N]: y
Downloading packages:
keychain-2.8.0-3.el7.psychotic.noarch.rpm                 |  44 kB  00:02
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
  Installing : keychain-2.8.0-3.el7.psychotic.noarch                        1/1
  Verifying  : keychain-2.8.0-3.el7.psychotic.noarch                        1/1

Installed:
  keychain.noarch 0:2.8.0-3.el7.psychotic

Complete!
#4 generate SSH keys
Type the following command:
# ssh-keygen -t rsa
Outputs:
[root@devops ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:pHc9wiRYzts96nImi5AJIywtC5SifIwd37B/r/3AO1E root@devops
The key's randomart image is:
+---[RSA 2048]----+
|        .        |
|       . =       |
|.o .  ..  = .    |
|*.+ o +o * o E   |
|*+++ o..S = *    |
|o+.o o.. ..+ o   |
|. + . ..o.       |
| . .+.=.o        |
|  . .Bo+o.       |
+----[SHA256]-----+
#5 update .bash_profile in your home directory
Add the following lines to this file (the key name must match the key generated in step 4, id_rsa here):
/usr/bin/keychain $HOME/.ssh/id_rsa
source $HOME/.keychain/$HOSTNAME-sh
Keychain Examples
This snippet should work in any shell to load two ssh keys and one gpg key:
eval `keychain --eval id_rsa id_dsa 0123ABCD`
If you have trouble with that in csh:
setenv SHELL /bin/csh
eval `keychain --eval id_rsa id_dsa 0123ABCD`
This is equivalent for Bourne shells (including bash and zsh) but doesn't use keychain's --eval feature:
keychain id_rsa id_dsa 0123ABCD
[ -z "$HOSTNAME" ] && HOSTNAME=`uname -n`
[ -f $HOME/.keychain/$HOSTNAME-sh ] && \
    . $HOME/.keychain/$HOSTNAME-sh
[ -f $HOME/.keychain/$HOSTNAME-sh-gpg ] && \
    . $HOME/.keychain/$HOSTNAME-sh-gpg
This is equivalent for C shell (including tcsh):
keychain id_rsa id_dsa 0123ABCD
host=`uname -n`
if (-f $HOME/.keychain/$host-csh) then
    source $HOME/.keychain/$host-csh
endif
if (-f $HOME/.keychain/$host-csh-gpg) then
    source $HOME/.keychain/$host-csh-gpg
endif
To load keychain variables from a script (for example from cron) and abort unless id_dsa is available:
# Load keychain variables and check for id_dsa
[ -z "$HOSTNAME" ] && HOSTNAME=`uname -n`
. $HOME/.keychain/$HOSTNAME-sh 2>/dev/null
ssh-add -l 2>/dev/null | grep -q id_dsa || exit 1
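Both the .bash_profile snippet in step 5 and the cron snippet above source ~/.keychain/$HOSTNAME-sh, and "." executes every line of that file as shell, so a cron job should check the file before trusting it. The script below is an added example, not part of keychain or of this post; it assumes the state file holds only the two export lines keychain saves from ssh-agent -s, and the function and key names are constructed for illustration.

```shell
#!/bin/sh
# Validate a keychain state file before sourcing it from cron.
# Added example, not part of keychain or of this post. Assumes the file holds
# only the two lines ssh-agent -s emits and keychain saves to
# ~/.keychain/$HOSTNAME-sh:
#   SSH_AUTH_SOCK=/path/agent.NNN; export SSH_AUTH_SOCK;
#   SSH_AGENT_PID=NNN; export SSH_AGENT_PID;

# keychain_file_ok FILE -> 0 only if FILE is safe to source: a regular file
# that is not group/world-writable and contains nothing but those exports.
# "." executes every line as shell, so any extra line fails the check.
keychain_file_ok() {
    f=$1
    [ -f "$f" ] || return 1
    # ls -ld prints -rwxrwxrwx: character 6 is group write, 9 is other write
    case "$(ls -ld "$f")" in ?????w*|????????w*) return 1 ;; esac
    re='^(SSH_AUTH_SOCK=[A-Za-z0-9_./-]+; export SSH_AUTH_SOCK;|SSH_AGENT_PID=[0-9]+; export SSH_AGENT_PID;)?$'
    # -v selects lines that do NOT match the allow-list; any such line is fatal
    grep -Evq "$re" "$f" && return 1
    return 0
}

# keychain_agent_ok FILE -> 0 only if FILE validates and the agent it names is
# alive: SSH_AUTH_SOCK is a socket and SSH_AGENT_PID is a running process.
# Runs in a subshell so nothing is exported into the caller on failure.
keychain_agent_ok() {
    keychain_file_ok "$1" || return 1
    (
        . "$1"
        [ -S "$SSH_AUTH_SOCK" ] || exit 1
        kill -0 "$SSH_AGENT_PID" 2>/dev/null || exit 1
    )
}

# cron_ssh_ready FILE KEYNAME -> 0 only if the agent is usable and KEYNAME is
# loaded (the cron snippet from the post with the checks in front of it).
# On success the agent variables are exported for the ssh commands that follow.
cron_ssh_ready() {
    keychain_agent_ok "$1" || return 1
    . "$1"
    ssh-add -l 2>/dev/null | grep -q "$2"
}

# Typical cron use (constructed):
# cron_ssh_ready "$HOME/.keychain/$(uname -n)-sh" id_rsa || exit 1
# scp backup.tar.gz backup@host:/var/backups/
```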