Ubuntu / Debian Linux Server Install Keychain SSH Key Manager For OpenSSH

October 19, 2012 · 3 comments · Last updated March 10, 2014

I do not want to start ssh-agent and ssh-add as described here to manage my ssh keys for passwordless login. How do I install keychain software to manage my keys running on a Debian or Ubuntu based cloud server?

OpenSSH offers RSA and DSA authentication to remote systems without supplying a password. keychain is a manager for ssh-agent.
Tutorial details
Difficulty: Easy
Root privileges: Yes
Requirements: Debian/Ubuntu
Estimated completion time: 5m
The ssh-agent started by keychain is long-running and will continue to run, even after you have logged out from the system. However, you can control this behavior.

Installing keychain for Debian and friends

You can install keychain, the key manager for OpenSSH, with apt-get from the command line, over an ssh session for a cloud-based instance or any other regular VPS or dedicated server. Type the following apt-get command as the root user:
$ sudo apt-get install keychain
OR
# apt-get install keychain
Sample outputs:

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
  grub-pc-bin
Use 'apt-get autoremove' to remove them.
Suggested packages:
  gnupg-agent ssh-askpass
The following NEW packages will be installed:
  keychain
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 32.3 kB of archives.
After this operation, 118 kB of additional disk space will be used.
Get:1 http://mirrors.service.networklayer.com/ubuntu/ precise/universe keychain all 2.7.1-1 [32.3 kB]
Fetched 32.3 kB in 0s (1,633 kB/s)
Selecting previously unselected package keychain.
(Reading database ... 47427 files and directories currently installed.)
Unpacking keychain (from .../keychain_2.7.1-1_all.deb) ...
Processing triggers for man-db ...
Setting up keychain (2.7.1-1) ...

How do I set up public key authentication?

First, create a directory called $HOME/.ssh/ using the mkdir command:
$ mkdir $HOME/.ssh/
$ chmod 0700 $HOME/.ssh/

Type any one of the following commands to generate your public and private keys in the $HOME/.ssh/ directory using RSA encryption:
$ ssh-keygen
OR
$ ssh-keygen -t rsa -b 2048
OR
$ ssh-keygen -t rsa
Assign a passphrase when prompted. You should see two new files in the $HOME/.ssh/ directory:

  1. $HOME/.ssh/id_rsa - contains your private key.
  2. $HOME/.ssh/id_rsa.pub - contains your public key.

Sample sessions from above commands:

Animated gif -01: SSH Set Up Public Key Authentication Demo


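Use the scp or ssh-copy-id command to copy your public key file (e.g., $HOME/.ssh/id_rsa.pub) to your account on the remote server/host (e.g., nixcraft@server1.cyberciti.biz). Note that the scp form replaces any authorized_keys file that already exists on the remote host, while ssh-copy-id appends to it. To do so, enter: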
$ scp $HOME/.ssh/id_rsa.pub nixcraft@server1.cyberciti.biz:~/.ssh/authorized_keys
OR
$ ssh-copy-id -i $HOME/.ssh/id_rsa.pub nixcraft@server1.cyberciti.biz
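
What a non-destructive key install looks like on the server side, as an added example (not part of the original article): it appends the key only if it is missing, refuses a private key file, and sets the permissions sshd expects. The helper name add_authorized_key, its return codes and the optional directory argument are assumptions of this example.

```sh
#!/bin/sh
# Added example: append a public key to authorized_keys without clobbering it.
# add_authorized_key is an illustrative helper, not part of OpenSSH or keychain.

# usage:   add_authorized_key <pubkey-file> [ssh-dir]
# returns: 0 key is present afterwards, 1 unreadable input, 2 not a public key
add_authorized_key() {
    _pub=$1
    _dir=${2:-$HOME/.ssh}
    _auth=$_dir/authorized_keys

    [ -r "$_pub" ] || return 1
    # Guard against installing id_rsa instead of id_rsa.pub
    if grep -q 'PRIVATE KEY' "$_pub"; then return 2; fi
    _key=$(head -n 1 "$_pub")
    case $_key in
        ssh-*|ecdsa-*) ;;
        *) return 2 ;;
    esac

    # sshd (StrictModes) ignores keys kept in group/world-writable locations
    ( umask 077; mkdir -p "$_dir"; touch "$_auth" )
    chmod 700 "$_dir"
    chmod 600 "$_auth"

    # Idempotent: nothing to do if this exact line is already authorised
    grep -qxF -- "$_key" "$_auth" && return 0

    # Make sure the previous entry ends with a newline before appending
    if [ -s "$_auth" ] && [ -n "$(tail -c 1 "$_auth")" ]; then
        echo >> "$_auth"
    fi
    printf '%s\n' "$_key" >> "$_auth"
}
```
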

Configure keychain

Edit $HOME/.bashrc or ~/.bash_profile using a text editor such as vi:
$ vi $HOME/.bashrc
OR
$ vi $HOME/.bash_profile
Add/append the following lines:

#####################################################################################
### The --clear option makes sure an intruder cannot use the keys already loaded
### in your ssh-agent, i.e. only cron jobs are allowed to use passwordless login
#####################################################################################
/usr/bin/keychain --clear $HOME/.ssh/id_rsa
source $HOME/.keychain/$HOSTNAME-sh

OR

###########################################################################
# Allow $USER to use the keys. Enter the passphrase once and the keys
# remain loaded until you delete them or reboot the server
###########################################################################
/usr/bin/keychain $HOME/.ssh/id_rsa
source $HOME/.keychain/$HOSTNAME-sh

When you log in, you will see the keychain manager start as follows, so that your shells and cron jobs can share a single ssh-agent process:

Keychain in action
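
One way for a cron job to use the agent that keychain keeps running, as an added example (not part of the original article): source the $HOME/.keychain/$HOSTNAME-sh file and stop if the agent socket is gone or holds no keys, which is the state after a reboot or after --clear has flushed the keys. The function name use_keychain_agent and its return codes are assumptions of this example.

```sh
#!/bin/sh
# Added example: attach a cron job to the ssh-agent managed by keychain.
# use_keychain_agent and its return codes are illustrative, not part of keychain.

# usage:   use_keychain_agent [env-file]
# returns: 0 agent usable, 1 env file missing, 2 agent socket gone, 3 no keys loaded
use_keychain_agent() {
    _kc_env=${1:-$HOME/.keychain/${HOSTNAME:-$(hostname)}-sh}

    # keychain records SSH_AUTH_SOCK and SSH_AGENT_PID in this file
    [ -r "$_kc_env" ] || return 1
    . "$_kc_env" >/dev/null

    # A reboot kills the agent but leaves the env file behind
    [ -S "${SSH_AUTH_SOCK:-}" ] || return 2

    # ssh-add -l exits 0 only when at least one identity is loaded
    ssh-add -l >/dev/null 2>&1 || return 3
    return 0
}

# In the cron script (host taken from the article):
#   use_keychain_agent || { echo "no usable ssh-agent" >&2; exit 1; }
#   ssh -o BatchMode=yes nixcraft@server1.cyberciti.biz uptime
```

BatchMode=yes makes ssh fail instead of waiting for a passphrase or password prompt that a cron job can never answer.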

How do I test passwordless login?

Try logging in to your remote server:
$ ssh user@remote-box-name-here
$ ssh nixcraft@server1.cyberciti.biz
$ ssh nixcraft@server1.cyberciti.biz uptime
$ scp filename nixcraft@server1.cyberciti.biz:/path/to/dest

See also

See the following man pages for more information:


3 comments

1 Jer February 12, 2013 at 12:07 am

Just a small correction: I think it’s better served going into .bash_profile, per http://manpages.ubuntu.com/manpages/lucid/man1/keychain.1.html


2 Jeff February 26, 2014 at 6:10 pm

I get a warning that it can’t find id_rsa. I’m not sure what this is or if it is supposed to be set up by the install, or manually somehow. Can you comment?

Also I think:
mangeras = managers,


3 Nix Craft February 27, 2014 at 7:42 am

You need to create id_rsa and id_rsa.pub files. The page has been updated to include instructions. I appreciate your feedback and post.

I hope this helps!
