Ubuntu / Debian Linux Server Install Keychain SSH Key Manager For OpenSSH

Last updated September 24, 2017

I do not want to start ssh-agent and ssh-add manually, as described here, to manage my ssh keys for passwordless login. How do I install the keychain software to manage my keys on a Debian or Ubuntu based cloud server?

OpenSSH offers RSA and DSA authentication to remote systems without supplying a password. keychain is a manager for ssh-agent. The ssh-agent started by keychain is long-running: it keeps running even after you have logged out of the system, although you can control this behaviour. This lets your interactive shells and your cron jobs (backups, for example) share a single ssh-agent process. From the man page:

When keychain is run, it checks for a running ssh-agent, otherwise it starts one. It saves the ssh-agent environment variables to ~/.keychain/${HOSTNAME}-sh, so that subsequent logins and non-interactive shells such as cron jobs can source the file and make passwordless ssh connections. Keychain supports most UNIX-like operating systems, including Cygwin. It works with Bourne-compatible, csh-compatible and fish shells.

Installing keychain for Debian and friends

You can install keychain, the key manager for OpenSSH, with apt-get from the command line over an ssh session to your cloud instance, VPS or dedicated server. Type the following apt-get or apt command as the root user:
$ sudo apt-get install keychain
OR
# apt-get install keychain
Sample outputs:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
Suggested packages:
  ssh-askpass
The following NEW packages will be installed:
  keychain
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 38.4 kB of archives.
After this operation, 85.0 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian stretch/main amd64 keychain all 2.8.2-0.1 [38.4 kB]
Fetched 38.4 kB in 0s (179 kB/s)
Selecting previously unselected package keychain.
(Reading database ... 24724 files and directories currently installed.)
Preparing to unpack .../keychain_2.8.2-0.1_all.deb ...
Unpacking keychain (2.8.2-0.1) ...
Processing triggers for man-db (2.7.6.1-2) ...
Setting up keychain (2.8.2-0.1) ...

How do I set up public key authentication?

First, create a directory called $HOME/.ssh/ using the mkdir command:
$ mkdir $HOME/.ssh/
$ chmod 0700 $HOME/.ssh/

Type any one of the following commands to generate your public and private keys in the $HOME/.ssh/ directory using RSA (or any other supported key type):
$ ssh-keygen
OR
$ ssh-keygen -t rsa -b 2048
OR
$ ssh-keygen -t rsa
Assign a passphrase when prompted. You should see two new files in the $HOME/.ssh/ directory:

  1. $HOME/.ssh/id_rsa – contains your private key.
  2. $HOME/.ssh/id_rsa.pub – contains your public key.

Sample sessions from above commands:

Animated gif -01: SSH Set Up Public Key Authentication Demo

Use the scp or ssh-copy-id command to copy your public key file (e.g., $HOME/.ssh/id_rsa.pub) to your account on the remote server/host (e.g., [email protected]). To do so, enter:
## [ warning this will overwrite existing file on the remote box ] ##
$ scp $HOME/.ssh/id_rsa.pub [email protected]:~/.ssh/authorized_keys

It is better to use the ssh-copy-id command to copy or append locally available keys to authorise logins on a remote box:
$ ssh-copy-id -i $HOME/.ssh/id_rsa.pub [email protected]

Configure keychain

You need to edit the file $HOME/.bashrc or $HOME/.bash_profile using a text editor such as vi. Run:
$ vi $HOME/.bashrc
OR
$ vi $HOME/.bash_profile
Add/append the following lines:

#####################################################################################
### The --clear option tells keychain to treat you as an intruder until you
### prove otherwise: keys already loaded in the agent are removed at each login
### and you are asked for the passphrase again. Cron jobs can still use the
### agent between logins, so only they get passwordless access automatically.
#####################################################################################
/usr/bin/keychain --clear $HOME/.ssh/id_rsa
source $HOME/.keychain/$HOSTNAME-sh

OR

###########################################################################
# Allow $USER to use the keys. Enter the passphrase once and the key stays
# loaded in the agent until you remove it or the server reboots.
###########################################################################
/usr/bin/keychain $HOME/.ssh/id_rsa
source $HOME/.keychain/$HOSTNAME-sh

When you log in, you will see the keychain manager's output as follows; from now on your shells and cron jobs share a single ssh-agent process:

Keychain in action
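To make the cron-job case concrete, here is an added wrapper script (not from the original post) that a backup job can call from crontab: it sources the environment file keychain writes, refuses to run unless the agent socket exists and at least one identity is loaded, and only then runs the job. The run_backup_job function, the rsync command and the backup.example.com host are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): cron-safe wrapper around the
# ssh-agent environment that keychain saves to ~/.keychain/${HOSTNAME}-sh.
# The backup command and remote host below are placeholders, not real values.

# Source the keychain environment file. Exit status:
#   0  agent variables loaded and the agent socket exists
#   1  the environment file is missing or unreadable
#   2  the file names an SSH_AUTH_SOCK that no longer exists (agent gone/rebooted)
load_keychain_env() {
    kc_envfile="${1:-$HOME/.keychain/$(hostname)-sh}"
    [ -r "$kc_envfile" ] || return 1
    # The file is plain "VAR=value; export VAR;" lines written by keychain.
    . "$kc_envfile" >/dev/null
    [ -S "${SSH_AUTH_SOCK:-}" ] || return 2
    return 0
}

# Succeed only if the agent answers and holds at least one identity;
# ssh-add -l exits 1 when the agent is empty and 2 when it is unreachable.
agent_has_key() {
    ssh-add -l >/dev/null 2>&1
}

# The actual cron job. Nothing runs unless the agent is usable, so a broken
# keychain setup produces a clear log line instead of a hung passphrase
# prompt inside cron.
run_backup_job() {
    if load_keychain_env; then kc_rc=0; else kc_rc=$?; fi
    if [ "$kc_rc" -ne 0 ]; then
        echo "backup: keychain environment not usable (status $kc_rc)" >&2
        return "$kc_rc"
    fi
    if ! agent_has_key; then
        echo "backup: no identity loaded in ssh-agent; log in once to add it" >&2
        return 1
    fi
    # Placeholder job: replace with your real rsync/scp command.
    rsync -a "$HOME/data/" backup@backup.example.com:/srv/backups/"$(hostname)"/
}

# Run the job only when invoked with "run", e.g. from crontab:
#   0 2 * * * $HOME/bin/backup-wrapper.sh run >>$HOME/backup.log 2>&1
if [ "${1:-}" = "run" ]; then
    run_backup_job
fi
```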

How do I test passwordless login?

Try logging in to your remote server:
$ ssh [email protected]
$ ssh [email protected]
$ ssh [email protected] uptime
$ scp filename [email protected]:/path/to/dest

Or use a bash for loop to test passwordless login against several hosts:

for i in cbz0{1..4} gfs0{1..4}
do
 ssh $i uptime
done

Sample outputs:

 12:48:54 up 32 days, 15:40,  1 user,  load average: 0.12, 0.13, 0.09
 12:48:54 up 32 days, 15:39,  0 users,  load average: 0.04, 0.06, 0.01
 12:48:54 up 32 days, 15:40,  0 users,  load average: 0.01, 0.03, 0.00
 12:48:54 up 34 days, 20:11,  0 users,  load average: 0.25, 0.09, 0.02
 12:48:55 up 34 days, 20:15,  0 users,  load average: 0.00, 0.01, 0.00
 12:48:55 up 34 days, 20:09,  0 users,  load average: 0.02, 0.04, 0.00
 12:48:55 up 34 days, 20:05,  0 users,  load average: 0.02, 0.06, 0.04
 12:48:56 up 34 days, 19:58,  0 users,  load average: 0.00, 0.00, 0.00
See also

See the following man pages for more information:

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector.


3 comments

  1. I get a warning that it can’t find id_rsa. I’m not sure what this is or if it is supposed to be setup by the install, or manually somehow. Can you comment?

    Also I think:
    mangeras = managers,
