[nycbug-talk] ssh-agent and keychain

Brian Gupta brian.gupta at gmail.com
Fri Feb 8 14:50:00 EST 2008


On Feb 8, 2008 10:58 AM, Jeff Quast <af.dingo at gmail.com> wrote:

> I wrote something similar to keychain and keep it in some .profile's.
> It has worked on all ksh or bash machines i've been on so far. pgrep
> is needed, though you can hack around it.
>
> just remember to _LOCK_ your ssh agent when you're away, since your
> keys are loaded in memory. gnu/screen can be locked, too, if thats
> your poison, but it would be better to lock both. I had aliases like
> alias lock='ssh-add -x; xlock' or something like that. You can
> probobly get lost in thousands of lines of screen info pages to figure
> out how to make screen lock both your ssh keys and your gnu/screen
> with a new key-binding.
>
> Sorry of this script is redundant to the topic, but I noticed the
> referenced 'keychain',
> http://www.gentoo.org/proj/en/keychain/index.xml , is not available,
> as it says 'source tarballs available...' to a dead link. emerge and
> rpm only i guess. Typical gentoo/linux style to over-engineer and
> evolve into deprication while maintainers abandon ship.


I found a NetBSD package with this the Gentoo keychain script here:
http://pkgsrc.se/security/keychain
and a FreeBSD port here: http://www.freshports.org/security/keychain/
and a tarball here: http://www.net-security.org/software.php?id=239

I can also verify that "keychain" works on Solaris as well as Linux and BSD.

(I don't know how keychain compares to your script, but it does look good.)

(Frankly it's one of those things that just works, and I suspect once they
had it tested and working on most of the major platforms there was little
need for further development.)

# point to one or more ssh keys
> keys="$HOME/.ssh/rsa-key*"
>
> build_keychain() {
>        export keychain=$(ssh-add -l | awk '{ if ( $3 != "has") print $3
> }')
>        let numkeys=0
>        for k in $keychain; do let "numkeys++"; done
>        export numkeys
> }
>
> ison_keychain() {
>        for key in $keychain; do
>          [ X"$key" == X"$*" ] && return 0
>        done
>        return 1
> }
>
> if [ -o interactive ]; then
>        if [ X"${keys}" != X"" ]; then
>                # start agent if not running
>                pgrep -U $USER ssh-agent 1>/dev/null 2>&1
>                if [ $? -ne 0 ]; then
>                  rm -f $HOME/.ssh/agent.$(hostname) # remove stale socket
>                  eval `ssh-agent -s -a $HOME/.ssh/agent.$(hostname)`
>                fi
>
>                # export agent socket
>                [ -r $HOME/.ssh/agent.$(hostname) ] \
>                  && export SSH_AUTH_SOCK="$HOME/.ssh/agent.$(hostname)"
>
>                # add keys not on keychain
>                build_keychain
>                for add_key in $keys; do
>                  if [ -f $add_key ]; then
>                    ison_keychain "$add_key"
>                    [ $? -eq 1 ] && ssh-add $add_key
>                  fi
>                done
>
>                # echo number of keys in keychain
>                build_keychain
>                if [ X"$keychain" == X"" ]; then
>                        echo keychain is empty
>                else
>                        echo -n $numkeys key
>                        [ $numkeys -ge 2 ] && echo -n s
>                        echo ' in keychain'
>                fi
>        fi
>        # $back becomes IP of originating SSH connection, for instance,
>        # scp file $back:
>        back=$(echo $SSH_CONNECTION | awk -F[=\ ] '{ print $1 }')
>
>        if [ X"$keychain" != X"" ]; then
>                echo "SSH Forwarding of authentication agent enabled"
>                # cheap hack, (re-use 'wssh' hook from /etc/ksh.kshrc)
>                [ alias | awk -F "['\ ]" '/^ssh/{print $2}' ] \
>                  && alias ssh='wssh -A' \
>                  || alias ssh='ssh -A'
>        fi
> fi
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
>



-- 
- Brian Gupta

http://opensolaris.org/os/project/nycosug/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nycbug.org/pipermail/talk/attachments/20080208/e74e2492/attachment.html>


More information about the talk mailing list