[nycbug-talk] ssh-agent and keychain

Jeff Quast af.dingo at gmail.com
Fri Feb 8 10:58:21 EST 2008


I wrote something similar to keychain and keep it in some .profile's.
It has worked on all ksh or bash machines I've been on so far. pgrep
is needed, though you can hack around it.

just remember to _LOCK_ your ssh agent when you're away, since your
keys are loaded in memory. gnu/screen can be locked, too, if that's
your poison, but it would be better to lock both. I had aliases like
alias lock='ssh-add -x; xlock' or something like that. You can
probably get lost in thousands of lines of screen info pages to figure
out how to make screen lock both your ssh keys and your gnu/screen
with a new key-binding.

Sorry if this script is redundant to the topic, but I noticed the
referenced 'keychain',
http://www.gentoo.org/proj/en/keychain/index.xml , is not available,
as it says 'source tarballs available...' to a dead link. emerge and
rpm only I guess. Typical gentoo/linux style to over-engineer and
evolve into deprecation while maintainers abandon ship.

# point to one or more ssh keys (a glob; expanded unquoted further down)
keys="$HOME/.ssh/rsa-key*"

# collect the comment column of every key the agent holds into $keychain
# and the count into $numkeys; "The agent has no identities." is skipped
# because its third word is "has"
build_keychain() {
        export keychain=$(ssh-add -l | awk '{ if ( $3 != "has") print $3 }')
        let numkeys=0
        for k in $keychain; do let "numkeys++"; done
        export numkeys
}

# return 0 if the given key path is already listed in $keychain
ison_keychain() {
        for key in $keychain; do
          [ X"$key" = X"$*" ] && return 0
        done
        return 1
}

if [ -o interactive ]; then
        if [ X"${keys}" != X"" ]; then
                # start agent if not running
                pgrep -U $USER ssh-agent 1>/dev/null 2>&1
                if [ $? -ne 0 ]; then
                  rm -f $HOME/.ssh/agent.$(hostname) # remove stale socket
                  eval `ssh-agent -s -a $HOME/.ssh/agent.$(hostname)`
                fi

                # export agent socket (fixed path, so later logins re-use it)
                [ -r $HOME/.ssh/agent.$(hostname) ] \
                  && export SSH_AUTH_SOCK="$HOME/.ssh/agent.$(hostname)"

                # add keys not on keychain
                build_keychain
                for add_key in $keys; do
                  if [ -f $add_key ]; then
                    ison_keychain "$add_key"
                    [ $? -eq 1 ] && ssh-add $add_key
                  fi
                done

                # echo number of keys in keychain
                build_keychain
                if [ X"$keychain" = X"" ]; then
                        echo keychain is empty
                else
                        echo -n $numkeys key
                        [ $numkeys -ge 2 ] && echo -n s
                        echo ' in keychain'
                fi
        fi
        # $back becomes IP of originating SSH connection, for instance,
        # scp file $back:
        # (first word of SSH_CONNECTION is the client address)
        back=${SSH_CONNECTION%% *}

        if [ X"$keychain" != X"" ]; then
                echo "SSH Forwarding of authentication agent enabled"
                # cheap hack, (re-use 'wssh' hook from /etc/ksh.kshrc):
                # keep wssh if ssh is already aliased to it, else plain ssh
                if alias ssh 2>/dev/null | grep -q wssh; then
                  alias ssh='wssh -A'
                else
                  alias ssh='ssh -A'
                fi
        fi
fi
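An added example, not part of the post above: the script's ison_keychain compares the comment column of "ssh-add -l" against a file path, but that column is the key's own comment and need not equal the path, so a key can be re-added (and prompt for its passphrase again) every login. This variant compares fingerprints instead and checks the agent's exit status first, which catches the stale-socket case where the agent process is alive but nothing answers on SSH_AUTH_SOCK. It assumes $keys is the glob variable from the script above; the listing parsers read stdin so they can be tried without a running agent.

```shell
#!/bin/sh
# Print the fingerprint column of each "ssh-add -l" line read on stdin,
# accepting both "SHA256:..." and the older colon-separated hex form.
# Messages like "The agent has no identities." carry none and are dropped.
agent_fingerprints() {
    awk '$2 ~ /^(SHA256|MD5):/ || $2 ~ /^([0-9a-f][0-9a-f]:)+[0-9a-f][0-9a-f]$/ { print $2 }'
}

# fingerprint_in_listing FP < listing: 0 if FP is one of the loaded keys.
fingerprint_in_listing() {
    agent_fingerprints | grep -qxF "$1"
}

# Map the exit status of "ssh-add -l" to a word: loaded / empty / unreachable.
# Status 2 means no agent answers on $SSH_AUTH_SOCK (e.g. a stale socket file).
agent_state() {
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo unreachable ;;
    esac
}

# Fingerprint of a private key file, via ssh-keygen; empty if it cannot be read.
key_fingerprint() {
    ssh-keygen -lf "$1" 2>/dev/null | awk '{ print $2 }'
}

# Add every file matching $keys (from the script above) whose fingerprint is
# not in the agent yet. Returns 2 without touching anything if the agent
# cannot be reached, so the caller can restart it rather than prompt in vain.
add_missing_keys() {
    [ "$(agent_state)" = unreachable ] && return 2
    listing=$(ssh-add -l 2>/dev/null)
    for k in $keys; do
        [ -f "$k" ] || continue
        fp=$(key_fingerprint "$k")
        [ -n "$fp" ] || continue
        printf '%s\n' "$listing" | fingerprint_in_listing "$fp" || ssh-add "$k"
    done
}
```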
