[nycbug-talk] ssh-agent and keychain

Steven Kreuzer skreuzer at exit2shell.com
Thu Feb 7 12:58:20 EST 2008

Last night, during Ike's talk about ssh-agent, a helper script that
wraps around it called keychain was brought up.
( http://www.gentoo.org/proj/en/keychain/index.xml )

I have been using keychain since around July and basically forgot the
problems I encountered that caused me to set this up. I went back to my
notes and bookmarks and in case anyone is interested, here is a rough

The issue I had was that on any given day, I need to do work on
thousands of machines spread out all over the world. My company's
corporate and production networks are kept separate for an additional
layer of security.  As a result, I am forced to first jump through a
proxy server, which is just a machine running ssh that only allows
connections from folks that need access to the production network.

Since it's a pain to have to keep bouncing through one box to get to
another, I set up GNU screen on the proxy server. I log in in the morning,
start screen, and every time I need to connect to a new host I simply
hit ctrl-a, a to create a new terminal and do what I need to do.

I would load all my keys into memory using ssh-agent so I could log into
boxes sans password, but ssh-agent has a few limitations based on my

Before, I had eval `ssh-agent` in my .kshrc, so every time I created a
new screen terminal, a new instance of ssh-agent would be started and it
would prompt me for the password for my keys. This was kinda wasteful
and annoying.

Enter keychain. In my .kshrc, I have the following:

~/bin/keychain --agents ssh -q ~/.ssh/identity
source ~/.keychain/$(hostname)-sh

When I first log in in the morning, it will load all my keys into memory.
Then I start screen, and for each new terminal I start under screen, my
.kshrc is sourced, and the keychain script is executed, but sees that I
already have an ssh-agent session going, so it exits and then sources all
the ssh variables from ~/.keychain/$(hostname)-sh

That's about it. Hopefully that clears up any questions anyone had about
keychain. If not, post them here and I will do my best to answer them.

In addition, IBM developerWorks had a 3 part tutorial on OpenSSH key
management that also has a blurb about keychain.

Part 1: http://www.ibm.com/developerworks/linux/library/l-keyc.html
Part 2: http://www.ibm.com/developerworks/linux/library/l-keyc2/
Part 3: http://www.ibm.com/developerworks/linux/library/l-keyc3/

Steven Kreuzer
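The mechanism Steven describes (one agent per host, its environment persisted to ~/.keychain/<host>-sh, every new screen window sourcing that file instead of starting another agent) can be reproduced in a few POSIX sh functions. This is an added illustration, not keychain's own code or anything from the original post; it assumes the env file has the shape `ssh-agent -s` prints, and the SSH_AGENT_CMD and KEYCHAIN_DIR variables are hypothetical knobs so the reuse logic can be exercised without a real agent.

```shell
#!/bin/sh
# Reuse a single ssh-agent across many shells (e.g. screen windows), the way
# the keychain script does: persist the agent's environment to a per-host
# file and have every new shell source that file instead of starting a new
# agent and being prompted for the key passphrase again.
# Assumption: the env file has the format `ssh-agent -s` prints
# (SSH_AUTH_SOCK=...; export SSH_AUTH_SOCK; SSH_AGENT_PID=...; ...).

: "${KEYCHAIN_DIR:=$HOME/.keychain}"
: "${SSH_AGENT_CMD:=ssh-agent}"   # hypothetical override, lets tests use a fake agent

# Per-host environment file, like keychain's ~/.keychain/$(hostname)-sh.
agent_env_file() {
    printf '%s/%s-sh\n' "$KEYCHAIN_DIR" "$(hostname)"
}

# Source a saved agent environment; succeed only if it exported a socket path.
load_agent_env() {
    [ -r "$1" ] || return 1
    # shellcheck disable=SC1090
    . "$1" >/dev/null          # silence the "Agent pid NNN" echo in the file
    [ -n "$SSH_AUTH_SOCK" ]
}

# True when the recorded agent PID is still a live process (stale files fail).
agent_alive() {
    [ -n "$SSH_AGENT_PID" ] && kill -0 "$SSH_AGENT_PID" 2>/dev/null
}

# Start a fresh agent, record its environment, and load it into this shell.
start_agent() {
    mkdir -p "$KEYCHAIN_DIR" && chmod 700 "$KEYCHAIN_DIR"
    # umask 077 so the socket path and PID are not readable by other users.
    ( umask 077; "$SSH_AGENT_CMD" -s > "$(agent_env_file)" )
    load_agent_env "$(agent_env_file)"
}

# Entry point for .kshrc: reuse the running agent if there is one, else start
# one. Sets AGENT_STATE to "reused" or "started" so the caller can tell.
ensure_agent() {
    if load_agent_env "$(agent_env_file)" && agent_alive; then
        AGENT_STATE=reused
    else
        start_agent && AGENT_STATE=started
    fi
}
```

Call `ensure_agent` from .kshrc; the first shell after login starts the agent (and `ssh-add` then asks for the passphrase once), and every later screen window reuses it.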
