14

I have set up a password-less setup for ssh that uses public key authentication to connect to the desired remote server, and everything has been working quite well.

I'm using a passphrase to unlock the private key, using this solution— the problem is it asks for the password every time I start my system.

I found this to be troublesome. I want to enter it only once and for all, so the next time I boot up the session I won't have to enter it again. Is there something like a cached key that holds my passphrase and works across sessions (and also survives a reboot)?

Would it be possible to achieve all of this whilst keeping my ssh passphrase intact?

Liso

3 Answers

25

You want to use keychain.

The keychain program manages an instance of the key cache program ssh-agent. When ssh-agent is started, two environment variables are created to be eval'd. Normally, when the shell in which ssh-agent was started is closed, those environment variables are lost. The keychain program keeps track of those variables across logins and provides shell scripts in the ~/.keychain directory.

There are several ways to run keychain, one method is manually from the command line. Each time you start the shell, use:

eval `keychain --eval`

This will find ssh-agent if it's running, and start it if it's not. Either way, using eval on keychain will set the necessary environment variables where you can add keys using:

ssh-add <private-keyfile>

If private-keyfile has a password, you will be prompted to enter that password during the execution of ssh-add, but as long as ssh-agent is running that will be the last time you need to enter the password for the private key.

Because the eval of keychain sets the SSH_AUTH_SOCK environment variable, any run of ssh will use the ssh-agent to accomplish the authentication.

Another suggestion is to add the keychain execution to your .bashrc file, as suggested in this StackExchange answer.

To terminate keychain just enter the command:

keychain --stop mine

or if you want to bring down all the instances of ssh-agent, enter the command:

keychain --stop all

Just a note: using services such as ssh-agent defeats the security of passworded private key files by storing those authenticated keys in memory. This is not safe, especially with memory side-channel attacks. If you're not interested in key security, the simpler solution is to remove the password on the private key, as suggested by @vidarlo.

John J.
8

Run ssh-keygen -p. This will allow you to remove the passphrase set on the key. If no passphrase is set, it's stored in clear text, and you can use it without unlocking it:

$ ssh-keygen -p 
Enter file in which the key is (/home/user/.ssh/id_rsa): 
Enter old passphrase: 
Key has comment ''
Enter new passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved with the new passphrase.

Simply press enter when prompted for passphrase to set no passphrase. After that, you can use your key freely.

vidarlo
8

The simple answer is no.
That defeats the purpose (i.e. protection) if it's sustained across reboots.
You can, however, sustain it across login sessions and even across multiple terminals.

  • If you want to sustain it across login sessions but are OK with entering the password once per terminal, then add eval $(ssh-add) to .bash_profile

  • If you want to do it once per system reboot, then install keychain, change your ~/.ssh/config file to add keys to the keychain (AddKeysToAgent yes), and do the above step as well.

Liso
xrplorer
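The following is an added example, not code from any of the answers above: a ~/.profile fragment that combines the keychain approach from the first answer with the AddKeysToAgent setting from the third, reusing an already running agent instead of starting a new one each login. It assumes keychain and ssh-add are installed; the key path and the 60-minute timeout are placeholders.

```sh
#!/bin/sh
# Added example (not from any of the answers): a ~/.profile fragment.
# Assumptions: keychain and ssh-add are installed; KEYFILE and the
# 60-minute cap are placeholders, not values taken from the thread.
KEYFILE="${KEYFILE:-$HOME/.ssh/id_ed25519}"   # assumed key location
KEY_TTL_MIN="${KEY_TTL_MIN:-60}"               # keychain --timeout, minutes

# Returns 0 when SSH_AUTH_SOCK points at an agent that answers ssh-add -l.
# ssh-add exit status: 0 = keys loaded, 1 = agent reachable but empty,
# 2 = agent unreachable (127 if ssh-add is missing) -> not usable.
agent_usable() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ] || return 1
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -eq 0 ] || [ "$rc" -eq 1 ]
}

# Reuse a running agent, or let keychain start one and load KEYFILE
# (prompting for the passphrase once). --timeout limits how long the
# decrypted key stays in agent memory, which narrows the exposure the
# first answer warns about.
load_agent() {
    agent_usable && return 0
    command -v keychain >/dev/null 2>&1 || return 1
    eval "$(keychain --quiet --eval --timeout "$KEY_TTL_MIN" "$KEYFILE")"
}

# Idempotently append a trailing "Host *" block with AddKeysToAgent yes,
# so a key unlocked by a plain ssh invocation is also cached in the agent.
# The block goes at the end so it does not override per-host settings.
ensure_add_keys_to_agent() {
    cfg="${1:-$HOME/.ssh/config}"
    mkdir -p "$(dirname "$cfg")"
    grep -qi '^[[:space:]]*AddKeysToAgent' "$cfg" 2>/dev/null && return 0
    printf '\nHost *\n    AddKeysToAgent yes\n' >> "$cfg"
}

# In ~/.profile, after sourcing this file:
#   ensure_add_keys_to_agent
#   load_agent
```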