On 02/11/06, Will McDonald <wmcdonald at gmail.com> wrote: > Guys, I wonder if anyone can give me any pointers here, I hope it's > CentOS related enough not to be too off topic, if it is then > apologies. Thanks to Marc and Ingimar for their suggestions, I think we've cracked it. When Keychain runs it prompts the user for their private key password then stores the ssh-agent information away in ~/.keychain/$hostname-sh and ~/.keychain/$hostname-csh. For example... [root at webdev1 ~]# cat ~apache/.keychain/`hostname`-sh SSH_AUTH_SOCK=/tmp/ssh-yheGAI4188/agent.4188; export SSH_AUTH_SOCK; SSH_AGENT_PID=4189; export SSH_AGENT_PID; Ingimar suggested these environment variables might not be available to the CGI environment and he was spot on. It appears Agent.pm from Net::SSH::Perl looks for these in the environment and can find them when scripts are run from the shell because they're there (duh me :)). So, setup a password protected keypair and run Keychain from .bash_profile as follows... [root at webdev1 ~]# cat ~apache/.bash_profile keychain --nogui id_dsa --clear [[ -f $HOME/.keychain/$HOSTNAME-sh ]] && source $HOME/.keychain/$HOSTNAME-sh [[ -f $HOME/.keychain/$HOSTNAME-sh-gpg ]] && source $HOME/.keychain/$HOSTNAME-sh-gpg The '--clear' will remove all Keychain information on login (though not perfectly, it could be circumvented with a well-timed CTRL-C) but, critically, leave it available for non-interactive sessions if you login, enter private key passphrase then logout. You'll initially need to "su - apache" once if the box reboots and you need to enter the private key password if you need to 'su' to do anything else as the user, otherwise the ssh-agent information is available to scripts running as that user. For bash, as mentioned I'd just import it with [[ -f $HOME/.keychain/$HOSTNAME-sh ]] && source $HOME/.keychain/$HOSTNAME-sh For the Perl script I needed to add: $ENV{SSH_AGENT_PID}="4189"; $ENV{SSH_AUTH_SOCK}="/tmp/ssh-yheGAI4188/agent.4188"; Obviously, I'll read those in properly from ~/.keychain/$hostname-sh in the final script but as proof of concept... :) Will.