[CentOS] keychain problem

Sun Jan 16 05:46:32 UTC 2011
bluethundr <bluethundr at gmail.com>

That's a great clarification for which I cannot thank you enough. I
will look up SSH Agent Forwarding and start getting the hang of it.
The centos list is a tremendous help for situations like these! :)

On Sun, Jan 16, 2011 at 12:22 AM, Cameron Kerr <cameron at humbledown.org> wrote:
>
> On 16/01/2011, at 2:12 PM, bluethundr wrote:
>
>> Hello and thanks for your reply!
>>
>> Well I took your advice and removed that keychain scriptlet from
>> .bashrc and put it into .bash_profile. Not sure what the functional
>> difference between the two would be. Perhaps you would care to
>> elaborate? I know that rc stands for "resource configuration" but
>> other than that I don't know why this statement would be more
>> appropriate in the .bash_profile. However you do seem well versed in
>> this and I hope you don't mind answering this question.
>>
>
> .bash_profile is executed for login shells (followed by .bashrc).
>
> .bashrc is executed for non-login shells as well.
>
> .bash_profile should therefore be used for session setup tasks.
>
>> So this is what I put into my .bash_profile
>>
>> $(keychain --eval --agents ssh id_rsa)
>>
>> and here is an ssh session from after when I did this:
>>
>> [bluethundr at LCENT01:~]#bash
>> [bluethundr at LCENT01:~]#ssh-agent
>> SSH_AUTH_SOCK=/tmp/ssh-cBwwRR5466/agent.5466; export SSH_AUTH_SOCK;
>> SSH_AGENT_PID=5467; export SSH_AGENT_PID;
>
> Here you are not actually starting the ssh-agent in the background (which explains why it is outputting environment variables). You should give it a second parameter to tell it which program to launch.
>
> ssh-agent bash
>
> However, this will cause the parent shell to become redundant, so you want to instead replace it with the shell that ssh-agent starts (that shell has the environment variables set appropriately).
>
> exec ssh-agent bash
>
> Now when you use ssh-add, it should be able to see the agent.
>
>> echo Agent pid 5467;
>> [bluethundr at LCENT01:~]#ssh-add
>> Could not open a connection to your authentication agent.
>> [bluethundr at LCENT01:~]#exec ssh-agent bash
>> [bluethundr at LCENT01:~]#ssh-add
>> Enter passphrase for /home/bluethundr/.ssh/id_rsa:
>> Identity added: /home/bluethundr/.ssh/id_rsa (/home/bluethundr/.ssh/id_rsa)
>>
>> So this behavior did not change. I still have to enter my passphrase
>> again after I put this into my .bash_profile
>>
>
> Of course. The passphrase is important because it encrypts the private key. This, presumably, is why you are using the 'keychain' program, which is typically used to have a key unlocked manually by a system administrator (eg. after boot), so that cron jobs, etc, can access it.
>
>>
>> [bluethundr at LCENT01:~]#ssh virt1
>> Last login: Sat Jan 15 11:51:08 2011 from 192.168.1.42
>> #########################################################
>> #               SUMMITNJHOME.COM                        #
>> #               TITLE:       LB1 BOX                    #
>> #               HOST:        VIRTCENT01                 #
>> #               LOCATION:    SUMMIT BASEMENT            #
>> #########################################################
>>
>> * keychain 2.7.0 ~ http://www.funtoo.org
>> * Found existing ssh-agent: 27556
>> * Adding 1 ssh key(s): /home/bluethundr/.ssh/id_rsa
>> Enter passphrase for /home/bluethundr/.ssh/id_rsa:
>> Bad passphrase, try again for /home/bluethundr/.ssh/id_rsa:
>> * ssh-add: Identities added: /home/bluethundr/.ssh/id_rsa
>>
>> This is new.. now I get prompted for the passphrase AGAIN once I reach
>> the server I am ssh'ing in to.
>
> This is why ssh-add (and presumably also 'keychain'), should NOT be included in your ~/.bash_profile or ~/.bashrc (or similar).
> SSH Agent Forwarding is the correct way to approach this problem: it generally increases system security (keys become easier to manage) and reduces user support requirements.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>



-- 
GPG me!!

gpg --keyserver pgp.mit.edu --recv-keys F186197B