03/06/2019

How to install keychain manager for ssh-agent on CentOS 6/7



OpenSSH offers RSA and DSA authentication to remote systems without supplying a password. keychain is a special bash script designed to make key-based authentication incredibly convenient and flexible. It offers various security benefits over passphrase-free keys. How do I install keychain on a CentOS Linux 6.x or 7.x?

keychain is a manager for ssh-agent, typically run from ~/.bash_profile file on a CentOS Linux. It allows your shells and cron jobs to easily share a single ssh-agent process. By default, the ssh-agent started by keychain is long-running and will continue to run, even after you have logged out from the system. If you want to change this behavior, pass the --clear and --timeout options, described below.

This page shows how to install Keychain manager on a CentOS Linux version 6.x or 7.x using the yum command.

Step 1 – Enable psychotic repo

Type the following rpm command to import the repository's GPG signing key, so that yum can verify the packages it downloads from it:
$ sudo rpm --import http://wiki.psychotic.ninja/RPM-GPG-KEY-psychotic
Install the repository configuration by typing the following command:
$ sudo rpm -ivh http://packages.psychotic.ninja/6/base/i386/RPMS/psychotic-release-1.0.0-1.el6.psychotic.noarch.rpm
Sample outputs:

Retrieving http://packages.psychotic.ninja/6/base/i386/RPMS/psychotic-release-1.0.0-1.el6.psychotic.noarch.rpm
Preparing...                                                            (100%################################# [100%]
Updating / installing...
   1:psychotic-release-1.0.0-1.el6.psy                                  (  2%################################# [100%]

Step 2 – Install keychain

Type the following yum command to install keychain:
$ sudo yum --enablerepo=psychotic install keychain
Sample outputs:

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos-hn.viettelidc.com.vn
 * epel: ftp.cuhk.edu.hk
 * extras: mirrors.vinahost.vn
 * updates: centos.excellmedia.net
Resolving Dependencies
--> Running transaction check
---> Package keychain.noarch 0:2.8.0-3.el7.psychotic will be installed
--> Finished Dependency Resolution
 
Dependencies Resolved
 
======================================================================
 Package     Arch      Version                     Repository    Size
======================================================================
Installing:
 keychain    noarch    2.8.0-3.el7.psychotic       psychotic     44 k
 
Transaction Summary
======================================================================
Install  1 Package
 
Total download size: 44 k
Installed size: 97 k
Is this ok [y/d/N]: y
Downloading packages:
keychain-2.8.0-3.el7.psychotic.noarch.rpm        |  44 kB   00:01     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
  Installing : keychain-2.8.0-3.el7.psychotic.noarch              1/1 
  Verifying  : keychain-2.8.0-3.el7.psychotic.noarch              1/1 
 
Installed:
  keychain.noarch 0:2.8.0-3.el7.psychotic                             
 
Complete!

Step 3 – Set up SSH keys with a passphrase

You need to set up an SSH key pair protected by a passphrase. The syntax is:
$ ssh-keygen -t rsa
Assign the passphrase when prompted.

Step 4 – Update your ~/.bash_profile

Once your OpenSSH key is protected by a passphrase, update your $HOME/.bash_profile file (your personal initialization file, executed for login bash shells) using a text editor such as vi, nano or vim:
$ vi $HOME/.bash_profile
Append the following:

/usr/bin/keychain $HOME/.ssh/id_rsa
source $HOME/.keychain/$HOSTNAME-sh

OR use the eval command as follows in your ~/.bash_profile:
eval $(/usr/bin/keychain --eval --agents ssh id_rsa)
Save and close the file.

Step 5 – Test it

Use the ssh command to login as follows from your desktop/laptop/other servers:
$ ssh root@centos-7-server
$ ssh vivek@centos-7-server-ip-here

Step 6 – What next?

keychain is up and running on your CentOS 6.x/7.x box. Now all you have to do is append your server's public key file $HOME/.ssh/id_rsa.pub to the authorized keys on your other UNIX / Linux / BSD / macOS boxes:
## [ copy file to my MacbookPRO macOS and x230 Ubuntu Linux laptop ] ##
# ssh-copy-id -i ~/.ssh/id_rsa.pub vivek@macbookpro
# ssh-copy-id -i ~/.ssh/id_rsa.pub vivek@x230

Sample outputs:

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host 'x230 (192.168.2.21)' can't be established.
ECDSA key fingerprint is SHA256:gz7S2ecz/V4kMkVVH4LZOCyA2J17luVfEUS1uxiHVsg.
ECDSA key fingerprint is MD5:5d:78:32:df:ac:fe:4f:33:4e:02:93:da:99:d4:4b:b5.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
vivek@x230's password: 
 
Number of key(s) added: 1
 
Now try logging into the machine, with:   "ssh 'vivek@x230'"
and check to make sure that only the key(s) you wanted were added.

How do I delete all of ssh-agent’s keys?

The syntax is:
keychain --clear
Typically this is used in .bash_profile. The theory behind it is that keychain should assume you are an intruder until proven otherwise, so every new login has to re-enter the passphrase. However, while this option increases security, it still allows your cron jobs to use your ssh keys while you are logged out. For example, the following grep command shows the entry on a backup server:
$ grep 'keychain' $HOME/.bash_profile
/usr/bin/keychain --clear $HOME/.ssh/id_rsa
source $HOME/.keychain/$HOSTNAME-sh

How do I set a timeout in minutes on my keys?

The syntax is:
keychain --timeout minutes
/usr/bin/keychain --timeout 30 $HOME/.ssh/id_rsa
source $HOME/.keychain/$HOSTNAME-sh

This is conveyed to ssh-agent, which does the actual timing out of keys, since keychain itself doesn't run continuously. For more information, see the keychain man page.
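The ~/.bash_profile setup from Step 4 and the --clear and --timeout options from the two sections above, combined in one helper that refuses to load a key which is not mode 0600 or has no passphrase. This is an added example, not code from the original post or from the keychain project; it assumes GNU stat (as on CentOS) and introduces a hypothetical KEYCHAIN_TIMEOUT variable.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Helper for ~/.bash_profile that
# only hands a key to keychain if it passes two checks: mode 0600 (ssh itself
# rejects group/world-readable private keys) and a passphrase on the key, which
# is the property keychain exists to make bearable. Assumes GNU stat (CentOS).

# key_is_encrypted FILE: exit 0 if the private key needs a passphrase.
# PEM-format keys carry a "Proc-Type: 4,ENCRYPTED" header; for the newer
# OpenSSH format we fall back to ssh-keygen, which cannot read an encrypted
# key with an empty passphrase. If neither check applies, report "not
# encrypted" so the caller refuses the key rather than silently loading it.
key_is_encrypted() {
    local key="$1"
    if head -n 1 "$key" | grep -Eq 'BEGIN (RSA|DSA|EC) PRIVATE KEY'; then
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$key"; then return 0; else return 1; fi
    fi
    if command -v ssh-keygen >/dev/null 2>&1; then
        if ssh-keygen -y -P '' -f "$key" >/dev/null 2>&1; then return 1; else return 0; fi
    fi
    return 1
}

# keychain_line FILE: print the keychain command to eval, or exit 1 with the
# reason on stderr. KEYCHAIN_TIMEOUT (minutes; hypothetical variable introduced
# by this example) defaults to the 30 used in the post's --timeout sample.
keychain_line() {
    local key="$1" mode
    [ -f "$key" ] || { echo "no such key: $key" >&2; return 1; }
    mode=$(stat -c '%a' "$key")
    [ "$mode" = 600 ] || { echo "$key is mode $mode, want 600" >&2; return 1; }
    key_is_encrypted "$key" || { echo "$key has no passphrase; refusing" >&2; return 1; }
    # --clear: drop cached keys at every login (cron jobs keep working);
    # --timeout: ssh-agent forgets the key after N minutes;
    # --eval: emit the SSH_AUTH_SOCK/SSH_AGENT_PID exports for this shell.
    printf '/usr/bin/keychain --clear --timeout %s --eval --agents ssh %s\n' \
        "${KEYCHAIN_TIMEOUT:-30}" "$key"
}

# In ~/.bash_profile:
#   eval "$(keychain_line "$HOME/.ssh/id_rsa")"
```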

Posted by: SXI ADMIN

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.