Home / ubuntu / Questions / 138892
Accepted
pl1nk
Asked: 2012-05-19 04:08:02 +0800 CST

How can I permanently save a password-protected SSH key?

  • 772

I am using Awesome Window Manager

How can I permanently add private keys with password?

Inspired by the answer here I have added the private keys in ~/.ssh/config

Contents of ~/.ssh/config:

IdentityFile 'private key full path'

Permissions of ~/.ssh/config: 0700

But it doesn't work for me.

If I manually add the key in every session, it works but I'm looking for a more elegant way (not in .bashrc)

EDIT:

  • Using Gnome classic (no effects) version.

After adding the SSH key with ssh-copy-if to the remote host, I get the following prompt in terminal (GNOME Terminal 3.0.1) when I'm logging in:

ssh -i .ssh/Password-Protected-Key user@host
Enter passphrase for key '.ssh/Password-Protected-Key':
  • Using Awesome window manager v3.4.10. I had already gnome-keyring-dameon so I killed the other pid and run gnome-keyring-daemon --start | grep SOCK (I also added it in .profile) the (grep) output:

SSH_AUTH_SOCK=/tmp/keyring-2LXXXX/ssh

I followed the exact same steps and likewise I haven't got any GUI ssh-add dialog.

EDIT 2:

I created a new password protected key from Ubuntu 11.10 virtual machine on unity and I still can't get any password prompt.

EDIT 3: It seems that this cannot work in Awesome window manager :( and possibly other..

ssh unity awesome gnome-classic

5 Answers

  1. Making a password-protected SSH key persist across sessions and reboots

    This is probably what you want: entering the key passphrase once makes it available for ever whenever you're logged in. It will work for most users who are using the Unity or Gnome desktops.

    • When you connect after adding the public key to the remote server, you'll get the GUI ssh-add dialog:

      enter image description here

    • Expand the "Details" by clicking on the triangle, and you'll get the below. The default is "lock keyring when I log out", which requires you to enter the password once per session:

      enter image description here

    • Change it to Automatically unlock...whenever I'm logged in, which means it will work whenever you have logged in to your session -- it's "controlled" by your user password. It will persist across reboots.

      enter image description here

    • Enter the key passphrase once and that's it - the key is authenticated via the initial successful login to your desktop environment.

    If you are using AwesomeWM

    Tested with a fresh install of AwesomeWM in a fresh userid

    • By default, AwesomeWM uses ssh-agent:

      $ export | grep SSH
declare -x SSH_AGENT_PID="5479"
declare -x SSH_AUTH_SOCK="/tmp/ssh-fWCKNnPq5440/agent.5440"

    • To get the above steps to work, you must use gnome-keyring-daemon as the SSH authentication daemon, not ssh-agent. When you login using lightdm, PAM starts gnome-keyring-daemon that will try to unlock a login key with your unlock password, but you must add to you configuration to keep it running and use it.

    • Add the following to the end of your ~/.xprofile:

        #!/bin/bash
  eval $(gnome-keyring-daemon --start)
  export SSH_AUTH_SOCK
  export GNOME_KEYRING_PID
  export GNOME_KEYRING_CONTROL

    The commands in the ~/.xprofile file will be executed by xsession before starting the awesome window manager and will tie it to the gnome-keyring-daemon --login process started by PAM through the above environment variables.

    • Logout back to lightdm and log back in, and now when you do ssh user@host, you should get the above popups -- use those to decode your private keys in ~/.ssh/ and save your private keys to the gnome-keyring login keyring.

    The general solution for any window manager/desktop environment

    • is to use gnome-keyring-daemon instead of ssh-agent. For this, you need to be running gnome-keyring-daemon and have it initialized and either do this after ssh-agent is started or not start ssh-agent at all.

    • ssh (actually ssh-add) decides which authentication agent to call based on the value of the SSH_AUTH_SOCK environment variable, which can be checked by typing export | grep SOCK

    • this is of the form SSH_AUTH_SOCK=/tmp/ssh-MMFyVlI22130/agent.22130 for ssh-agent (NOT what you want to be able to save your key)

    • but of the form SSH_AUTH_SOCK="/tmp/keyring-mEQB5g/ssh" for gnome-keyring-daemon (which you want)

    • so check the value, and check with ps aux | grep keyring that gnome-keyring-daemon is running, and if so, initialize it with the results of gnome-keyring-daemon --start

    • you can then check the associated saved identities in the console by typing ssh-add -l -- if it shows "no agent" then you made a mistake configuring gnome-keyring-daemon.

    • 19

  2. The solution to your problem is using the ssh agent. You just have to unlock the password of your key once, after that it's retained in memory by the agent and used automatically

    • Generate a private/public key pair with ssh-keygen -t dsa
    • Copy the public key to the remote machine, usually this is ~/.ssh/authorized_keys (use ssh-copy-id for this)
    • Run ssh-add before login in to the remote system, this will ask for your passphrase and store it
    • Login to the remote system, no password necessary

    ssh-agent is described well on the .net, for example here:

    Another advantage of ssh-agent is that if you login to the remote system with ssh -A [email protected] you can further ssh from the domain.name computer to a third computer containing your public key without every copying you private key to the domain.name computer (and it never sees your private key, only the one-time challenge/response).

    • 2
  3. Best Answer

    If you are using Unity, or a session manager that starts gnome-keyring-daemon, you can simply use Seahorse (Passwords and Keys) to establish a key, define what it is for, set a passphrase, and distribute its public key to the computer you are going to use with ssh. No terminal commands are necessary.

    You create the password by:

    1. selecting File->New and select Secure Shell Key. Press Continue.

    2. Type in a descriptive name, and select Create and set up.

    3. You will be prompted to enter a keyphrase twice (the second time to check that you didn't mis-enter it the first time.

    4. Enter the computer to which the public key should be used and the user name on that computer for which you will be using the key. The public key will be copied to that other computer, prompting for your password on that computer if necessary.

    Now the My Personal Keys tab will display the key.

    Assuming gnome-keyring-daemon was started properly when you logged into Lightdm, and again by your session manager, when you first use the key with ssh you will be prompted for the keyphrase. In this dialog box you can provide the keyphrase, select the Details control and ask that the keyring be unlocked whenever you are logged in--automatically providing this key. Press OK

    You may not be prompted in this way if there is another key available for logging into the remote computer.

    After this has been accomplished the first Seahorse tab Passwords will list an "Unlock password entry" for the key name. Click on the triangle before "Passwords: Login" to see it.

    • 2

  4. you can use

    ssh-add 'filename or fullpath'

    you will be asked for the passphrase if yout key have one

    then you can connect with out password

    • -1

  5. If you want to work with private keys do:

    ssh-keygen -t rsa -N ''

    Then:

    copy .ssh/id_rsa.pub to machine destination in .ssh/authorized_keys via scp

    scp .ssh/id_rsa.pub user@remote_machine:~/.ssh/authorized_keys

    All done.

    Connect to remote machine without password:

    ssh user@remote_machine

    And we don't have password prompt.

    • -2