ssh-agent: How to set it up so my CentOS server will only ask for passphrase once?

Solution 1

You need a keyring or keychain to maintain the ssh-agent auth socket location for you.

On CentOS you can install keychain, see http://www.cyberciti.biz/faq/ssh-passwordless-login-with-keychain-for-scripts/ for a detailed guide on how to set up keychain on CentOS.

Solution 2

It appears that the RPMForge repo that is sourced for keychain in the Cyberciti.biz article is no longer recommended by CentOS. However, I was able to install keychain using the GhettoForge repo, which is also referenced in the CentOS wiki.

First, I copied the URL for the GhettoForge public RPM keys for my version of CentOS (they provide 5, 6, and 7, but I only needed the one for 6). Next, I copied the URL for the newest 'gf-release' package from GhettoForge's Usage page. Finally, I ran the following commands from my server to install keychain (keep in mind that your URLs may be different):

# import the GhettoForge signing key for CentOS 6, then install the release package that adds the repo
rpm --import http://mirror.symnds.com/distributions/gf/RPM-GPG-KEY-gf.el6
rpm -Uvh http://mirror.symnds.com/distributions/gf/el/6/gf/x86_64/gf-release-6-10.gf.el6.noarch.rpm
# refresh yum's metadata so the new repo is seen, then install keychain from it
yum clean all
yum install keychain

Additional note: It appears that at this time keychain is only available for CentOS 5 and 6 from GhettoForge's repo.
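What keychain does for you, written out by hand as an added example (not code from either answer): one ssh-agent is started per boot, its socket location is saved to a file, and later logins reuse that agent instead of starting a new one, so the passphrase is entered once. The file ~/.ssh/agent.env and the key name id_rsa are assumptions; the keychain one-liner in the comment is the equivalent once keychain is installed.

```shell
#!/bin/sh
# Added example (not from either answer): the job keychain does, written out
# by hand so the moving parts are visible. One ssh-agent is started per boot,
# its socket location is saved to a file, and later logins reuse that agent
# instead of starting a new one, so the passphrase is typed only once.
# Assumed paths: ~/.ssh/agent.env for the saved environment, ~/.ssh/id_rsa
# for the key. Source this file from ~/.bash_profile.

AGENT_ENV="${HOME}/.ssh/agent.env"
KEY_FILE="${HOME}/.ssh/id_rsa"

# agent_alive FILE: succeed only if FILE names an agent we can still talk to.
agent_alive() {
    [ -r "$1" ] || return 1
    . "$1" >/dev/null                    # sets SSH_AUTH_SOCK / SSH_AGENT_PID
    [ -S "${SSH_AUTH_SOCK:-}" ] || return 1
    ssh-add -l >/dev/null 2>&1
    case $? in
        0|1) return 0 ;;                 # 0: keys loaded, 1: agent up, no keys
        *)   return 1 ;;                 # 2: socket exists but agent is gone
    esac
}

# start_agent: launch a fresh agent and record its environment, readable
# only by the owner, since anyone who can reach the socket can use the
# loaded key. The umask change is confined to a subshell.
start_agent() {
    ( umask 077; ssh-agent -s >"$AGENT_ENV" ) || return 1
    . "$AGENT_ENV" >/dev/null
}

# ensure_agent: reuse the saved agent or start one, then load the key only
# if it is not already loaded (this is the single passphrase prompt).
ensure_agent() {
    agent_alive "$AGENT_ENV" || start_agent || return 1
    ssh-add -l >/dev/null 2>&1 || ssh-add "$KEY_FILE"
}

# With keychain installed, the equivalent one-liner for ~/.bash_profile is:
#   eval "$(keychain --eval --agents ssh id_rsa)"

# Only run in interactive shells, so scripts that source the profile do
# not trip over a missing terminal when the passphrase prompt appears.
case $- in
    *i*) ensure_agent ;;
esac
```

The passphrase is still asked once after every reboot, since the agent holds the decrypted key only in memory.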

Author: Steven Lu

Updated on September 18, 2022

Comments

  • Steven Lu, almost 2 years

    On my MacBook, my SSH private key is encrypted, but I never have to re-enter the passphrase even if I reboot the machine.

    The system must be unlocking it along with my user account.

    Is it possible to set it up the same way for my user account on a CentOS server? There should be some sort of option that would basically encrypt the privatekey with the user account password (or at least encrypt the passphrase with the user password). I do not want the private key in plaintext on the hard disk, and would prefer not to have to enter many passwords.

    If the answer is no, then I probably will need to enter it once each time the server is booted. That is less good, but since that should be a rare occurrence, that would be tolerable.

  • Steven Lu, almost 11 years
    Is there a way to get this to restore the passphrases upon server reboot? (it should be able to do this by encrypting the passphrases with the user login)
  • Coyolero, almost 11 years
    @Steven No keychain/keyring program will persist the passwords across reboots, it's not secure. If you are looking for a solution to manage your passwords/keys, try LastPass/1Password/etc., and that should never run on your servers.
  • Steven Lu, almost 11 years
    I did get it set up and it works nicely. Entering once on reboot is perfectly fine.
  • Steven Lu, over 9 years
    Now trying to update my scripts for CentOS 7, this does not seem so simple. I don't know why I was okay with installing a repository using an http URL to begin with. But this whole keychain business is already a bit of a tin-foil-hat contraption to begin with. I am going to use a well-encrypted private key on machines that need it (and type the pass to unlock that key when it is used there), and generate unencrypted private keys on other general purpose environments. Don't need to have any more impediments than there already are...
  • Steven Lu, over 7 years
    I use CentOS 7 now. I also gave up and use unencrypted privkeys. ¯\_(ツ)_/¯ So far ssh agent forwarding keeps stuff simple.
  • FCTW, over 7 years
    @StevenLu Thanks for the update, and suggestions! It's probably a good idea not to use unencrypted private keys.
  • Steven Lu, over 7 years
    Yes... I think maybe I didn't mean what I wrote... I have generally been successful in setting up ssh agent forwarding on my servers. This means that I can avoid setting up ssh keys (encrypted or otherwise) on my servers themselves, and simply distribute the public keys of my trusted device ssh keys (which are always encrypted private keys), and the ssh key forwarding makes everything just work. It would cease to work when the server runs scripts that involve ssh credentials (such as fetching private git repos), however.