sonia hamilton – life on the digital bikepath – sonia@snowfrog.net

15 November 2007

ssh, ssh-agent, keychain and cron notes

Filed under: Ssh — Sonia @ 20:05

Summary

To setup ssh and keychain to allow ssh related jobs to run from cron:

  • generate keys with a password (ssh-keygen -t dsa) and install keychain. Do this only on secure machines, i.e. ones that only you (or a small number of trusted admins) can log on to as root – typically your laptop/desktop and a secure admin server
  • add the following lines to your ~/.profile:
    export HOSTNAME=`hostname`   # HOSTNAME is not set on some machines
    if [ -x /usr/bin/keychain ] ; then
        /usr/bin/keychain "$HOME/.ssh/id_rsa"
        # keychain creates this file itself, so only test for it after keychain has run
        # (testing for it before running keychain means keychain never runs on a fresh machine)
        [ -f "$HOME/.keychain/${HOSTNAME}-sh" ] && source "$HOME/.keychain/${HOSTNAME}-sh"
    fi
  • some sites say .bash_profile, but I use .profile as I use both bash and zsh (don't have both, as then only .bash_profile will be read)
  • I check that keychain is executable with -x, as I have the same .profile on all machines (synced via a script)
  • I use rsa keys as I work with older ssh1 machines; dsa keys are preferable.

  • on machines where others are able to log in as root (and hence possibly piggyback onto your private key), keychain should be started with --clear in .profile and ssh-agent shouldn't be run. Use --nocolor on terminals that are not VT100 compatible
  • unless ~/.hushlogin exists, keychain will display a colourful message on login showing the known keys being loaded:
    Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL
     * Found existing ssh-agent (11703)
     * Known ssh key: /home/shamilton/.ssh/id_rsa

  • any ssh-using scripts started from crontab on keychain'd machines should include the following line at the start (cron does not read ~/.profile, so the agent variables are not inherited):
    source $HOME/.keychain/${HOSTNAME}-sh
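A fuller version of that cron-side line, as an added example rather than code from the post: it derives HOSTNAME itself (cron leaves it unset), refuses to source a keychain file it does not own or that others can write, and checks that the agent the file points at is still alive. It assumes keychain writes $HOME/.keychain/${HOSTNAME}-sh as `VAR=value; export VAR;` lines; KEYCHAIN_DIR is a hypothetical override used only so the logic can be exercised outside a real home directory.

```shell
#!/bin/sh
# Added example, not from the original post: a snippet a cron-started script
# sources to pick up the keychain-managed ssh-agent before calling ssh.
# Assumes keychain writes $HOME/.keychain/${HOSTNAME}-sh containing lines like
#   SSH_AUTH_SOCK=/tmp/ssh-XXXX/agent.11703; export SSH_AUTH_SOCK;
# KEYCHAIN_DIR is a hypothetical override used only so the logic can be tested.

# cron does not read ~/.profile, so HOSTNAME is usually unset in cron jobs;
# derive it the same way the .profile snippet above does.
keychain_env_file() {
    printf '%s/%s-sh\n' "${KEYCHAIN_DIR:-$HOME/.keychain}" "${HOSTNAME:-$(hostname)}"
}

# The env file is executed with ".", which is code execution as our user, so
# only accept a file we own that nobody else can write (same root-piggybacking
# concern as the --clear note above).
keychain_file_trusted() {
    [ -f "$1" ] &&
    [ -n "$(find "$1" -user "$(id -un)" ! -perm -020 ! -perm -002 2>/dev/null)" ]
}

# A stale file (previous boot, killed agent) still sources cleanly; check that
# the socket exists and the agent process is alive before relying on it.
agent_alive() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ] &&
    [ -n "${SSH_AGENT_PID:-}" ] && kill -0 "$SSH_AGENT_PID" 2>/dev/null
}

# Exit status: 0 agent ready, 1 agent gone (re-login needed), 2 no usable file.
load_keychain_agent() {
    _f=$(keychain_env_file)
    if ! keychain_file_trusted "$_f"; then
        echo "no trusted keychain file at $_f; log in interactively first" >&2
        return 2
    fi
    # shellcheck disable=SC1090
    . "$_f"
    if ! agent_alive; then
        echo "ssh-agent recorded in $_f is not running; keys need re-adding" >&2
        return 1
    fi
    return 0
}

# Typical use at the top of a cron job:
#   . "$HOME/bin/cronenv.sh" && load_keychain_agent || exit 1
```

A non-zero exit here is the signal to look at (the job will otherwise fail on every ssh call with a password prompt it cannot answer), so keep the stderr line in the cron mail rather than silencing it.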

[Off Topic] To manually load keys into ssh-agent, typically on admin servers or non-X machines when not using keychain:

    eval `ssh-agent`
    ssh-add

[Off Topic] When ssh'ing between multiple machines, ForwardAgent yes must be set in /etc/ssh/ssh_config. Otherwise add it to ~/.ssh/config, or start ssh as ssh -A. Note that a forwarded agent is usable by root on the intermediate machine, so the same piggybacking caveat as above applies there.

2 Comments

  1. I was stuck when trying to use keychain from crontab and here is the solution.
    Thanks friend :)

    Comment by thinlight — 24 December 2007 @ 17:54

  2. [...] Source keychain credentials in Perl Filed under: Perl, Ssh — Sonia @ 12:16 I use keychain for securely caching my ssh key credentials when running scripts from cron. [...]

    Pingback by Source keychain credentials in Perl « sonia hamilton – life on the digital bikepath – sonia@snowfrog.net — 9 June 2009 @ 12:16
