Category: BSD
2007-12-28 03:17:21
Keychain
-----> what
The keychain bash script makes handling RSA and DSA keys both convenient and secure. It acts as a front-end to ssh-agent, allowing you to easily have one long-running ssh-agent process per system, rather than per login session. This dramatically reduces the number of times you need to enter your passphrase from once per new login session to once every time your local machine is rebooted.
keychain is started from ~/.bash_profile at login.
*http://www-106.ibm.com/developerworks/library/l-keyc.html
http://www-106.ibm.com/developerworks/linux/library/l-keyc2/
http://www-106.ibm.com/developerworks/linux/library/l-keyc3/
http://www-900.ibm.com/developerWorks/cn/linux/security/openssh/part1/index.shtml
*http://www-900.ibm.com/developerWorks/cn/linux/security/openssh/part1/index_eng.shtml
http://www-900.ibm.com/developerWorks/cn/linux/security/openssh/part2/index.shtml
http://www-900.ibm.com/developerWorks/cn/linux/security/openssh/part2/index_eng.shtml
-----> Download and install
Gentoo Linux
To install keychain on Gentoo, just run emerge keychain as root. Then, as a normal user, run keychain --help for setup instructions.
http://dev.gentoo.org/~rajiv/keychain/keychain-2.0.2-1.noarch.rpm
http://dev.gentoo.org/~rajiv/keychain/keychain-2.0.2-1.src.rpm
http://dev.gentoo.org/~rajiv/keychain/keychain-2.0.2-1.spec
1183410bac4a747cd9ae483a1f24b7c5 keychain-2.0.3.tar.bz2
5c26f5dce97818cacb4e183c2ea90f30 keychain-2.0.2-1.noarch.rpm
gpg --keyserver pgp.mit.edu --recv-key 302A3876 // Installs the public key used to sign the RPM.
rpm -K keychain-2.0.2-1.noarch.rpm // Both md5 and gpg should be "OK".
rpm -Uvh keychain-2.0.2-1.noarch.rpm // Installs the RPM.
Note: If your firewall blocks gpg connections to the keyserver, you can install the GPG key manually by running
wget -O - http://dev.gentoo.org/~rajiv/rajivmanglani-pubkey.asc | gpg --import
% l keychain-2.0.2-1.noarch.rpm
-rw-r--r-- 1 root root 12894 Mar 12 2003 keychain-2.0.2-1.noarch.rpm
% gpg --keyserver pgp.mit.edu --recv-key 302A3876
gpg: WARNING: --honor-http-proxy is a deprecated option.
gpg: please use "--keyserver-options honor-http-proxy" instead
gpg: requesting key 302A3876 from HKP keyserver pgp.mit.edu
gpg: key 302A3876: public key imported
gpg: Total number processed: 1
gpg: imported: 1
% rpm -K keychain-2.0.2-1.noarch.rpm
keychain-2.0.2-1.noarch.rpm: md5 gpg OK
% rpm -qipl keychain-2.0.2-1.noarch.rpm
Name : keychain Relocations: /usr/bin
Version : 2.0.2 Vendor: Gentoo Technologies, Inc.
Release : 1 Build Date: Thu 06 Mar 2003 04:21:33 PM CST
Install date: (not installed) Build Host: cvs.gentoo.org
Group : Applications/Internet Source RPM: keychain-2.0.2-1.src.rpm
Size : 26134 License: GPL v2
Packager : Rajiv Manglani
URL :
Summary : Keychain is a key management application for OpenSSH and commercial SSH2-compatible RSA/DSA keys.
Description :
Keychain is an extremely handy OpenSSH and commercial SSH2-compatible RSA/DSA
key management application. It acts as a front-end to ssh-agent, allowing you
to easily have one long-running ssh-agent process per system, rather than per
login session. This dramatically reduces the number of times you need to enter
your passphrase from once per new login session to once every time your local
machine is rebooted.
/usr/bin/keychain
/usr/share/doc/keychain-2.0.2
/usr/share/doc/keychain-2.0.2/ChangeLog
/usr/share/doc/keychain-2.0.2/README
% file /usr/bin/keychain
/usr/bin/keychain: Bourne shell script text executable
%
% keychain --help
Usage: /usr/bin/keychain [ options ] sshkey ...
Description:
Keychain is an OpenSSH key manager, typically run from ~/.bash_profile. When
run, it will make sure ssh-agent is running; if not, it will start ssh-agent.
It will redirect ssh-agent's output to ~/.keychain/[hostname]-sh, so that cron
jobs that need to use ssh-agent keys can simply source this file and make the
necessary passwordless ssh connections. In addition, when keychain runs, it
will check with ssh-agent and make sure that the ssh RSA/DSA keys that you
specified on the keychain command line have actually been added to ssh-agent.
If not, you are prompted for the appropriate passphrases so that they can be
added by keychain.
Typically, one uses keychain by adding the following to the top of their
~/.bash_profile (or ~/.zlogin, in case of zsh):
keychain ~/.ssh/id_rsa ~/.ssh/id_dsa
. ~/.keychain/${HOSTNAME}-sh
# alt. syntax: . ~/.keychain/`uname -n`-sh
# note the use of back-quotes (`) rather than single-quotes (') above.
# We now include the hostname (`uname -n`) in the keychain filename
# for NFS-compatibility.
You can make keychain work with your csh-compatible shell by adding the
following to your .cshrc:
keychain ~/.ssh/id_rsa ~/.ssh/id_dsa
source ~/.keychain/${HOSTNAME}-csh
Keychain allows all your apps and cron jobs to use a single ssh-agent process
as an authentication agent. By default, the ssh-agent started by keychain is
long-running and will continue to run, even after you have logged out from the
system. If you'd like to tighten up security a bit, take a look at the
--clear option, described below.
Options:
--clear
Tells keychain to delete all of ssh-agent's host keys. Typically, This is
used in the ~/.bash_profile. The theory behind this is that keychain should
assume that you are an intruder until proven otherwise. However, while this
option increases security, it still allows your cron jobs to use your ssh keys
when you're logged out.
--dir [directoryname]
Keychain will look in [directoryname] for the .keychain file, rather than your
home directory.
--noask
This option tells keychain do everything it normally does (ensure ssh-agent is
running, set up the ~/.keychain/[hostname]-{c}sh files) except that it will not
prompt you to add any of the keys you specified if they haven't yet been added
to ssh-agent.
--nocolor
This option disables color highlighting for non vt-100-compatible terms.
--stop | -k
This option tells keychain to stop all running ssh-agent processes, and then
exit.
--quiet | -q
This option tells keychain to turn off verbose mode and only print error
messages and interactive messages. This is useful for login scripts etc
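The help text above has cron jobs simply source ~/.keychain/[hostname]-sh; the guard below is an added example (not keychain's own code) that a cron-driven script can call first so it fails loudly when the agent that file describes is gone (for instance after keychain --stop or a reboot). It assumes only a POSIX sh and a keychain-written *-sh file of VAR=...; export VAR; lines.

```shell
#!/bin/sh
# agent_file_ok FILE
#   Sources FILE (the ~/.keychain/`uname -n`-sh file keychain writes from
#   ssh-agent's output) and verifies the agent it points to is still alive.
#   Exit status:
#     0  agent socket present and agent process running
#     1  FILE missing or unreadable (keychain never ran, or --dir differs)
#     2  SSH_AUTH_SOCK is not a socket (agent stopped, e.g. keychain --stop)
#     3  SSH_AGENT_PID is missing, non-numeric, or not a running process
#   Note: kill -0 also fails for a live pid owned by another user, which for
#   a per-user agent is the right answer as well.
agent_file_ok() {
    file=$1
    [ -r "$file" ] || { echo "agent_file_ok: cannot read $file" >&2; return 1; }
    # shellcheck disable=SC1090
    . "$file"
    [ -S "${SSH_AUTH_SOCK:-}" ] || {
        echo "agent_file_ok: no agent socket at '${SSH_AUTH_SOCK:-}'" >&2
        return 2
    }
    # Refuse an empty or non-numeric pid: "kill -0 0" would signal our own
    # process group and wrongly succeed.
    case ${SSH_AGENT_PID:-} in
        ''|*[!0-9]*) echo "agent_file_ok: no numeric SSH_AGENT_PID" >&2; return 3 ;;
    esac
    kill -0 "$SSH_AGENT_PID" 2>/dev/null || {
        echo "agent_file_ok: agent pid $SSH_AGENT_PID not running" >&2
        return 3
    }
    return 0
}

# Typical use at the top of a cron-driven script (path as in the help text):
#   agent_file_ok "$HOME/.keychain/$(uname -n)-sh" || exit 1
#   ssh-add -l >/dev/null || { echo "agent has no keys loaded" >&2; exit 1; }
#   ssh backup@host ...   # hypothetical job that relies on the agent's keys
```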