bash - Skip keychain without skipping the rest of .profile

07
2014-07
  • Kal

    I am using the keychain ssh-agent wrapper from funtoo.org.

    I have it loaded automatically by adding an eval line in my .profile. E.g.:

    eval `keychain --eval id_rsa github bitbucket`
    

    Sometimes, I log into the login shell for the first time (e.g. after a reboot) and don't want to be bothered with typing the passphrases to add the keys to ssh-agent right away because I'm lazy and I know I won't be using SSH during that session.

    If I press Ctrl-C, keychain and the whole rest of the .profile is skipped.

    Is there a built-in way to skip keychain without skipping the rest of .profile?

    My shell is Bash, by the way.

  • Answers
  • Cyrus

    Insert this line in your .profile before your eval ... line.

    trap "echo -e '\nkeychain skipped'" SIGINT
    

    You can still skip your eval ... with Ctrl+C. trap catches your Ctrl+C, shows some text and then continues in your .profile.

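    The same trap idea as a reusable .profile helper, as an added example that is not part of the original answer or of keychain: it generalises the one-line trap by restoring default SIGINT handling afterwards (so the trap does not linger for the whole login session) and by reporting whether the step was skipped. The `run_skippable`, `load_keys` and `fake_keychain_*` names are assumptions; the key names are the question's own, and the stand-in functions simulate Ctrl-C by signalling the current shell.

```shell
#!/bin/bash
# Added example, not from the original post or from keychain. A .profile
# helper that lets Ctrl-C skip one step while the rest of .profile keeps
# running, then puts SIGINT handling back to its default.

# Run "$@" in the current shell with SIGINT trapped. Returns 130 (128+SIGINT)
# if Ctrl-C arrived while it ran, otherwise the command's own exit status.
run_skippable() {
    local label=$1 skipped=0 rc=0
    shift
    # Single quotes: the trap body is expanded when the trap fires, so it
    # sees run_skippable's local variables. Recording the interrupt here is
    # what stops bash from abandoning the rest of .profile.
    trap 'skipped=1; printf "\n%s skipped\n" "$label"' INT
    "$@" || rc=$?
    trap - INT                  # default handling again: Ctrl-C behaves normally
    if [ "$skipped" -eq 1 ]; then
        return 130
    fi
    return "$rc"
}

# The question's keychain step, wrapped so it runs in the current shell and
# the variables keychain exports survive the call.
load_keys() {
    eval "$(keychain --eval id_rsa github bitbucket)"
}

# Constructed stand-ins so the helper can be exercised without keychain: one
# finishes normally, the other sends SIGINT to this shell, as Ctrl-C would.
fake_keychain_ok()          { export KEYCHAIN_TEST_LOADED=1; }
fake_keychain_interrupted() { kill -INT "$$"; }

# Usage in .profile (the rest of the file runs whether or not keychain was
# skipped):
#   run_skippable keychain load_keys
#   [ $? -eq 130 ] && echo "ssh keys not loaded; run load_keys later"
```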

  • Related Question

    osx - How to use Mac OS X Keychain with SSH keys?
  • John Topley

    I understand that since Mac OS X Leopard the Keychain has supported storing SSH keys. Could someone please explain how this feature is supposed to work.

    I have some RSA keys that I've generated stored in my ~/.ssh directory for accessing various servers. I don't have passphrases set on those keys. Currently in order to log in to those servers I use the following commands in the Terminal:

    eval `ssh-agent`
    ssh-add ~/.ssh/some_key_rsa
    ssh user@server
    

    (I've written some Bash functions to make this easier.)

    Is there a better way to do this using the Keychain?


  • Related Answers
  • Rudedog

    For it to work, the $SSH_AUTH_SOCK environment variable should be pointed to /tmp/launch-xxxxxx/Listeners. This is supposed to be done automatically when you log in. The listener on that socket speaks the ssh-agent protocol.

    Your bash scripts are starting your own ssh agent (spelled ssh-agent, not ssh_agent) and overriding the existing ssh-agent that is set up for you at login.

    Also, the whole point of the keychain is to store the passwords to your ssh keys, but you say that you don't have passphrases set on those keys, so I'm not sure what you are expecting out of the keychain integration.

    Finally, when you first log in, you probably won't see a ssh-agent process. That process will be started automatically by launch services the first time something tries to read that socket in /tmp.

  • 8088

    As of the Leopard release of OS X, ssh-agent is more tightly integrated with Keychain. It is possible to store the passphrases of all of your SSH keys securely in Keychain, from which ssh-agent will read them on startup. The bottom line is that it is simple to secure your keys with passphrases, but never have to type the passphrase to use them! Here is how:

    Add the pass phrase to each ssh key to keychain:

    ssh-add -K [path/to/private SSH key]
    

    Whenever you reboot your Mac, all the SSH keys in your keychain will be automatically loaded. You should be able to see the keys in the Keychain Access app, as well as from the command line via:

    ssh-add -l
    
  • simonair

    The answer by Jeff McCarrell is correct, except that the command to add the pass phrase contains an en dash instead of a hyphen, i.e. –K instead of -K, causing a message to the effect of –K: No such file or directory. It should read:

    ssh-add -K [path/to/private SSH key]
    
  • Olly

    I suspect you aren't using the default ssh command. Do you have ssh installed via ports? Try which ssh to see which ssh command you are using.

    Usually it should display a dialog box asking for your password, if it isn't already stored in your keychain.

  • orkoden

    I had a similar problem while trying to log in using a client ssh cert. In this specific case it was for accessing a git repository. This was the situation:

    • Key was saved in ~/.ssh/
    • The private key has a passphrase.
    • The passphrase is stored in the OS X login keychain. ~/Library/Keychains/login.keychain
    • The connection was as follows: my mac -> remote mac -> git/ssh server
    • Mac OS X 10.8.5

    When I connected to remote mac using remote desktop, I didn't have a problem. However when connecting with SSH to the remote mac, I was asked for the ssh passphrase every time. The following steps solved it for me.

    1. security unlock-keychain
       The passphrase is stored in the login keychain. This unlocks it and enables ssh-agent to access it.
    2. eval `ssh-agent -s`
       Starts ssh-agent for shell use. It will get the passphrase from the keychain and use it to unlock the private ssh key.
    3. Establish the ssh/git connection and do my work.
    4. eval `ssh-agent -k`
       Kill the running ssh-agent.
    5. security lock-keychain
       Lock the keychain again.
  • xaphod

    See also:

    security import priv_key.p12 -k ~/Library/Keychains/login.keychain
    security import pub_key.pem -k ~/Library/Keychains/login.keychain
    

    ... adding this note as more detail was requested: the "security" command is capable of importing keys (and other things) directly into Keychains. The nice thing is that, unlike ssh-add, you are able to specify the keychain. This makes it possible to import directly into the system Keychain ("man security" to learn how).