That's a great clarification, for which I cannot thank you enough. I will look up SSH Agent Forwarding and start getting the hang of it. The CentOS list is a tremendous help for situations like these! :)

On Sun, Jan 16, 2011 at 12:22 AM, Cameron Kerr <cameron@xxxxxxxxxxxxxx> wrote:
>
> On 16/01/2011, at 2:12 PM, bluethundr wrote:
>
>> Hello and thanks for your reply!
>>
>> Well, I took your advice and removed that keychain scriptlet from
>> .bashrc and put it into .bash_profile. Not sure what the functional
>> difference between the two would be. Perhaps you would care to
>> elaborate? I know that rc stands for "resource configuration" but
>> other than that I don't know why this statement would be more
>> appropriate in the .bash_profile. However, you do seem well versed in
>> this and I hope you don't mind answering this question.
>>
>
> .bash_profile is executed for login shells (followed by .bashrc).
>
> .bashrc is executed for non-login shells as well.
>
> .bash_profile should therefore be used for session setup tasks.
>
>> So this is what I put into my .bash_profile
>>
>> $(keychain --eval --agents ssh id_rsa)
>>
>> and here is an ssh session from after when I did this:
>>
>> [bluethundr@LCENT01:~]#bash
>> [bluethundr@LCENT01:~]#ssh-agent
>> SSH_AUTH_SOCK=/tmp/ssh-cBwwRR5466/agent.5466; export SSH_AUTH_SOCK;
>> SSH_AGENT_PID=5467; export SSH_AGENT_PID;
>
> Here you are not actually starting the ssh-agent in the background (which explains why it is outputting environment variables). You should give it a second parameter to tell it which program to launch.
>
> ssh-agent bash
>
> However, this will cause the parent shell to become redundant, so you want to instead replace it with the shell that ssh-agent starts (that shell has the environment variables set appropriately).
>
> exec ssh-agent bash
>
> Now when you use ssh-add, it should be able to see the agent.
>
>> echo Agent pid 5467;
>> [bluethundr@LCENT01:~]#ssh-add
>> Could not open a connection to your authentication agent.
>> [bluethundr@LCENT01:~]#exec ssh-agent bash
>> [bluethundr@LCENT01:~]#ssh-add
>> Enter passphrase for /home/bluethundr/.ssh/id_rsa:
>> Identity added: /home/bluethundr/.ssh/id_rsa (/home/bluethundr/.ssh/id_rsa)
>>
>> So this behavior did not change. I still have to enter my passphrase
>> again after I put this into my .bash_profile
>>
>
> Of course. The passphrase is important because it encrypts the private key. This, presumably, is why you are using the 'keychain' program, which is typically used to have a key unlocked manually by a system administrator (e.g. after boot), so that cron jobs, etc., can access it.
>
>>
>> [bluethundr@LCENT01:~]#ssh virt1
>> Last login: Sat Jan 15 11:51:08 2011 from 192.168.1.42
>> #########################################################
>> # SUMMITNJHOME.COM #
>> # TITLE: LB1 BOX #
>> # HOST: VIRTCENT01 #
>> # LOCATION: SUMMIT BASEMENT #
>> #########################################################
>>
>> * keychain 2.7.0 ~ http://www.funtoo.org
>> * Found existing ssh-agent: 27556
>> * Adding 1 ssh key(s): /home/bluethundr/.ssh/id_rsa
>> Enter passphrase for /home/bluethundr/.ssh/id_rsa:
>> Bad passphrase, try again for /home/bluethundr/.ssh/id_rsa:
>> * ssh-add: Identities added: /home/bluethundr/.ssh/id_rsa
>>
>> This is new... now I get prompted for the passphrase AGAIN once I reach
>> the server I am ssh'ing in to.
>
> This is why ssh-add (and presumably also 'keychain') should NOT be included in your ~/.bash_profile or ~/.bashrc (or similar).
> SSH Agent Forwarding is the correct way to approach this problem: it generally increases system security (keys become easier to manage) and reduces user support requirements.
>
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
>

-- 
GPG me!!

gpg --keyserver pgp.mit.edu --recv-keys F186197B
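The pattern the thread arrives at (one agent per login session started from .bash_profile, ssh-add run by hand, agent forwarding for the hop to virt1) written out as shell functions. This is an added example, not code from the thread, from CentOS or from keychain. It assumes OpenSSH's `ssh-agent -s` output format (the text bluethundr saw printed) and `ssh-add -l` exit codes (0 = keys loaded, 1 = agent reachable but empty, 2 = no agent); `AGENT_ENV`, the function names and the `~/agent-helpers.sh` path are hypothetical. Two points the thread does not spell out: checking for an existing agent first avoids the one-agent-per-shell sprawl that `exec ssh-agent bash` alone produces in nested shells, screen or tmux, and `ForwardAgent` is emitted per host rather than under `Host *` because anyone with root on the remote host can use the forwarded agent socket for as long as you are connected.

```shell
# Added example (not from the CentOS thread or keychain). Assumes OpenSSH's
# `ssh-agent -s` output and `ssh-add -l` exit codes; AGENT_ENV and the
# function names are hypothetical choices.

set -u

AGENT_ENV="${AGENT_ENV:-${HOME:-.}/.ssh/agent.env}"   # hypothetical path

# ssh-agent with no command argument prints shell code such as
#   SSH_AUTH_SOCK=/tmp/ssh-cBwwRR5466/agent.5466; export SSH_AUTH_SOCK;
#   SSH_AGENT_PID=5467; export SSH_AGENT_PID;
#   echo Agent pid 5467;
# Pull the two values out instead of eval'ing the text blindly.
# Prints "<socket> <pid>"; returns 1 if either is missing or pid is not numeric.
parse_agent_output() {
    local sock pid
    sock=$(printf '%s\n' "$1" | sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p')
    pid=$(printf '%s\n' "$1" | sed -n 's/^SSH_AGENT_PID=\([^;]*\);.*/\1/p')
    [ -n "$sock" ] && [ -n "$pid" ] || return 1
    case "$pid" in *[!0-9]*) return 1 ;; esac
    printf '%s %s\n' "$sock" "$pid"
}

# 0 when an agent answers on $SSH_AUTH_SOCK, 1 otherwise.
agent_reachable() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ] || return 1
    command -v ssh-add >/dev/null 2>&1 || return 0   # socket exists, cannot probe further
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -ne 2 ]
}

# Reuse an agent from the environment, then from AGENT_ENV, and only then
# start a new one. Keys are NOT added here: ssh-add stays interactive so the
# passphrase is never typed into a profile script.
start_or_reuse_agent() {
    local out parsed
    agent_reachable && return 0
    if [ -r "$AGENT_ENV" ]; then
        . "$AGENT_ENV"
        agent_reachable && return 0
    fi
    out=$(ssh-agent -s) || return 1
    parsed=$(parse_agent_output "$out") || return 1
    SSH_AUTH_SOCK=${parsed% *}
    SSH_AGENT_PID=${parsed#* }
    export SSH_AUTH_SOCK SSH_AGENT_PID
    # 0600: the file names a socket that grants key use to whoever can open it.
    ( umask 077
      printf 'SSH_AUTH_SOCK=%s; export SSH_AUTH_SOCK;\nSSH_AGENT_PID=%s; export SSH_AGENT_PID;\n' \
          "$SSH_AUTH_SOCK" "$SSH_AGENT_PID" > "$AGENT_ENV" )
}

# Per-host ssh_config stanza. Opt-in per host, never under "Host *":
# root on the remote host can drive the forwarded agent while you are connected.
forward_agent_config() {
    printf 'Host %s\n    ForwardAgent yes\n' "$1"
}

# Usage, in ~/.bash_profile (login shells only, as Cameron explains):
#   . ~/agent-helpers.sh && start_or_reuse_agent
# then run `ssh-add` by hand once per login, and keep the private key off
# virt1 by forwarding the agent to that host only:
#   forward_agent_config virt1 >> ~/.ssh/config
```

With this in place a second `bash`, a tmux pane or an `ssh virt1` hop all see the same agent, and the remote keychain banner from the thread goes away because there is no key on virt1 to unlock.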