
keychain

Manage SSH keys conveniently and securely

TLDR

Check for a running ssh-agent, and start one if needed

$ keychain

Also check for (and manage) gpg-agent; the agent list is comma-separated with no spaces
$ keychain --agents gpg,ssh

List signatures of all active keys
$ keychain --list

List fingerprints of all active keys
$ keychain --list-fp

Set a lifetime, in minutes, for identities added to the agent (ssh-agent is started with -t, so keys expire and must be re-added)
$ keychain --timeout [minutes]

SYNOPSIS

keychain [options] [id_rsa id_dsa ...]

PARAMETERS

--agents ssh,gpg,kssh
    Comma-separated list of agents to start and manage. Default is 'ssh'; gpg-agent is only managed when 'gpg' is listed.

--dir DIRECTORY
    Use DIRECTORY instead of $HOME/.keychain for keychain's state files (the files that record the running agent's socket path and PID).

--eval
    Print the shell commands that export SSH_AUTH_SOCK and SSH_AGENT_PID for the running agent, in sh or csh syntax depending on $SHELL. Intended for use as eval $(keychain --eval ...) in a login script.

--help
    Display help information.

--nogpg
    Do not manage the gpg-agent.

--noksh
    Do not manage the kssh-agent.

--noauto
    Do not automatically add keys. The user will need to do this manually by calling 'ssh-add'.

--quiet
    Suppress informational messages.

id_rsa id_dsa ...
    Private key files to add to ssh-agent. A bare name such as id_rsa is looked up in ~/.ssh; a path is used as given.

DESCRIPTION

keychain is a shell script that acts as a front-end to ssh-agent and ssh-add. Its job is to keep one long-running ssh-agent per user per host alive across logins, terminals and shells, instead of spawning a fresh agent (and prompting for the passphrase again) every time a shell starts. On each invocation it looks for an agent it started earlier, starts one if none is running, adds the requested keys with ssh-add (prompting for passphrases only for keys not yet loaded), and writes the agent's SSH_AUTH_SOCK and SSH_AGENT_PID into a small file under ~/.keychain so that later shells, including non-interactive ones such as cron jobs, can attach to the same agent. The decrypted keys themselves are held only in ssh-agent's memory; keychain stores nothing but the connection details. Because it is normally invoked from .bashrc, .zshrc or a similar login script, keys loaded once at login remain available to SSH connections and Git operations until the agent is stopped, the keys time out, or the machine reboots.

CAVEATS

ssh-agent keeps the decrypted private keys (not the passphrase) in its memory for as long as it runs, and keychain deliberately keeps that agent running after you log out. Any process running as your user, and root, can reach the agent through the socket named in SSH_AUTH_SOCK and sign with your keys without knowing the passphrase; the key material cannot be read out, but it can be used. Treat a keychain-managed workstation accordingly: lock the screen, restrict who can become your user, and on shared or long-lived hosts limit the exposure with --timeout, with --confirm (keys are added with ssh-add -c, so each signature asks for confirmation), or by putting keychain --clear in .bash_profile so a new login starts with an empty agent.
The files under ~/.keychain hold only the agent's socket path and PID, never key material.
Keychain needs a line in your shell configuration files (see USAGE IN LOGIN SCRIPTS) to export the agent variables into each new shell.

CONFIGURATION

Keychain records the state of the agents it manages in ~/.keychain (or the directory given with --dir). The files are named after the host and the shell syntax they are written in: ~/.keychain/$HOSTNAME-sh, ~/.keychain/$HOSTNAME-csh and ~/.keychain/$HOSTNAME-fish for ssh-agent, and ~/.keychain/$HOSTNAME-sh-gpg (and the csh/fish variants) for gpg-agent. Each contains only the environment variables needed to connect to the running agent, in the same "VAR=value; export VAR;" form that ssh-agent -s prints, so a script that must not prompt (a cron job, for example) can attach to the agent with ". ~/.keychain/$HOSTNAME-sh" instead of running keychain.

USAGE IN LOGIN SCRIPTS

To start (or reuse) the agent and add keys at login, add a line like the following to your .bashrc, .zshrc, or equivalent shell configuration file:
eval $(keychain --eval --quiet id_rsa)
Replace id_rsa with the names of your private key files; bare names are looked up in ~/.ssh. --quiet suppresses the banner so that scp, rsync and other non-interactive sessions are not broken by stray output. For csh or tcsh use eval `keychain --eval id_rsa` with backticks; --eval emits csh syntax when $SHELL is a csh variant.
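The fragment below is an added example, not code from the keychain project or from this page, showing how a login script can use both mechanisms described above and in CONFIGURATION: interactive shells run keychain with a key timeout, while non-interactive shells (cron, scp, rsync) only attach to an agent that is already running, and only after verifying that the socket and PID recorded in ~/.keychain/$HOSTNAME-sh still belong to a live agent. It assumes the "VAR=value; export VAR;" file format that ssh-agent -s and keychain write, and the ssh-add -l exit codes (0 keys loaded, 1 agent empty, 2 agent unreachable). The key names id_ed25519 and id_rsa and the 120-minute timeout are example choices.

```shell
#!/bin/sh
# Added example (not keychain's own code). Assumptions: keychain writes
# ~/.keychain/$HOSTNAME-sh in "VAR=value; export VAR;" form; key names and
# the timeout are illustrative.

# Print one variable's value from a keychain/ssh-agent style env file.
# Returns 1 if the variable is not present in the file.
keychain_env_value() {
    var=$1
    file=$2
    val=$(sed -n "s/^${var}=\([^;]*\);.*/\1/p" "$file" 2>/dev/null | head -n 1)
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# Attach to a previously started agent without running keychain (no prompts).
# Returns 0 and exports SSH_AUTH_SOCK/SSH_AGENT_PID only if the recorded
# socket exists and the recorded PID is alive; a stale file from an agent
# that died (reboot, kill) is ignored rather than polluting the environment.
load_keychain_env() {
    file=${1:-"$HOME/.keychain/$(uname -n)-sh"}
    [ -r "$file" ] || return 1
    sock=$(keychain_env_value SSH_AUTH_SOCK "$file") || return 1
    pid=$(keychain_env_value SSH_AGENT_PID "$file") || return 1
    [ -S "$sock" ] || return 1
    kill -0 "$pid" 2>/dev/null || return 1
    SSH_AUTH_SOCK=$sock; export SSH_AUTH_SOCK
    SSH_AGENT_PID=$pid; export SSH_AGENT_PID
    return 0
}

# Classify the agent reachable from this shell using ssh-add -l's exit status:
# 0 = identities loaded, 1 = agent reachable but empty, 2 = cannot connect.
agent_state() {
    command -v ssh-add >/dev/null 2>&1 || { echo "no-ssh-add"; return 0; }
    ssh-add -l >/dev/null 2>&1
    case $? in
        0) echo "loaded" ;;
        1) echo "empty" ;;
        *) echo "unreachable" ;;
    esac
    return 0
}

# Interactive login: start or reuse the agent and load keys that expire after
# 120 minutes. Non-interactive shells must never prompt, so they only reuse.
if command -v keychain >/dev/null 2>&1; then
    case $- in
        *i*) eval "$(keychain --eval --quiet --timeout 120 id_ed25519 id_rsa)" ;;
        *)   load_keychain_env || : ;;   # no live agent: continue without one
    esac
fi
```

The --timeout value is passed through to ssh-agent -t, so keys vanish from the agent after the interval and the next interactive keychain run prompts for them again; lowering it is the cheapest way to shrink the window in which a compromised session can sign with your keys.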

HISTORY

Keychain was developed to address the need for persistent SSH key management across multiple login sessions. It evolved as a shell script wrapper around ssh-agent and ssh-add, streamlining the process of managing SSH keys and minimizing the need for repeated passphrase entry. It has become a popular tool for simplifying SSH key management on Linux and other Unix-like systems.

SEE ALSO

ssh-agent(1), ssh-add(1), gpg-agent(1)
