Stop Entering Your SSH Passphrase All The Time

in #technology, 6 years ago

You use SSH every day. You check out Git repositories, connect to servers, and rsync a backup of your priceless home directory to remote machines for archiving and syncing. Because you know the importance of security, you never use password authentication but an RSA public-private keypair of at least 4096 bits, encrypted with a passphrase only you know.

You are great. But you also waste time and patience, because you enter the same single passphrase every time your computer wants to use SSH. Is it more secure if you need to enter it every time? Probably not. The chance of someone figuring out (or keylogging) your passphrase is high enough, but I have also heard of people who keep their passphrase in the clipboard for fast entry. Wow.

There is a simple, secure and elegant way to save your passphrase in-memory for your whole working session. Authentication agents like Pageant (Windows) or ssh-agent (OSX / Linux) can safely store your passphrase and provide it to the SSH application when it requests a passphrase for your key.

„No Talk. Just Solution.“

Here is how I use it on my Linux and OSX machines. It requires you to install something called an SSH agent frontend, which is basically a piece of software that talks to the ssh-agent for you. In return you get a very elegant solution that manages the ssh agent and gpg agents and works even outside of the environment scope (for cron jobs, etc.).

Using the frontend is optional and you can use the plain ssh-agent if you make sure to check for, inherit and run ssh-agent processes when needed. I strongly recommend using Keychain, though.
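The plain ssh-agent route mentioned above, as an added example that is not part of the original article: a ~/.bashrc fragment that checks for a reachable agent, inherits one started by an earlier shell, and starts a new one only when neither exists. The file `~/.ssh/agent.env`, the function names and the 8 hour key lifetime are assumptions chosen for illustration.

```bash
# Added example (not from the original article). AGENT_ENV, agent_status and
# ensure_agent are hypothetical names; the 8h lifetime is an assumed policy.
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# ssh-add -l exits 0 when the agent holds keys, 1 when the agent is
# reachable but empty, and 2 when no agent can be contacted.
agent_status() {
    ssh-add -l >/dev/null 2>&1
}

ensure_agent() {
    rc=0; agent_status || rc=$?

    # Check + inherit: no agent in this environment, but an earlier shell
    # may have started one and recorded its socket and PID.
    if [ "$rc" -eq 2 ] && [ -r "$AGENT_ENV" ]; then
        . "$AGENT_ENV" >/dev/null
        rc=0; agent_status || rc=$?
    fi

    # Run: still nothing reachable (no file, or a stale one), so start a
    # fresh agent. umask 077 keeps the env file readable by you only.
    if [ "$rc" -eq 2 ]; then
        (umask 077; ssh-agent -s > "$AGENT_ENV")
        . "$AGENT_ENV" >/dev/null
        rc=1
    fi

    # Agent is empty: unlock the key(s) once. -t bounds how long the agent
    # keeps the unlocked key, so a forgotten session does not hold it forever.
    if [ "$rc" -eq 1 ]; then
        ssh-add -t 8h "$@"
    fi
}

# Only prompt for a passphrase in interactive shells.
case $- in *i*) ensure_agent ;; esac
```

Arguments to `ensure_agent` are passed to `ssh-add` as key paths; with none, `ssh-add` loads its default key files.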

Installation & Configuration for Linux, OSX with Bash

I assume you have already installed SSH together with an SSH agent, which is the case on most systems. I also assume that you use Bash or can transfer this article to another shell of your choice.

  • Install keychain by Funtoo

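    # Run the one line that matches your package manager
    brew install keychain       # macOS (Homebrew)
    yum install keychain        # RHEL / CentOS / Fedora
    apt-get install keychain    # Debian / Ubuntu
    pacman -Syu keychain        # Arch Linux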
    

    (Or download and install manually from funtoo.org/Keychain)

  • Edit your ~/.bashrc and append the following line:

    eval "$(keychain --agents ssh --eval id_rsa)"
    

    (Here ssh is the agent you want to use and id_rsa stands for a list of paths to your private key(s).)

  • Re-open your shell or terminal emulator.

Keychain will ask you to enter your passphrase once and save it to the ssh-agent. You no longer need to enter your passphrase.

Use keychain --stop all to stop all agents. The next time you start bash or your terminal emulator (and effectively keychain) you will be asked to unlock your private key with your passphrase again.

Installation & Configuration for Windows

Because Windows has no stable built-in SSH client, we use an open-source tool called PuTTY. It comes bundled with an authentication agent called Pageant, which works the same way as the OpenSSH SSH agent for Linux and OSX.

  • Install PuTTY by Simon Tatham

    choco install putty
    

    (Or download and install manually from putty.org)

  • Open it and select Add... to load and unlock your private keys with your passphrases.

  • Use PuTTY like you would normally. It automatically detects the running Pageant authentication agent.
