Keychain/zh-cn

Article description::本文档描述了如何将 SSH 共享密钥与钥匙串程序一起使用. 它假定你具备公钥密码学的基本知识.

Keychain is a frontend to and, allowing long running sessions and letting the user enter passphases just once. It can also be used to allow scripts access to SSH connections.

手头问题
必须在每个系统上输入登录密码很不方便，尤其是在管理多个系统的情况下. 一些管理员甚至可能需要一个脚本或定时任务，或需要一种便捷方法使用 ssh 连接. 无论哪种方式，这个问题都有一个解决方案，它从公钥认证开始.

公钥认证是如何工作的？
假设客户端想要连接到服务器上的 ssh 守护程序. 客户端首先生成一个密钥对并将公钥提供给服务器. 之后，每当客户端尝试连接时，服务器都会发送一个使用该公钥加密的质询. 只有相应私钥的持有者（客户端）才能对其进行解密，正确的响应才能成功通过身份验证.

生成密钥对
第一步是创建密钥对. 为此，请使用 命令：

接受默认值，并确保输入强密码.

生成结束后，私钥应位于 ，公钥应位于. 现在可以将公钥复制到远程主机.

Adding or changing a passphrase for the private key can be done as follows:

准备服务器
The file needs to be copied over to the server running. It has to be added to the file that belongs the connecting user on the remote server. After access to the server has been granted by infrastructure personnel, the following steps can be used to setup automatic login using a public key on the remote server:

是这些步骤的包装脚本. 如果此包装脚本不可用，则使用以下步骤：

最后一行的输出应显示 文件的内容. 确保输出看起来正确.

测试设置
从理论上讲，如果一切顺利，并且服务器上的 守护程序允许（因为可以配置），那么现在应该可以在服务器上访问  而无需输入密码. 客户端上的私钥仍需使用之前的密码解密，但这不应与服务器上用户的密码混淆.

It should have asked for a passphrase for, and then grant access via as the user   on the server. If not, login as, and verify that the contents of  has each entry (which is a public key) on a single line. It is also a good idea to check the sshd configuration to make sure that it allows to use public key authorization when available.

At this point, readers might be thinking, "What's the point, I just replaced one password with another?!" Relax, the next section will show exactly how we can use this to only enter the passphrase once and re-use the (decrypted) key for multiple logins.

使用 ssh-agent 进行典型的密钥管理
下一步是解密私钥一次即可自由获取 ssh 的能力而无需任何密码. 这正是程序 的用途.

is usually started at the beginning of the X session, or from a shell startup script like. It works by creating a UNIX socket, and registering the appropriate environment variables so that all subsequent applications can take advantage of its services by connecting to that socket. Clearly, it only makes sense to start it in the parent process of an X session to use the set of decrypted private keys in all subsequent X applications.

When running, it should output the PID of the running ssh-agent, and also set a few environment variables, namely SSH_AUTH_SOCK and SSH_AGENT_PID. It should also automatically add to its collection and ask the user for the corresponding passphrase. If other private keys exist which need to be added to the running ssh-agent, use the command:

魔法时刻. 准备好解密的私钥后，ssh 进入（配置了公钥）服务器而无需输入任何密码：

为了关闭 ssh-agent（这样需要稍后再次输入密码）：

To get even more convenience from ssh-agent, proceed to the next section on using keychain. Be sure to kill the running ssh-agent as keychain will handle the sessions itself.

Squeezing the last drop of convenience out of ssh-agent
Keychain will allow to reuse an between logins, and optionally prompt for passphrases each time the user logs in. Let's emerge it first:

Assuming that was successful, can now be used.

Add the following to the shell initialization file (,, or similar) to enable it:

Now test it. First make sure the processes from the previous section are killed, then start up a new shell, usually by just logging in, or spawning a new terminal. It should prompt for the password for each key specified on the command line.

All shells opened after that point should reuse the, allowing to use passwordless SSH connections over and over.

在 Plasma 5 中使用钥匙串
对于 Plasma 5 用户，相比使用 ，可以让 Plasma 为他们管理 ssh-agent. 为此，请编辑在 Plasma 启动期间读取的 和在其关闭期间执行的  文件. 以下是编辑这些文件的方法：

Here is how one could edit those files:

现在，要做的就是选择启动一个终端，类似 ，并加载正确的密钥集以供使用. 例如：

The keys will be remembered until the end of the Plasma session (or until the process is killed manually).

Alternatively use KWallet with kde-plasma/ksshaskpass under Plasma 5
You can also have Plasma automatically ask you for your passphrase upon desktop login. Emerge kde-plasma/ksshaskpass, which will set up an environment variable to use the ksshaskpass application whenever ssh-add is run outside of a terminal. Then create a script as follows, and install it via the Plasma -> System Settings -> Startup and Shutdown -> Autostart.

安全注意事项
当然，使用 ssh-agent 可能会使系统略微不安全. 如果其他用户获得了使用活动 Shell 的权利，该用户将可以不使用密码登录到所有服务器. 因此，这是对服务器的风险. 如有必要，使用者应该求助于本地安全策略（若有的话）. 记得采取适当的行动来确保每个会话都足够安全.

故障排除
其中大部分应该工作得很好，但如果确实出现问题，那么以下条目可能会有所帮助.


 * If connecting without does not seem to work, consider using ssh with the   options to find out what's happening. Sometimes the server is not configured to use public key authentication, sometimes it is configured to ask for local passwords anyway! If that is the case, try using the   option with, or change the server's.
 * If connecting with or  does not seem to work, then it may be that the current shell does not understand the commands used. Consult the man pages for ssh-agent and keychain for details on working with other shells.

外部资源

 * The official Keychain project page at Funtoo.org.
 * IBM developerWorks article series introducing the concepts behind Keychain.