How to Manage Multiple SSH keys on Fedora KDE?

Passwords are cumbersome to remember, and annoying if you have to remember and present several of them several times per session. I started using SSH keys to remove the need to enter a password every time I push updates to my GitHub repository or make changes on my server.

This guide assumes that you are using Fedora's KDE flavor. If you are not, you had better be. For completeness, I have the following ssh packages installed on my system.

rpm -qa | grep ssh
fuse-sshfs-2.4-5.fc20.x86_64
ksshaskpass-0.5.3-6.fc20.x86_64
openssh-6.4p1-4.fc20.x86_64
openssh-clients-6.4p1-4.fc20.x86_64
libssh-0.6.3-1.fc20.x86_64
libssh2-1.4.3-9.fc20.x86_64
openssh-server-6.4p1-4.fc20.x86_64

We will be using several pieces of technology; their short definitions are as follows.

ssh – You probably know this but according to man pages it is an OpenSSH SSH client.

ssh-agent – It is the program that runs in the background and manages your multiple keys.

ssh-add – This small utility basically unlocks your ssh keys and adds them to ssh-agent.

ksshaskpass – This KDE program will provide a password prompt, through pinentry-qt, in your KDE environment.

With that out of the way, make sure ssh-agent is auto-started and running on your system. If ssh-agent is running, the following command will return a process ID.

echo $SSH_AGENT_PID

You also need to make sure that ksshaskpass is set to ask for the passphrase of your ssh keys. The assumption is that it already is. You can run the following command to make sure of that.

echo $SSH_ASKPASS

How to generate keys? There are a few strategies that you could employ to keep a sane ~/.ssh folder. Mine is to just add the server name to the key file name.

ssh-keygen -t rsa -b 4096 -C "example@example.com" -f ~/.ssh/test_ssh_key_1

ssh-keygen will generate a key of type rsa and save it to the file ~/.ssh/test_ssh_key_1 with your email id as a comment. You could have a long list of keys that can be easily identified as github_id_rsa.pub or bitbucket_id_rsa.pub, etc.

You can start using them right away by adding them to ssh-agent with the following command.

ssh-add ~/.ssh/test_ssh_key_1

It will ask for your password, and after that any command you type in your terminal will be executed by your server without a login password prompt.

We want access to our keys throughout a session and in every terminal session, so we need a script for that. A small note first: if you read SSH's documentation, the $SSH_ASKPASS program is only triggered if $SSH_ASKPASS is set and you are not in a terminal session. The easiest way to save your passwords in kwallet, so that you are never asked for them again, is to run the ssh-add commands through KRunner as follows.

ssh-add ~/.ssh/test_ssh_key_1
ssh-add ~/.ssh/test_ssh_key_2
ssh-add ~/.ssh/test_ssh_key_3

You will be asked to enter the password for each key. Make sure to check "remember password", and all your passwords will be saved in your encrypted kwallet.

Now we need a script to automate the aforementioned commands, which you will save as ~/.kde/Autostart/ksshaskpass.

#!/bin/sh
export SSH_ASKPASS=/usr/bin/ksshaskpass
ssh-add ~/.ssh/test_ssh_key_1 </dev/null
ssh-add ~/.ssh/test_ssh_key_2 </dev/null
ssh-add ~/.ssh/test_ssh_key_3 </dev/null

These commands will be executed at the beginning of each session, for keys whose passwords are already saved in kwallet, and /dev/null is used to suppress any warnings.

Also make sure to correct the file permissions of the auto-start script.

chmod 755 ~/.kde/Autostart/ksshaskpass

Log out and log back in, and you have access to all your keys without entering a single password.

You can easily check which keys are unlocked and being maintained by ssh-agent by running the following command.

ssh-add -l

Update:- It is a good idea to chmod the ~/.ssh folder, key files, config, and authorized_keys on the server.

chmod 700 ~/.ssh
chmod 600 ~/.ssh/config ~/.ssh/authorized_keys ~/.ssh/test_ssh_key_1
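
The permission rules from the update above, turned into a check you can rerun whenever you add a key. This is an added example, not part of the original post: the function names are made up for illustration, and it assumes GNU stat (stat -c), which Fedora ships.

```shell
#!/bin/sh
# Added example: audit the modes the guide sets with chmod 700 / chmod 600.
# Assumes GNU stat (stat -c), as shipped on Fedora. Function names are made up.

# Print the octal mode of a path, e.g. 600.
mode_of() { stat -c '%a' "$1"; }

# Succeed if group and other have no permission bits set (mode & 077 == 0).
owner_only() { [ $(( 0$(mode_of "$1") & 077 )) -eq 0 ]; }

# Succeed if the first line looks like a PEM/OpenSSH private key header.
is_private_key() {
    case "$(head -n 1 "$1" 2>/dev/null)" in
        "-----BEGIN "*"PRIVATE KEY-----") return 0 ;;
        *) return 1 ;;
    esac
}

# Audit DIR (default ~/.ssh). Prints one line per finding and returns
# non-zero if there is at least one.
audit_ssh_dir() {
    dir=${1:-"$HOME/.ssh"}
    findings=0
    if [ "$(mode_of "$dir")" != 700 ]; then
        printf 'DIR  %s is %s, expected 700\n' "$dir" "$(mode_of "$dir")"
        findings=$((findings + 1))
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "${f##*/}" in
            config|authorized_keys) kind=CONF ;;
            *) if is_private_key "$f"; then kind=KEY; else continue; fi ;;
        esac
        if ! owner_only "$f"; then
            printf '%-4s %s is %s, expected 600\n' "$kind" "$f" "$(mode_of "$f")"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Run the audit only when a directory is given: sh audit.sh ~/.ssh
if [ "$#" -gt 0 ]; then audit_ssh_dir "$1"; fi
```

Public keys (*.pub) and known_hosts are skipped on purpose, since only the private keys, config and authorized_keys need to be unreadable by other users.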