How can I permanently save a password-protected SSH key?

Making a password-protected SSH key persist across sessions and reboots

This is probably what you want: entering the key passphrase once makes it available for ever whenever you're logged in. It will work for most users who are using the Unity or Gnome desktops.

  • When you connect after adding the public key to the remote server, you'll get the GUI ssh-add dialog:

  • Expand the "Details" by clicking on the triangle, and you'll get the below. The default is "lock keyring when I log out", which requires you to enter the password once per session:

  • Change it to Automatically unlock...whenever I'm logged in, which means it will work whenever you have logged in to your session -- it's "controlled" by your user password. It will persist across reboots.

  • Enter the key passphrase once and that's it - the key is authenticated via the initial successful login to your desktop environment.


If you are using AwesomeWM

Tested with a fresh install of AwesomeWM in a fresh userid

  • By default, AwesomeWM uses ssh-agent:

    $ export | grep SSH
    declare -x SSH_AGENT_PID="5479"
    declare -x SSH_AUTH_SOCK="/tmp/ssh-fWCKNnPq5440/agent.5440"
    
  • To get the above steps to work, you must use gnome-keyring-daemon as the SSH authentication daemon, not ssh-agent. When you log in using lightdm, PAM starts gnome-keyring-daemon, which will try to unlock a login key with your unlock password, but you must add to your configuration to keep it running and use it.

  • Add the following to the end of your ~/.xprofile:

      #!/bin/bash
      # Start gnome-keyring-daemon (or attach to the one PAM already started)
      # and print the variables it wants exported; eval sets them here.
      eval $(gnome-keyring-daemon --start)
      # Export them so the session and everything it spawns talks to the
      # keyring's SSH agent socket instead of ssh-agent's.
      export SSH_AUTH_SOCK
      export GNOME_KEYRING_PID
      export GNOME_KEYRING_CONTROL


The commands in the ~/.xprofile file will be executed by xsession before starting the awesome window manager and will tie it to the gnome-keyring-daemon --login process started by PAM through the above environment variables.

  • Log out back to lightdm and log back in, and now when you do ssh user@host, you should get the above popups -- use those to decode your private keys in ~/.ssh/ and save your private keys to the gnome-keyring login keyring.

The general solution for any window manager/desktop environment

  • is to use gnome-keyring-daemon instead of ssh-agent. For this, you need to be running gnome-keyring-daemon and have it initialized and either do this after ssh-agent is started or not start ssh-agent at all.

  • ssh (actually ssh-add) decides which authentication agent to call based on the value of the SSH_AUTH_SOCK environment variable, which can be checked by typing export | grep SOCK.

  • this is of the form SSH_AUTH_SOCK=/tmp/ssh-MMFyVlI22130/agent.22130 for ssh-agent (NOT what you want to be able to save your key)

  • but of the form SSH_AUTH_SOCK="/tmp/keyring-mEQB5g/ssh" for gnome-keyring-daemon (which you want)

  • so check the value, and check with ps aux | grep keyring that gnome-keyring-daemon is running, and if so, initialize it with the results of gnome-keyring-daemon --start.

  • you can then check the associated saved identities in the console by typing ssh-add -l -- if it shows "no agent" then you made a mistake configuring gnome-keyring-daemon.
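The two checks in this answer (which agent owns SSH_AUTH_SOCK, and what ssh-add -l reports) as an added script, not code from the original answer; the socket path patterns are the ones quoted above plus the /run/user/<uid>/keyring/ssh form newer gnome-keyring releases use, and the ssh-add exit codes are OpenSSH's documented ones (0 identities, 1 none, 2 no agent).

```shell
#!/bin/sh
# Added example: classify the agent behind SSH_AUTH_SOCK and interpret
# `ssh-add -l`, the checks described in the answer above.

# Which agent does a socket path belong to? Judged by the path patterns the
# answer quotes; /run/user/<uid>/keyring/ssh is the XDG_RUNTIME_DIR form.
classify_agent_sock() {
  case "$1" in
    "")                                         echo unset ;;
    /tmp/ssh-*/agent.*)                         echo ssh-agent ;;
    /tmp/keyring-*/ssh|/run/user/*/keyring/ssh) echo gnome-keyring ;;
    *)                                          echo unknown ;;
  esac
}

# Meaning of the exit status of `ssh-add -l`: 0 = agent reachable with
# identities loaded, 1 = agent reachable but empty, 2 = could not contact
# any agent (the "no agent" case in the answer).
describe_ssh_add_status() {
  case "$1" in
    0) echo "agent reachable, identities loaded" ;;
    1) echo "agent reachable, no identities loaded" ;;
    2) echo "no agent: SSH_AUTH_SOCK is wrong or the daemon is not running" ;;
    *) echo "ssh-add failed with status $1" ;;
  esac
}

# Run the checks against the current environment and report.
report_agent() {
  sock="${SSH_AUTH_SOCK:-}"
  printf 'SSH_AUTH_SOCK=%s -> %s\n' "$sock" "$(classify_agent_sock "$sock")"
  if [ -n "$sock" ] && [ ! -S "$sock" ]; then
    echo "warning: socket path does not exist; the variable is stale"
  fi
  # Same check as `ps aux | grep keyring`, without matching the grep itself.
  pgrep -x gnome-keyring-daemon >/dev/null 2>&1 \
    && echo "gnome-keyring-daemon is running" \
    || echo "gnome-keyring-daemon not running (or pgrep unavailable)"
  if command -v ssh-add >/dev/null 2>&1; then
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    echo "ssh-add -l: $(describe_ssh_add_status "$rc")"
  else
    echo "ssh-add not installed"
  fi
}

report_agent
```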


If you are using Unity, or a session manager that starts gnome-keyring-daemon, you can simply use Seahorse (Passwords and Keys) to establish a key, define what it is for, set a passphrase, and distribute its public key to the computer you are going to use with ssh. No terminal commands are necessary.

You create the password by:

  1. selecting File->New and select Secure Shell Key. Press Continue.

  2. Type in a descriptive name, and select Create and set up.

  3. You will be prompted to enter a keyphrase twice (the second time to check that you didn't mis-enter it the first time).

  4. Enter the computer to which the public key should be used and the user name on that computer for which you will be using the key. The public key will be copied to that other computer, prompting for your password on that computer if necessary.

Now the My Personal Keys tab will display the key.

Assuming gnome-keyring-daemon was started properly when you logged into Lightdm, and again by your session manager, when you first use the key with ssh you will be prompted for the keyphrase. In this dialog box you can provide the keyphrase, select the Details control and ask that the keyring be unlocked whenever you are logged in, automatically providing this key. Press OK.

You may not be prompted in this way if there is another key available for logging into the remote computer.

After this has been accomplished the first Seahorse tab Passwords will list an "Unlock password entry" for the key name. Click on the triangle before "Passwords: Login" to see it.


The solution to your problem is using the ssh agent. You just have to unlock the password of your key once; after that it's retained in memory by the agent and used automatically.

  • Generate a private/public key pair with ssh-keygen -t dsa
  • Copy the public key to the remote machine, usually this is ~/.ssh/authorized_keys (use ssh-copy-id for this)
  • Run ssh-add before logging in to the remote system; this will ask for your passphrase and store it
  • Login to the remote system, no password necessary

ssh-agent is described well on the net, for example here:

  • http://grantingram.wordpress.com/2007/11/25/ubuntu-and-ssh-agent/
  • http://www.unixwiz.net/techtips/ssh-agent-forwarding.html#agent

Another advantage of ssh-agent is that if you log in to the remote system with ssh -A [email protected] you can further ssh from the domain.name computer to a third computer containing your public key without ever copying your private key to the domain.name computer (and it never sees your private key, only the one-time challenge/response).