Gentoo Archives: gentoo-doc-cvs

From: "Joshua Saddler (nightmorph)" <nightmorph@g.o>
To: gentoo-doc-cvs@l.g.o
Subject: [gentoo-doc-cvs] gentoo commit in xml/htdocs/doc/en/articles: openssh-key-management-p2.xml
Date: Wed, 20 Oct 2010 00:04:10
Message-Id: 20101020000357.95FDA20054@flycatcher.gentoo.org
1 nightmorph 10/10/20 00:03:57
2
3 Modified: openssh-key-management-p2.xml
4 Log:
5 update part 2 of the 'openssh key management' article. keychain works differently now, with different files created and sourced. added new code comments and GuideXML tags, as well. bug 341815. note that part 3, which also mentions the old functionality, will not be updated per comment 1.
6
7 Revision Changes Path
8 1.6 xml/htdocs/doc/en/articles/openssh-key-management-p2.xml
9
10 file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/doc/en/articles/openssh-key-management-p2.xml?rev=1.6&view=markup
11 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/doc/en/articles/openssh-key-management-p2.xml?rev=1.6&content-type=text/plain
12 diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/doc/en/articles/openssh-key-management-p2.xml?r1=1.5&r2=1.6
13
14 Index: openssh-key-management-p2.xml
15 ===================================================================
16 RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/articles/openssh-key-management-p2.xml,v
17 retrieving revision 1.5
18 retrieving revision 1.6
19 diff -u -r1.5 -r1.6
20 --- openssh-key-management-p2.xml 26 Apr 2010 19:32:18 -0000 1.5
21 +++ openssh-key-management-p2.xml 20 Oct 2010 00:03:57 -0000 1.6
22 @@ -1,5 +1,5 @@
23 <?xml version='1.0' encoding="UTF-8"?>
24 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/articles/openssh-key-management-p2.xml,v 1.5 2010/04/26 19:32:18 nightmorph Exp $ -->
25 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/articles/openssh-key-management-p2.xml,v 1.6 2010/10/20 00:03:57 nightmorph Exp $ -->
26 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
27
28 <guide link="/doc/en/articles/openssh-key-management-p2.xml" disclaimer="articles">
29 @@ -26,8 +26,8 @@
30 document is an updated version of the original article, and contains
31 various improvements made by the Gentoo Linux Documentation team -->
32
33 -<version>1.3</version>
34 -<date>2010-04-26</date>
35 +<version>1.4</version>
36 +<date>2010-10-19</date>
37
38 <chapter>
39 <title>Introducing ssh-agent and keychain</title>
40 @@ -180,37 +180,44 @@
41
42 <p>
43 Here's a run-through of how keychain works. When started from your
44 -<path>~/.bash_profile</path>, it will first check to see whether an ssh-agent
45 -is already running. If not, then it will start ssh-agent and record the
46 -important SSH_AUTH_SOCK and SSH_AGENT_PID variables in the
47 -<path>~/.ssh-agent</path> file for safe keeping and later use. Here's the best
48 -way to start keychain; like using plain old ssh-agent, we perform the necessary
49 -setup inside <path>~/.bash_profile</path>:
50 +<path>~/.bash_profile</path>, it will first check to see whether an ssh-agent is
51 +already running. If not, then it will start ssh-agent and record the important
52 +SSH_AUTH_SOCK and SSH_AGENT_PID variables in the
53 +<path>~/.keychain/&lt;hostname&gt;-sh</path> file for safe keeping and later
54 +use. Here's the best way to start keychain; like using plain old ssh-agent, we
55 +perform the necessary setup inside <path>~/.bash_profile</path>:
56 </p>
57
58 <pre caption="Settings for ssh-agent in ~/.bash_profile">
59 #!/bin/bash
60 -#example ~/.bash_profile file
61 +
62 +<comment># example ~/.bash_profile file</comment>
63 /usr/bin/keychain ~/.ssh/id_rsa
64 -#redirect ~/.ssh-agent output to /dev/null to zap the annoying
65 -#"Agent PID" message
66 -source ~/.ssh-agent > /dev/null
67 +
68 +<comment># redirect ~/.keychain/ output to /dev/null to zap the annoying
69 +# "Agent PID" message</comment>
70 +source ~/.keychain/&lt;hostname&gt;-sh > /dev/null
71 +
72 +<comment># the environment variables are stored using a hostname-shell file,
73 +# so replace &lt;hostname&gt; with your hostname, and the standard "sh" with
74 +# "csh" or "fish" if you use either of those shells</comment>
75 </pre>
76
77 <p>
78 -As you can see, with keychain we source the <path>~/.ssh-agent</path> file
79 -rather than evaluating output as we did when using ssh-agent directly. However,
80 -the result is the same -- our ever-important SSH_AUTH_SOCK is defined, and
81 -ssh-agent is running and ready for use. And because SSH_AUTH_SOCK is recorded
82 -in <path>~/.ssh-agent</path>, our own shell scripts and cron jobs can easily
83 -connect with ssh-agent just by sourcing the <path>~/.ssh-agent</path> file.
84 -keychain itself also takes advantage of this file; you'll remember that when
85 -keychain starts up, it checks to see whether an existing ssh-agent is running.
86 -If so, it uses the <path>~/.ssh-agent</path> file to acquire the proper
87 +As you can see, with keychain we source the
88 +<path>~/.keychain/&lt;hostname&gt;-sh</path> file rather than evaluating output
89 +as we did when using ssh-agent directly. However, the result is the same -- our
90 +ever-important SSH_AUTH_SOCK is defined, and ssh-agent is running and ready
91 +for use. And because SSH_AUTH_SOCK is recorded in <path>~/.keychain/</path>, our
92 +own shell scripts and cron jobs can easily connect with ssh-agent just by
93 +sourcing the <path>~/.keychain/&lt;hostname&gt;-sh</path> file. keychain itself
94 +also takes advantage of this file; you'll remember that when keychain starts up,
95 +it checks to see whether an existing ssh-agent is running. If so, it uses the
96 +appropriate file in <path>~/.keychain/</path> to acquire the proper
97 SSH_AUTH_SOCK setting, thus allowing it to use the existing agent rather than
98 -starting a new one. keychain will start a new ssh-agent process only if the
99 -<path>~/.ssh-agent</path> file is stale (points to a non-existent ssh-agent) or
100 -if <path>~/.ssh-agent</path> itself does not exist.
101 +starting a new one. keychain will start a new ssh-agent process only if the
102 +<path>~/.keychain/</path> file is stale (points to a non-existent ssh-agent) or
103 +if <path>~/.keychain/</path> itself does not exist.
104 </p>
105
106 </body>
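Review bot: the last sentence of this hunk says keychain starts a new agent only if "the ~/.keychain/ file is stale" or "~/.keychain/ itself does not exist", but ~/.keychain/ is a directory; the staleness check is on the per-host file named earlier in the same paragraph, so write ~/.keychain/<hostname>-sh in both places. In the <pre> block, `source ~/.keychain/&lt;hostname&gt;-sh > /dev/null` leaves a literal placeholder in code readers will paste into ~/.bash_profile; bash sets HOSTNAME (normally the same name keychain uses for the file), so `source ~/.keychain/$HOSTNAME-sh > /dev/null` runs unmodified, and guarding it with `[ -f ~/.keychain/$HOSTNAME-sh ] &&` avoids an error on a login where keychain did not write the file.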
107 @@ -236,11 +243,17 @@
108
109 <pre caption="Enabling keychain in ~/.bash_profile">
110 #!/bin/bash
111 -#on this next line, we start keychain and point it to the private keys that
112 -#we'd like it to cache
113 +
114 +<comment># on this next line, we start keychain and point it to the private keys that
115 +# we'd like it to cache</comment>
116 /usr/bin/keychain ~/.ssh/id_rsa ~/.ssh/id_dsa
117 -source ~/.ssh-agent > /dev/null
118 -#sourcing ~/.bashrc is a good thing
119 +
120 +<comment># the environment variables are stored using a hostname-shell file,
121 +# so replace &lt;hostname&gt; with your hostname, and the standard "sh" with
122 +# "csh" or "fish" if you use either of those shells</comment>
123 +source ~/.keychain/&lt;hostname&gt;-sh > /dev/null
124 +
125 +<comment># sourcing ~/.bashrc is a good thing</comment>
126 source ~/.bashrc
127 </pre>
128
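Review bot: the comment telling readers to replace "sh" with "csh" or "fish" does not belong in a ~/.bash_profile example: only the -sh file can be sourced by bash, so in this block the suffix is never anything else. Drop that remark here, and replace the literal placeholder with `$HOSTNAME` so the line works as written. Because this is ~/.bash_profile, an unconditional `source` prints an error on any login where keychain could not create the file (for instance before it is installed); `[ -f ~/.keychain/$HOSTNAME-sh ] && source ~/.keychain/$HOSTNAME-sh > /dev/null` is the safe form.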
129 @@ -254,7 +267,7 @@
130 Once you've configured your <path>~/.bash_profile</path> to call keychain at
131 every login, log out and log back in. When you do, keychain will start
132 ssh-agent, record the agent's environment variable settings in
133 -<path>~/.ssh-agent</path>, and then prompt you for passphrases for any private
134 +<path>~/.keychain/</path>, and then prompt you for passphrases for any private
135 keys specified on the keychain command-line in <path>~/.bash_profile</path>:
136 </p>
137
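Review bot: "record the agent's environment variable settings in ~/.keychain/" names the directory where the rest of this revision names the file; say ~/.keychain/<hostname>-sh here as well so readers know which file to look for.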
138 @@ -262,14 +275,14 @@
139
140 <p>
141 Once you enter your passphrases, you private keys will be cached, and keychain
142 -will exit. Then, ~/.ssh-agent will be sourced, initializing your login session
143 -for use with ssh-agent. Now, if you log out and log back in again, you'll find
144 -that keychain will find the existing ssh-agent process; it didn't terminate
145 -when you logged out. In addition, keychain will verify that the private key(s)
146 -you specified are already in ssh-agent's cache. If not, then you'll be prompted
147 -for the appropriate passphrases, but if all goes well, your existing ssh-agent
148 -will still contain the private key that you previously added; this means that
149 -you're not prompted for a password:
150 +will exit. Then, <path>~/.keychain/&lt;hostname&gt;-sh</path> will be sourced,
151 +initializing your login session for use with ssh-agent. Now, if you log out and
152 +log back in again, you'll find that keychain will find the existing ssh-agent
153 +process; it didn't terminate when you logged out. In addition, keychain will
154 +verify that the private key(s) you specified are already in ssh-agent's cache.
155 +If not, then you'll be prompted for the appropriate passphrases, but if all goes
156 +well, your existing ssh-agent will still contain the private key that you
157 +previously added; this means that you're not prompted for a password:
158 </p>
159
160 <figure link="/images/docs/l-ssh-2.gif" caption="Keychain finds an existing ssh-agent"/>
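Review bot: the unchanged first line of this paragraph still reads "you private keys" (should be "your private keys"), and the rewritten last line says "you're not prompted for a password" where the article otherwise consistently says "passphrase" for private keys; since the hunk rewrites the whole paragraph, fix both while here.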
161 @@ -291,12 +304,15 @@
162 will "hook in" to the exact same ssh-agent process each time. Don't forget that
163 you can also get your cron jobs and scripts to "hook in" to the running
164 ssh-agent process. To use ssh or scp commands from your shell scripts and cron
165 -jobs, just make sure that they source your <path>~/.ssh-agent</path> file
166 -first:
167 +jobs, just make sure that they source your
168 +<path>~/.keychain/&lt;hostname&gt;-shell</path> file first:
169 </p>
170
171 -<pre caption="Sourcing the ~/.ssh-agent file">
172 -$ <i>source ~/.ssh-agent</i>
173 +<pre caption="Sourcing the appropriate ~/.keychain/ file">
174 +<comment>(The environment variables are stored using a hostname-shell file, so replace
175 +&lt;hostname&gt; with your hostname, and the standard "sh" with "csh" or "fish"
176 +if you use either of those shells)</comment>
177 +$ <i>source ~/.keychain/&lt;hostname&gt;-sh</i>
178 </pre>
179
180 <p>
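Review bot: the prose says to source ~/.keychain/<hostname>-shell while the <pre> below shows ~/.keychain/<hostname>-sh; use the concrete -sh name in both (or say "the file for your shell"), because "-shell" reads as a literal suffix. This paragraph is specifically about cron jobs and shell scripts, and cron runs commands through /bin/sh by default, where `source` is a bashism and HOSTNAME is not set; the portable form is `. ~/.keychain/$(uname -n)-sh`, which is worth showing instead of (or next to) the bash-only `source` line.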