HOWTO: Load ssh Key at KDE Startup

The ssh program allows you to securely access systems across the network. By default ssh prompts you for your password on the remote system. If you set up a secure key, you can skip the password prompts.

For instance:

$ ssh lefty.soaustin.net uname -a
Linux lefty.soaustin.net 2.6.26-2-686 #1 SMP Fri Aug 14 01:27:18 UTC 2009 i686 GNU/Linux

In this example I ran the uname command on the remote system lefty.soaustin.net. Since I've set up a secure ssh key, the command ran without prompting for a password.

Here is an easy -- but bad! -- procedure for setting up your ssh key: http://oreilly.com/pub/h/66

The problem with this procedure is that it tells you to create the key without a passphrase. The passphrase prevents unauthorized access to your ssh key. When your ssh key is secured by a passphrase, the key is useless to somebody who doesn't have the passphrase. If your ssh key does not have a passphrase, then every system you use is at risk if an attacker gets a hold of your key.

So, contrary to the instructions in that article, you should enter a passphrase when asked. That, unfortunately, makes the process a little more complicated, because now you have to unlock the key every time you start a session. You do that by running the ssh-add command, which will prompt you for the passphrase.

$ ssh-add
Enter passphrase for /home/chip/.ssh/id_dsa: (enter passphrase here)
Identity added: /home/chip/.ssh/id_dsa (/home/chip/.ssh/id_dsa)
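
If you already have keys, for instance ones made by following a no-passphrase procedure like the one linked above, the following added example (not part of the original article) reports which private keys in ~/.ssh have no passphrase by reading only the key file header. The function names key_body and key_protection are illustrative, and the script assumes keys are named ~/.ssh/id_* and that base64 accepts -d.

```sh
#!/bin/sh
# Added example (not from the original page): report which private keys
# in ~/.ssh have no passphrase, by reading the key file header only.

# Decode the base64 body of a key file (armor lines removed).
key_body() { grep -v '^-----' "$1" | tr -d '\r\n' | base64 -d 2>/dev/null; }

# key_protection FILE -> prints encrypted, unencrypted or unknown
key_protection() {
    first=$(head -n 1 "$1" 2>/dev/null | tr -d '\r')
    case $first in
    "-----BEGIN OPENSSH PRIVATE KEY-----")
        # Container starts "openssh-key-v1\0", then a length-prefixed
        # cipher name; the name "none" means the key is not encrypted.
        magic=$(key_body "$1" | dd bs=1 count=14 2>/dev/null)
        name=$(key_body "$1" | dd bs=1 skip=15 count=8 2>/dev/null |
               od -An -tx1 | tr -d ' \n')
        if [ "$magic" != "openssh-key-v1" ]; then echo unknown
        elif [ "$name" = "000000046e6f6e65" ]; then echo unencrypted
        else echo encrypted; fi ;;
    "-----BEGIN ENCRYPTED PRIVATE KEY-----")
        echo encrypted ;;   # PKCS#8 with a passphrase
    "-----BEGIN "*"PRIVATE KEY-----")
        # Legacy PEM (such as id_dsa) flags encryption in a Proc-Type header.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo encrypted
        else echo unencrypted; fi ;;
    *)  echo unknown ;;
    esac
}

# Check every private key in ~/.ssh; public halves (*.pub) are skipped.
for k in "$HOME"/.ssh/id_*; do
    case $k in *.pub) continue ;; esac
    [ -f "$k" ] || continue
    printf '%s: %s\n' "$k" "$(key_protection "$k")"
done
```

Any key reported as unencrypted can be used by whoever copies the file; running ssh-keygen -p -f on that key file adds a passphrase to it.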

If you run the KDE environment, you can skip the passphrase prompt by saving it in your secure KDE wallet. Here's how to do that.

First, install the ksshaskpass program. On Kubuntu (or similar Debian-based distributions) do this by running:

sudo aptitude install ksshaskpass

Second, create a KDE startup file that retrieves the passphrase from your wallet:

cat >~/.kde/Autostart/ssh-add.sh <<_EOT_
#!/bin/sh
export SSH_ASKPASS=/usr/bin/ksshaskpass
ssh-add </dev/null
_EOT_
chmod +x ~/.kde/Autostart/ssh-add.sh

Finally, run:

~/.kde/Autostart/ssh-add.sh

The first time you run this it will prompt for your ssh passphrase, unlock your ssh key, and save the passphrase to your KDE wallet. Subsequent times it will retrieve the passphrase from your wallet and unlock your ssh key -- without any prompts.

Now you can run ssh safely and securely, without any password prompts. That's because the key is protected by a passphrase that we keep stored in the KDE secure wallet.