1keychain(1) http://www.funtoo.org keychain(1)
2
6 keychain - re-use ssh-agent and/or gpg-agent between logins
7
9 keychain [ -hklQqV ] [ --clear --confhost --help --ignore-missing --list --noask
10 --nocolor --nogui --nolock --quick --quiet --version ]
11 [ --agents list ] [ --attempts num ] [ --dir dirname ]
12 [ --host name ] [ --lockwait seconds ]
13 [ --stop which ] [ --timeout minutes ] [ keys... ]
14
16 keychain is a manager for ssh-agent, typically run from
17 ~/.bash_profile. It allows your shells and cron jobs to easily share a
18 single ssh-agent process. By default, the ssh-agent started by
19 keychain is long-running and will continue to run, even after you have
20 logged out from the system. If you want to change this behavior, take
21 a look at the --clear and --timeout options, described below.
22 When keychain is run, it checks for a running ssh-agent, otherwise it
24 starts one. It saves the ssh-agent environment variables to
25 ~/.keychain/${HOSTNAME}-sh, so that subsequent logins and non-
26 interactive shells such as cron jobs can source the file and make
27 passwordless ssh connections.
28 In addition, when keychain runs, it verifies that the key files
30 specified on the command-line are known to ssh-agent, otherwise it
31 loads them, prompting you for a password if necessary. Typically,
32 private key files are specified by filename only, without path,
33 although it is possible to specify an absolute or relative path to the
34 private key file as well. If just a private key filename is used, which
35 is typical usage, keychain will look for the specified private key
36 files in ~/.ssh, ~/.ssh2, or with the -c/--confhost option, inspect the
37 ~/.ssh/config file and use the IdentityFile option to determine the
38 location of the private key. Private keys can be symlinks to the actual
39 private key.
40 Keychain expects associated public key files to exist in the same
42 directory as the private key files, with a .pub extension. If the
43 private key is a symlink, the public key can be found alongside the
44 symlink, or in the same directory as the symlink target (This
45 capability requires the 'readlink' command to be available on the
46 system.)
47 As an additional feature, if a private key has an extension ".ext",
49 keychain will look for privkey.ext.pub first, and if not found, will
50 look for privkeyname.pub.
51 Keychain also supports gpg-agent in the same ways that ssh-agent is
53 supported. By default keychain attempts to start ssh-agent only. You
54 can modify this behavior using the --agents option.
55 Keychain supports most UNIX-like operating systems, including Cygwin.
57 It works with Bourne-compatible, csh-compatible and fish shells.
58
60 --agents list
61 Start the agents listed. By default keychain will start ssh-agent
62 if it is found in your path. The list should be comma-separated,
63 for example "gpg,ssh"
64 --attempts num
66 Try num times to add keys before giving up. The default is 1.
67 --clear
69 Delete all of ssh-agent's keys. Typically this is used in
70 .bash_profile. The theory behind this is that keychain should
71 assume that you are an intruder until proven otherwise. However,
72 while this option increases security, it still allows your cron
73 jobs to use your ssh keys when you're logged out.
74 --confhost
76 By default, keychain will look for key pairs in the ~/.ssh/
77 directory. The --confhost option will inform keychain to look in
78 ~/.ssh/config for IdentityFile settings defined for particular
79 hosts, and use these paths to locate keys.
80 --confirm
82 Keys are subject to interactive confirmation by the SSH_ASKPASS
83 program before being used for authentication. See the -c option
84 for ssh-add(1).
85 --absolute
87 Any arguments to "--dir" are interpreted to be absolute. The
88 default behavior is to append "/.keychain" to the argument for
89 backwards compatibility.
90 --dir dirname
92 Keychain will use dirname rather than $HOME/.keychain
93 --query
95 Keychain will print lines in KEY=value format representing the
96 values which are set by the agents.
97 --eval
99 Keychain will print lines to be evaluated in the shell on stdout.
100 It respects the SHELL environment variable to determine if Bourne
101 shell or C shell output is expected.
102 --env filename
104 After parsing options, keychain will load additional environment
105 settings from "filename". By default, if "--env" is not given,
106 then keychain will attempt to load from ~/.keychain/[hostname]-env
107 or alternatively ~/.keychain/env. The purpose of this file is to
108 override settings such as PATH, in case ssh is stored in a non-
109 standard place.
110 -h --help
112 Show help that looks remarkably like this man-page. As of 2.6.10,
113 help is sent to stdout so it can be easily piped to a pager.
114 --host name
116 Set alternate hostname for creation of pidfiles
117 --ignore-missing
119 Don't warn if some keys on the command-line can't be found. This
120 is useful for situations where you have a shared .bash_profile, but
121 your keys might not be available on every machine where keychain is
122 run.
123 --inherit which
125 Attempt to inherit agent variables from the environment. This can
126 be useful in a variety of circumstances, for example when ssh-agent
127 is started by gdm. The following values are valid for "which":
128 local Inherit when a pid (e.g. SSH_AGENT_PID) is set in the
130 environment. This disallows inheriting a forwarded
131 agent.
132 any Inherit when a sock (e.g. SSH_AUTH_SOCK) is set in the
134 environment. This allows inheriting a forwarded agent.
135 local-once Same as "local", but only inherit if keychain isn't
137 already providing an agent.
138 any-once Same as "any", but only inherit if keychain isn't
140 already providing an agent.
141 By default, keychain-2.5.0 and later will behave as if "--inherit
143 local-once" is specified. You should specify "--noinherit" if you
144 want the older behavior.
145 -l --list
147 List signatures of all active SSH keys, and exit, similar to "ssh-
148 add -l".
149 --lockwait seconds
151 How long to wait for the lock to become available. Defaults to 5
152 seconds. Specify a value of zero or more. If the lock cannot be
153 acquired within the specified number of seconds, then this keychain
154 process will forcefully acquire the lock.
155 --noask
157 This option tells keychain do everything it normally does (ensure
158 ssh-agent is running, set up the ~/.keychain/[hostname]-{c}sh
159 files) except that it will not prompt you to add any of the keys
160 you specified if they haven't yet been added to ssh-agent.
161 --nocolor
163 Disable color hilighting for non ANSI-compatible terms.
164 --nogui
166 Don't honor SSH_ASKPASS, if it is set. This will cause ssh-add to
167 prompt on the terminal instead of using a graphical program.
168 --noinherit
170 Don't inherit any agent processes, overriding the default
171 "--inherit local-once"
172 --nolock
174 Don't attempt to use a lockfile while manipulating files, pids and
175 keys.
176 -k --stop which
178 Kill currently running agent processes. The following values are
179 valid for "which":
180 --systemd
182 Inject environment variables into the systemd --user session.
183 all Kill all agent processes and quit keychain immediately.
185 Prior to keychain-2.5.0, this was the behavior of the bare
186 "--stop" option.
187 others Kill agent processes other than the one keychain is
189 providing. Prior to keychain-2.5.0, keychain would do
190 this automatically. The new behavior requires that you
191 specify it explicitly if you want it.
192 mine Kill keychain's agent processes, leaving other agents
194 alone.
195 -Q --quick
197 If an ssh-agent process is running then use it. Don't verify the
198 list of keys, other than making sure it's non-empty. This option
199 avoids locking when possible so that multiple terminals can be
200 opened simultaneously without waiting on each other.
201 -q --quiet
203 Only print messages in case of warning, error or required
204 interactivity. As of version 2.6.10, this also suppresses
205 "Identities added" messages for ssh-agent.
206 --timeout minutes
208 Set a timeout in minutes on your keys. This is conveyed to ssh-
209 agent which does the actual timing out of keys since keychain
210 doesn't run continuously.
211 -V --version
213 Show version information.
214
216 This snippet should work in most shells to load two ssh keys and one
217 gpg key:
218 eval `keychain --eval id_rsa id_dsa 0123ABCD`
220 For the fish shell, use the following format:
222 if status --is-interactive
224 keychain --eval --quiet -Q id_rsa | source
225 end
226 If you have trouble with that in csh:
228 setenv SHELL /bin/csh
230 eval `keychain --eval id_rsa id_dsa 0123ABCD`
231 This is equivalent for Bourne shells (including bash and zsh) but
233 doesn't use keychain's --eval feature:
234 keychain id_rsa id_dsa 0123ABCD
236 [ -z "$HOSTNAME" ] && HOSTNAME=`uname -n`
237 [ -f $HOME/.keychain/$HOSTNAME-sh ] && \
238 . $HOME/.keychain/$HOSTNAME-sh
239 [ -f $HOME/.keychain/$HOSTNAME-sh-gpg ] && \
240 . $HOME/.keychain/$HOSTNAME-sh-gpg
241 This is equivalent for C shell (including tcsh):
243 keychain id_rsa id_dsa 0123ABCD
245 host=`uname -n`
246 if (-f $HOME/.keychain/$host-csh) then
247 source $HOME/.keychain/$host-csh
248 endif
249 if (-f $HOME/.keychain/$host-csh-gpg) then
250 source $HOME/.keychain/$host-csh-gpg
251 endif
252 To load keychain variables from a script (for example from cron) and
254 abort unless id_dsa is available:
255 # Load keychain variables and check for id_dsa
257 [ -z "$HOSTNAME" ] && HOSTNAME=`uname -n`
258 . $HOME/.keychain/$HOSTNAME-sh 2>/dev/null
259 ssh-add -l 2>/dev/null | grep -q id_dsa || exit 1
260
262 ssh-agent(1)
263
265 Keychain was created and is currently maintained by Daniel Robbins. If
266 you need to report a bug or request an enhancement, please post to the
267 Funtoo Linux bug tracker <http://bugs.funtoo.org>. For more
268 information about keychain, please visit
269 <http://www.funtoo.org/Keychain>.
2702.8.0 2015-03-21 keychain(1)