flazz Guru
Joined: 22 Nov 2003 Posts: 496 Location: Florida
Posted: Wed May 10, 2006 4:41 am Post subject: why use ssh-agent and keychain
I'm reading the keychain guide and I don't really see a reason for this. Could someone explain to me the benefit of using these programs when, as long as I have the keys set up in the traditional way, all I have to do is 'ssh computer'.
jk3us Apprentice
Joined: 14 Mar 2005 Posts: 201 Location: Memphis, TN
Posted: Wed May 10, 2006 4:51 am Post subject:
It is considered good practice to put a passphrase on your ssh keys. If you do this, then every time you 'ssh computer' you will be prompted for your passphrase. ssh-agent/keychain allows you to enter your password once for a session and ssh-agent decrypts your key and stores it securely in memory so that you do not need to enter your passphrase each time.
benster n00b
Joined: 30 Nov 2005 Posts: 67 Location: Funkytown
Posted: Wed May 10, 2006 5:27 am Post subject:
I think the difference comes down to whether or not you use a passphrase with your private key. If you do, then you still have to enter in a password to decrypt the local private key before it may be used with your connection. The benefit to ssh-agent then is that it keeps your secret key (unencrypted by the passphrase you entered only once) cached (and available to applications you start from that shell or X session) so that you don't have to enter that single password for the secret key every time you use ssh public key authentication to another machine.

But if you're like some people I know, then you have no passphrase at all on your secret key and then the benefit presented by ssh-agent as far as single-link SSHing goes is only one of a little security (assuming your password is good).

But what is cooler is SSH Agent Forwarding. Described in this SecurityFocus article, ssh-agent can also do multi-hop forwarding, so no matter what convoluted web of SSHing you do from your client to a remote machine and further sshing from the remote machine to others, you only need the secret key to reside on the client - successive multi-hop ssh sessions all talk back securely to the original client to authenticate. So you only need one copy of the secret key. So if you SSH to a firewall machine and then into a real machine inside the firewall on a LAN from outside, ssh-agent could help you not need a copy of your secret key on the firewall machine, but just on your client machine.

So if you have some convoluted ssh'ing going on, then ssh-agent seems like it could be a useful thing. But if you're just one-hop sshing to other machines, and if you're willing to not use a passphrase for your key, then you don't need ssh-agent. But if your box gets rooted and your secret keys aren't passphrased, the intruder now has access to all the machines you set up passwordless public-key ssh with. Depends on how paranoid you're feeling.
flazz Guru
Joined: 22 Nov 2003 Posts: 496 Location: Florida
Posted: Wed May 10, 2006 3:55 pm Post subject:
Excellent responses, thanks.

My biggest problem with using passphrases is that I have automated scripts that get output from remote commands and, as far as I know, there is no way to enter the passphrase or password as part of a command line ssh call.

A cron example:

```sh
ssh box "tail /var/log/messages|awk -f scriptThatParsesAndAlerts"
```

If I have a password this will never work because it will just wait and wait till timeout.

But I do like the idea of one key for a multihop session. I don't have any scenario where I multihop right now but I might soon; it's a brilliant concept.
think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Wed May 10, 2006 5:57 pm Post subject:
> flazz wrote: Excellent responses, thanks.
> My biggest problem with using passphrases is that I have automated scripts that get output from remote commands and, as far as I know, there is no way to enter the passphrase or password as part of a command line ssh call.

That's what keychain is for.

You only need to enter the passphrase *once* for a given key. After that any process on your machine can source this memory-resident information (until the next reboot, that is).

So you can have both... key-auth plus a secured key.

_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
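The point think4urs11 makes, applied to flazz's cron job, as an added example that is not code from this thread or from the keychain project: a wrapper script sources the agent environment that keychain saved during an interactive login, checks that it really got an agent socket, and then runs the remote command with `BatchMode=yes` so ssh exits with an error instead of sitting at a passphrase prompt until cron's timeout. It assumes keychain's usual file `~/.keychain/<hostname>-sh` in the `VAR=value; export VAR;` layout that `ssh-agent -s` prints; the script name `cron-tail.sh`, the host `box` and the `scriptThatParsesAndAlerts` awk script are taken from or constructed for the thread.

```shell
#!/bin/sh
# Added example, not from the thread: a cron job that reuses an ssh-agent
# already unlocked by keychain in an interactive login, and refuses to hang
# when no agent is available.

# keychain saves the agent's environment in ~/.keychain/<hostname>-sh, in the
# "VAR=value; export VAR;" form that `ssh-agent -s` prints (assumed layout;
# override KEYCHAIN_ENV if your keychain names the file differently).
KEYCHAIN_ENV="${KEYCHAIN_ENV:-$HOME/.keychain/$(uname -n)-sh}"

# Source FILE and confirm it actually handed us an agent socket.
# Returns 1 when the file is missing or defines no SSH_AUTH_SOCK, so a cron
# job can fail fast with a log line instead of waiting for a passphrase.
load_agent_env() {
    file="$1"
    [ -r "$file" ] || return 1
    # shellcheck disable=SC1090
    . "$file"
    [ -n "${SSH_AUTH_SOCK:-}" ] || return 1
}

# Pull a remote log tail and feed it to the alerting awk script from the
# thread. BatchMode=yes tells ssh never to prompt: if the agent cannot
# authenticate, ssh exits non-zero immediately instead of blocking.
remote_tail() {
    host="$1"
    ssh -o BatchMode=yes -o ConnectTimeout=10 "$host" 'tail /var/log/messages' \
        | awk -f scriptThatParsesAndAlerts
}

main() {
    if ! load_agent_env "$KEYCHAIN_ENV"; then
        echo "$(date): no ssh-agent environment in $KEYCHAIN_ENV;" \
             "run keychain from a login shell first" >&2
        exit 1
    fi
    remote_tail box
}

# Constructed crontab line: */10 * * * * /usr/local/bin/cron-tail.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

The script only ever picks up an agent that a human already unlocked, so the passphrase never has to live in the crontab; when the machine reboots and nobody has logged in yet, the job logs a one-line error and exits rather than leaving a stuck ssh process behind.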