I hate typing in passwords. Everyone hates typing in passwords. When dealing with remote computers there are many many passwords to type in, and that’s why we have SSH with keys.
ssh-agent with zsh & keychain on Mac OS X
After generating two files (keys) using OpenSSL, copy one of them to ~/.ssh on the remote computer and the other to ~/.ssh on your local computer. Future logins to the remote computer no longer require a password. For more information on how to set this up see Dave Aaldering’s SSH with Keys HOWTO. This can also be done using the confusingly named SSH Agent application on Mac OS X.
For security reasons, the keys you generate should be protected by a password. Now you’re back to square one, having to type a password for every remote login. The improvement is that it’s the same password for multiple machines.
The next step is to cache the password in memory the first time it is used - that way you only type the password once for multiple logins. This is done using ssh-agent, which is part of the SSH suite. To go one step further and make sure you only ever have one instance of ssh-agent running, use the keychain script.
I use the zsh shell. Here are the steps for installing the keychain script and having it load your keys for every new terminal window:
Install the keychain script. I simply copied the keychain file to /usr/local/bin/keychain - this requires an administrator password:
    tar -x --bzip2 -f keychain-2.6.2.tar.bz2
    cd keychain-2.6.2
    sudo install keychain /usr/local/bin/
You can now discard the downloaded archive and the keychain folder.
Add the following to your zsh startup file, ~/.zlogin. If this file doesn’t exist you need to create it.
    /usr/local/bin/keychain id_dsa
    [[ -f ~/.keychain/macbook.local-sh ]] && source ~/.keychain/macbook.local-sh
Replace macbook.local in the above script with your computer’s host-name. You can find or change this in System Preferences under Sharing.
That’s it! After each reboot, the first time you open a terminal window you will be asked for the password for your keys. Thereafter they will be cached in memory.
For more information or login scripts for other shells - bash or csh - see the keychain man page.
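The ~/.zlogin step above sources a file in every login shell, so it is worth checking that file before trusting it. The following is an added example, not part of the original post or of keychain itself: it refuses to source the file unless it is a regular file owned by you and not writable by group or others, and it reports when the cached agent socket is gone. It assumes the file is named after the output of uname -n (macbook.local in the post); KEYCHAIN_DIR and both function names are hypothetical.

```shell
# Added example for ~/.zlogin; also runs under bash and POSIX sh.
# KEYCHAIN_DIR is an assumed override for testing; the default is ~/.keychain.

# Succeed only for a regular file (not a symlink) that the current user owns
# and that has no group or other write bit set.
keychain_env_is_safe() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    # find prints the path only when a group/other write bit is present
    [ -z "$(find "$1" \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Source this host's keychain file after validating it.
# Returns 0 on success, 1 if the file is missing or unsafe,
# 2 if it was sourced but SSH_AUTH_SOCK is not a live socket.
load_keychain_env() {
    _kc_env=${KEYCHAIN_DIR:-$HOME/.keychain}/$(uname -n)-sh
    if ! keychain_env_is_safe "$_kc_env"; then
        echo "keychain: refusing to source $_kc_env" >&2
        return 1
    fi
    . "$_kc_env"
    if [ ! -S "${SSH_AUTH_SOCK:-}" ]; then
        echo "keychain: SSH_AUTH_SOCK is not a socket (stale agent?)" >&2
        return 2
    fi
    return 0
}

# Start or reuse the agent as in the post, then load its environment.
[ -x /usr/local/bin/keychain ] && /usr/local/bin/keychain id_dsa
load_keychain_env || true
```

Because the host name comes from uname -n, the snippet does not need editing when the computer is renamed under Sharing.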