I am running Debian with an Xfce desktop environment and while I've tried many solutions, I always need to enter the passphrase once upon every reboot.

  • In macOS, I can simply use ssh-add -l > /dev/null || ssh-add -A and macOS' default keychain manager will remember the password in its keychain, resulting in no longer needing to enter the passphrase, but the -A won't work in Debian.

    I have the following in .bashrc:
    # Reuse one long-lived agent across shells via a stable socket symlink
    if [ ! -S ~/.ssh/ssh_auth_sock ]; then
      eval "$(ssh-agent)"
      ln -sf "$SSH_AUTH_SOCK" ~/.ssh/ssh_auth_sock
    fi
    export SSH_AUTH_SOCK=~/.ssh/ssh_auth_sock
    # Only prompt for the passphrase if the agent holds no keys yet
    ssh-add -l > /dev/null || ssh-add

  • I've also tried using keychain, which I thought was the same as macOS' keychain, however keychain also requires the passphrase upon every reboot.

How can I get some Debian key manager to remember the passphrase securely, thereby avoiding the entering of the passphrase forever?

JW0914
  • 9,096
sgon00
  • 1,335

1 Answer

Nearly all approaches involve PAM in one way or another, because your system login password is the only piece of information that's obtained without having to store it on disk.

The simplest method is pam_ssh which will automatically start ssh-agent and use your system password to load all keys from standard locations and from ~/.ssh/session-keys.d/.

On Debian the libpam-ssh package will automatically insert the module in the correct location. Other similar methods:

  • pam_gnome_keyring uses your login password to unlock GNOME Keyring, which stores passphrases for your SSH keys.
  • pam_ecryptfs uses your login password to unlock an encrypted eCryptFS filesystem, where you can place your keys without any passphrase.
  • pam_gnupg uses your login password to unlock keys stored in gpg-agent (which may be PGP, SSH, or S/MIME keys).

If you do not want the boot process to show any password prompts whatsoever... well, there's no secure way to store keys on your system. At best you can make use of a TPM chip or some other hardware token to store RSA keys without the possibility to extract them – they'll be bound to the hardware element they're on.

  • Many new computers come with a TPM module, or (in case of desktops) a pin header to connect one bought separately, or occasionally a "fTPM" emulated via firmware. Such modules can hold symmetric and asymmetric keys.
  • There are some USB "smart card" tokens providing either a PIV or OpenPGP interface, and both can be used for SSH. For laptops, some YubiKey models fit almost entirely inside a USB port.
grawity
  • 501,077
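The PAM-based approaches above only buy anything if the keys on disk are actually passphrase-protected; a key stored "without any passphrase" is safe only inside something like the encrypted filesystem the answer mentions. As an added check (not part of the question, the answer, or any project's code), the following inspects SSH private key files by their headers alone and reports which ones any agent could load with no passphrase at all. The sample key files are constructed inline with dummy key material; only the format headers are meaningful.

```python
import base64
import struct

# Constructed samples (not real keys): the parser only reads the header fields.
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _openssh_blob(cipher: bytes, kdf: bytes) -> bytes:
    # openssh-key-v1 layout: magic, ciphername, kdfname, kdfoptions, nkeys, pub, priv
    body = (b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(b"") + struct.pack(">I", 1)
            + _ssh_string(b"\x00" * 16) + _ssh_string(b"\x00" * 32))
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n").encode()

SAMPLE_KEYS = {
    "id_ed25519_nopass": _openssh_blob(b"none", b"none"),
    "id_ed25519_pass": _openssh_blob(b"aes256-ctr", b"bcrypt"),
    "id_rsa_legacy_pass": (b"-----BEGIN RSA PRIVATE KEY-----\n"
                           b"Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\n"
                           b"AAAA\n-----END RSA PRIVATE KEY-----\n"),
    "id_rsa_legacy_nopass": (b"-----BEGIN RSA PRIVATE KEY-----\nAAAA\n"
                             b"-----END RSA PRIVATE KEY-----\n"),
}

def key_protection(data: bytes) -> dict:
    """Classify a private key file as passphrase-protected or not, from headers only."""
    lines = [l.strip() for l in data.decode("ascii", "replace").splitlines() if l.strip()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-style private key")
    kind = lines[0][11:-5]  # text between '-----BEGIN ' and the trailing '-----'
    if kind == "OPENSSH PRIVATE KEY":
        raw = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not raw.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(magic)
        (n,) = struct.unpack_from(">I", raw, off); cipher = raw[off + 4:off + 4 + n].decode(); off += 4 + n
        (n,) = struct.unpack_from(">I", raw, off); kdf = raw[off + 4:off + 4 + n].decode()
        return {"format": "openssh-v1", "cipher": cipher, "kdf": kdf, "encrypted": cipher != "none"}
    if kind == "ENCRYPTED PRIVATE KEY":  # PKCS#8 wrapper always carries its own encryption
        return {"format": "pkcs8", "cipher": "pkcs8", "kdf": "pkcs8", "encrypted": True}
    enc = any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:4])
    return {"format": "pem-legacy", "cipher": "dek-info" if enc else "none", "kdf": "none", "encrypted": enc}

def unprotected_keys(files: dict) -> list:
    """Names of key files that an agent could load without any passphrase."""
    return sorted(name for name, data in files.items() if not key_protection(data)["encrypted"])

if __name__ == "__main__":
    for name, data in SAMPLE_KEYS.items():
        print(name, key_protection(data))
    print("unprotected:", unprotected_keys(SAMPLE_KEYS))
```

To audit a real ~/.ssh directory, feed each private key file's bytes to key_protection and treat any unprotected result as a key that needs a passphrase, an encrypted home, or a hardware token.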