As a follow-up to the SSH: RSA keys, and ssh-agent for SSH keys and their passwords management post.
The idea now is to make simpler to work with password-protected SSH keys, to avoid the necessity to enter a password each time when you want to load a key to the
One of the possible solutions is to use KeePass, which will store keys and their passwords and will decrypt keys before load them to the
To achieve this – we need in three components – an ssh-client (
git, etc), the
ssh-agent which will keep unencrypted files to pass them to clients.
In the examples below the KeePassXC will be used instead of vanilla KeePass, but there is no difference in their configuration (the only difference here is that KeePassXC already has the plugin installed).
In total, the workflow looks like next:
ssh-agentis started, creates a UNIX-socket for communication with other components
- KeePass is started, where are keys and their passwords are stored, and KeePass will decrypt keys and push them to the ssh-agent using its UNIX-socket
- any ssh-agent is started, connects via the same socket to the ssh-agent, gets an RSA key for a connect requested by the user
Stop already running agents:
Start KeePass, go to the Tools > Settings > SSH Agent, enable it:
Restart KeePass and see the “No agent running, cannot add identity” error:
It’s OK for now as we didn’t start any agent yet. There are various ways to start it during system startup, check the Running ssh-agent with multitype terminals.
Adding an SSH key to the KeePass
Create a new item:
In the Password field specify a key’s password.
On the left side go to the SSH Agent, via External File chose the key’s file:
And let’s check how it will work.
Start an agent:
From the same terminal, to use the
$SSH_AUTH_SOCK variable restart KeePass:
Check keys available in the
~/.ssh/confg, add authentication with RSA key:
Host rtfm Hostname rtfm.co.ua User setevoy IdentityFile /home/setevoy/.ssh/test-key
Ty to log in:
“It works!”. (c)
“Require user confirmation when this key is used” and “sign_and_send_pubkey: signing failed: agent refused operation“
If you’ll also enable the “Require user confirmation when this key is used” option in the KeePass, during login you can face the “sign_and_send_pubkey: signing failed: agent refused operation” error:
To solve it – install the
And log in again:
openssh-askpass won’t work in Arch Linux, see