Posted by & filed under Developer Blog.

Background

I’m in the process of setting up a new Droplet on DigitalOcean. Mine is an Ubuntu droplet. The joy of DigitalOcean is that you have full control over your (super fast) server (and at a great price). You want Apache? You can install it yourself. You want git? Same deal. Trying out node.js? You get the idea. Of course with the good comes the bad: you have all the power and all the responsibility. So, when I set up ssh keys in order to use git without constant username and password prompts, I ran into some issues.

The Problem

Once you set up ssh to be used with ssh keys, it relies on the ssh-agent to be running to serve up those keys to other apps (like git). The problem is, once you log out of your session on the server (via ssh), the ssh-agent also goes away and no longer serves up the keys. When you log back in and do something like `git pull` you are likely to be greeted with a message saying

Permission denied (publickey).

and through a little digging, you might even come up with the error

Could not open a connection to your authentication agent.

This is because the ssh-agent process has stopped. To start it back up, you would use

ssh-agent /bin/bash

But that’s a pain to do every time you log into your server.

The Solution

The solution I chose uses a helpful app called Keychain. This should not be confused with Mac OS X Keychain, because they are not the same thing. Keychain is a program designed to help you easily manage your SSH keys with minimal user interaction. It is implemented as a shell script which drives both ssh-agent and ssh-add. A notable feature of Keychain is that it can maintain a single ssh-agent process across multiple login sessions. This means that you only need to enter your passphrase once each time your local machine is booted.

Installation

With Ubuntu you can use apt-get to install Keychain fairly painlessly:

apt-get install keychain

More info on Keychain usage

Tricks

If you are like me, and you do not want to run the Keychain command or get asked for your passphrase every time you log in, you may add the following to your .bashrc (or .bash_aliases if that’s how you roll):

alias ssh='eval $(/usr/bin/keychain --eval --agents ssh -Q --quiet ~/.ssh/*_rsa) && ssh'

A few things to note with the alias line above.

  • This basically checks to see if Keychain is doing its thing already, and if not, gets it going.
  • The reason for the alias is that it tacks itself onto the very command you would want Keychain for in the first place, in this case ssh. This means that the first time you actually attempt to connect via ssh it will just work. No hassle.
  • Most examples of the line above will give you a concrete file path to the ssh key, but I attempted it with the wildcard (*) and it works great. If you are like me and use different keys for different services (GitHub and BitBucket for example), then this might be very useful to you. If you only use id_rsa then feel free to plug that in. The important thing to know is that you are putting the path to your keys in that spot. I’m sure you can find many more examples to suit your style on Google.

But Wait, There’s More

The alias above is the one you will see all over the place as a suggestion to use with Keychain, but it only works if you use ssh as your trigger. What about the original problem of running `git pull` and seeing errors? Well, it turns out you can use another similar alias:

alias git='eval $(/usr/bin/keychain --eval --agents ssh -Q --quiet ~/.ssh/*_rsa) && git'

which accomplishes the same exact thing when you run your first git command after restarting your machine.
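Instead of one alias per tool, the two aliases above can be folded into a single .bashrc fragment that also reports whether the agent actually ended up with keys in it. This is an added example, not code from the original post or from the Keychain project; it assumes Keychain lives at /usr/bin/keychain and that your private keys are named *_rsa under ~/.ssh.

```shell
# Constructed .bashrc fragment (example only; not from the original post).
# Assumes keychain at /usr/bin/keychain and private keys named *_rsa in ~/.ssh.

# Print the private keys keychain should load, one per line.
# Expands the glob ourselves so a non-match yields nothing (not a literal
# pattern) and *.pub files are never handed to ssh-add.
list_keys() {
    local dir="${1:-$HOME/.ssh}" k
    for k in "$dir"/*_rsa; do
        [ -f "$k" ] && printf '%s\n' "$k"
    done
    return 0
}

# Map the exit status of `ssh-add -l` to a word we can branch on:
# 0 = keys loaded, 1 = agent reachable but empty, 2 = no agent socket.
agent_state() {
    case "$1" in
        0) echo "keys-loaded" ;;
        1) echo "agent-empty" ;;
        2) echo "no-agent" ;;
        *) echo "unknown" ;;
    esac
}

# Start or reuse the agent and report its state. --timeout 60 makes keychain
# pass `ssh-add -t 60`, so keys added on a shared server expire after an hour
# instead of living for as long as the agent does. (--clear would instead
# drop all keys at every login if you prefer a passphrase per session.)
ensure_agent() {
    set -- $(list_keys)      # word-split on purpose; assumes no spaces in key paths
    if [ $# -eq 0 ]; then
        echo "ensure_agent: no *_rsa keys found in $HOME/.ssh" >&2
        return 1
    fi
    eval "$(/usr/bin/keychain --eval --agents ssh -Q --quiet --timeout 60 "$@")" || return 1
    ssh-add -l >/dev/null 2>&1
    agent_state $?
}

# One wrapper instead of a separate alias per tool:
#   with_agent git pull      with_agent ssh host      with_agent rsync ...
with_agent() {
    ensure_agent >/dev/null || return 1
    "$@"
}
```

Running `ensure_agent` by itself on login prints `keys-loaded`, `agent-empty` or `no-agent`, which is a quicker check than waiting for the next `Permission denied (publickey)`.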

Let me know in the comments section if this helped you!