Mailing List Archive

Can ssh add keys to ssh-agent?
Hello, I would like to ask a simple question. Please accept my apologies
if it has already been addressed, but I didn't find an answer for it.

I have key-based access to an ssh server (running openssh) and ssh-agent
running. When I add the key to agent (ssh-add ...), everything works
as expected without problems. I have also set 'IdentityFile = path_to_key'
to that key in ~/.ssh/config. Now, when I use ssh and the key IS NOT
added to ssh-agent, ssh asks for the password to the key and uses it
for authentication. Still no problem. Also when I use e.g. subversion
(using svn+ssh protocol) from command line, it (or the ssh) asks for
the password to the key and again, uses the key for the authentication
to the server.

However, when I use ssh or subversion again, it asks for the password
to the key again; every time I use it. It looks like:

$ ssh-add -L
The agent has no identities.

$ svn up
Enter passphrase for key 'path_to_key_from_IdentityFile':
....
....

$ ssh-add -L
The agent has no identities.

$ svn log
Enter passphrase for key 'path_to_key_from_IdentityFile':
....
....

$ ssh svnserver
Enter passphrase for key 'path_to_key_from_IdentityFile':
....
^D

$ ssh-add -L
The agent has no identities.



Well, it is correct, and you may argue that I should add the key to the
running agent using ssh-add; you are right. Nevertheless, it becomes
annoying when I use a GUI client for svn - it asks for the password again
and again (using an X password dialog), until I switch to the console and call
ssh-add. Also when I forget to call ssh-add before I connect by ssh,
it asks repeatedly for the password with each new connection (I usually
open more than one ssh connection). It is not a crucial problem, but I
hope you agree that it is annoying.

So, the question is: is there a possibility to configure ssh to automatically
add the key to the running ssh-agent, when ssh recognises that the key is
required and checks that the password is OK (which ssh already does)?
To behave like this:


$ ssh-add -L
The agent has no identities.

$ svn up
Enter passphrase for key 'path_to_key_from_IdentityFile':
....
....

$ ssh-add -L
ssh-dss xxxxxxxxxxxx ..... xxxxxxxxxxxx path_to_key_from_IdentityFile

$ svn log
....
....

$ ssh svnserver
....
^D


It would allow using the key once it is needed, and even GUI-based apps
could set it without the need to switch to the console.


Thank you very much for your answer. Best regards,
Dan
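
Editor's note, added here and not part of Dan's message or of any reply in the thread: OpenSSH 7.2 (released in 2016, long after this exchange) added the client option AddKeysToAgent, which does exactly what is asked for. When a key from IdentityFile is used during authentication, ssh itself hands the decrypted key to the running agent, so later connections (including ones opened by svn or a GUI client that exec ssh directly) find it loaded. It still requires an agent to be reachable through SSH_AUTH_SOCK in the calling program's environment, which is what the replies below are about. The host name and key path are the placeholders used in the question:

```ssh_config
# ~/.ssh/config (added example; "svnserver" and path_to_key are the thread's placeholders)
Host svnserver
    IdentityFile path_to_key
    # yes: after ssh has unlocked the key with the passphrase, add it to the agent.
    # Other values: no (the default), ask (confirm through SSH_ASKPASS before adding),
    # confirm (add it, but the agent asks before each later use, as with ssh-add -c).
    AddKeysToAgent yes
```

Putting the option under a bare "Host *" stanza applies it to every key; "confirm" is the safer choice on a shared or long-lived desktop session, since a loaded key can be used by any process that can reach the agent socket.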
Re: Can ssh add keys to ssh-agent?
On Wednesday 18 March 2009 08:26:30 rozelak@volny.cz wrote:
> Hello, I would like to ask a simple question. Please accept my apologies
> if it has already been addressed, but I didn't find an answer for it.
>
> I have key-based access to an ssh server (running openssh) and ssh-agent
> running. When I add the key to agent (ssh-add ...), everything works
> as expected without problems. I have also set 'IdentityFile = path_to_key'
> to that key in ~/.ssh/config. Now, when I use ssh and the key IS NOT
> added to ssh-agent, ssh asks for the password to the key and uses it
> for authentication. Still no problem. Also when I use e.g. subversion
> (using svn+ssh protocol) from command line, it (or the ssh) asks for
> the password to the key and again, uses the key for the authentication
> to the server.
>
> However, when I use ssh or subversion again, it asks for the password
> to the key again; every time I use it. It looks like:
>
[...snipped...]
> So, the question is: is there a possibility to configure ssh to
> automatically add the key to the running ssh-agent, when ssh recognises
> that the key is required and checks that the password is OK (which ssh already
> does)? To behave like this:
[...snipped...]
>
> It would allow using the key once it is needed, and even GUI-based apps
> could set it without the need to switch to the console.
>

Yes, you can do this. These days, my distro handles proper setup of ssh-agent
when I log in, but if you want to do it manually, you can. Simply change your
account startup so it runs "ssh-agent startx" instead of just "startx" (for
example).

You will still need to do the ssh-add when you first log in, but after that you
should be good.

>
> Thank you very much for your answer. Best regards,
> Dan

Regards,
Jeff
Re: Can ssh add keys to ssh-agent?
From: "Jeff MacDonald" <jam@zoidtechnologies.com>
To: secureshell@securityfocus.com
Subject: Re: Can ssh add keys to ssh-agent?
Date: 20.3.2009 - 16:12:29

> > It would allow using the key once it is needed, and even GUI-based apps
> > could set it without the need to switch to the console.
> >
>
> Yes, you can do this. These days, my distro handles proper setup of ssh-agent
> when I log in, but if you want to do it manually, you can. Simply change your
> account startup so it runs "ssh-agent startx" instead of just "startx" (for
> example).
>
> You will still need to do the ssh-add when you first log in, but after that you
> should be good.
>

Thank you. I know about this possibility, but it is not exactly what
I wanted. As I log in to svn (and the other servers using the keys)
only from time to time (basically less often than I log into the computer),
I would like to set the key only when really required. Typing a (quite
complicated) password each time I log in is not very comfortable (I have
tried it ...).

If an ssh developer could point me to where to look in the code, I could
try to hack on it. If you are not against such an option, please tell me
where to start.

Best regards,
Dan
Re: Can ssh add keys to ssh-agent?
rozelak@volny.cz wrote:
> I wanted. As I log in to svn (and the other servers using the keys)
> only from time to time (basically less often than I log into the computer),
> I would like to set the key only when really required. Typing a (quite
> complicated) password each time I log in is not very comfortable (I have
> tried it ...)
Hint: some clever shell scripting would solve all your problems...

My shells all use a unified agent which only triggers once, the first
time I need to ssh (or if the agent is killed/restarted or my key was not
already loaded for some reason etc..)

Trying to rustle up some l33t profile to do all this is left as an
exercise to the reader...

(no you cannot have mine, it's part of my bash profile which is
approaching 2000 lines so you can tell I _love_ my shell... :-) )

-h

--
Hari Sekhon
Always open to interesting opportunities
http://www.linkedin.com/in/harisekhon
Re: Can ssh add keys to ssh-agent?
On Mon, Mar 23, 2009 at 05:47:12PM +0000, Hari Sekhon wrote:
> My shells all use a unified agent which only triggers once the first
> time I need to ssh (or if the agent is killed/restart or my key was not
> already loaded for some reason etc..)

I don't see any way to do this that isn't a horrible hack involving
parsing the output of "ps" or your operating system's equivalent (such
as /proc). ssh-agent is intended to be run as the ancestor of all the
processes of your session (e.g. eval `ssh-agent -s` in your .xsession or
.profile file), so that they all inherit the same environment variables
pointing to the same agent.

If ssh-agent isn't already running at the time your ssh command is
triggered, then you're (potentially) going to have multiple xterms
running around with no SSH_AUTH* variables set. If you try to detect
the presence or absence of an agent running under your UID using some
ps/pgrep hackery, not only do you get the error-prone-ness of parsing
process names (processes can change their own names, invoke other
processes under pseudonyms, etc.), but you also create a race condition.

Consider something like this (bash syntax):

    ssh() {
        # Look for an agent owned by this user by process name (the fragile part)
        if ! pgrep -u "$LOGNAME" ssh-agent >/dev/null; then
            # Agent is not running: start one for this shell and load the key
            eval "$(ssh-agent -s)"
            ssh-add
        else
            # ssh-add -L exits 1 when the agent is reachable but holds no identities
            ssh-add -L >/dev/null 2>&1
            if [ $? = 1 ]; then
                # Agent running, but no key loaded
                ssh-add
            fi
        fi
        command ssh "$@"
        rc=$?
        unset -f ssh       # one-shot: later ssh calls go straight to the binary
        return $rc         # hand back ssh's status, not unset's
    }

Looks good at first glance, right? But consider two xterms started
without a parent agent, so that they have no SSH_AUTH* variables, etc.
You start an "ssh" command in each one. Each one runs the pgrep, sees
there's no agent running under your name, and then runs ssh-agent -s to
set one up. Now you've got two agents, and two shells with different
environment variables pointing to the different agents. Not to mention
two ssh-add passphrase prompts, which is the thing you were trying to
avoid all along.

I wouldn't recommend anything other than putting eval $(ssh-agent -s) or
its equivalent into your primary login session file (.xinitrc or .xsession
or .profile or .login or whatever makes sense for your login). You can
then either do an ssh-add at that time (which is what I do, personally),
or you could write an override function like this (again, bash syntax):

    ssh() {
        # exit status 1 = agent reachable but no identities (2 would mean no agent at all)
        ssh-add -L >/dev/null 2>&1
        [ $? = 1 ] && ssh-add
        command ssh "$@"
        rc=$?
        unset -f ssh       # one-shot: later ssh calls go straight to the binary
        return $rc         # hand back ssh's status, not unset's
    }

Since this doesn't involve checking for an agent, you avoid the
multiple-agent race condition I pointed out earlier. There's still
a race condition when you check whether the key is already loaded,
but the worst you can do here is get an extra passphrase prompt,
which is relatively harmless.
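
The following is an added example, not code posted by Greg, Hari or anyone else in the thread. It combines Hari's "unified agent" idea with Greg's recommendation: one agent per login session, its variables published in a file so every shell (including xterms started before the agent existed) can reach it, and a wrapper that loads the key only when a connection actually needs it, driven by the ssh-add exit status rather than by parsing ps output. It goes one step beyond Greg's code by using an atomic mkdir as a lock, which closes the two-shells-start-two-agents race he describes. It assumes OpenSSH's ssh-agent(1) and ssh-add(1); the file names AGENT_ENV and AGENT_LOCK and the helper names agent_action and ensure_agent are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes OpenSSH ssh-agent(1)/ssh-add(1).
# AGENT_ENV and AGENT_LOCK are this example's own file names (assumptions).
AGENT_ENV="${HOME}/.ssh/agent.env"    # variables of the one session-wide agent
AGENT_LOCK="${HOME}/.ssh/agent.lock"  # mkdir is atomic, so only one shell can create it

# Map an ssh-add(1) exit status to the next step. OpenSSH's ssh-add returns
#   0  agent reachable and holding at least one identity
#   1  agent reachable but empty ("The agent has no identities.")
#   2  no agent reachable through SSH_AUTH_SOCK
# Kept free of side effects so it can be tested without an agent running.
agent_action() {
    case "$1" in
        0) echo ready ;;
        1) echo add-key ;;
        2) echo start-agent ;;
        *) echo error ;;
    esac
}

# Point SSH_AUTH_SOCK at one live agent shared by every shell of the session.
# Every shell sources the same file, so shells opened before the agent existed
# still find it. Call it from .profile/.xsession and from the wrapper below.
ensure_agent() {
    [ -r "$AGENT_ENV" ] && . "$AGENT_ENV" >/dev/null
    ssh-add -l >/dev/null 2>&1
    [ "$(agent_action $?)" = start-agent ] || return 0   # agent alive: nothing to do
    if mkdir "$AGENT_LOCK" 2>/dev/null; then
        # We won the lock: start the agent and publish its variables (mode 0600)
        (umask 077; ssh-agent -s > "$AGENT_ENV")
        rmdir "$AGENT_LOCK"
    else
        # Another shell is starting it right now; wait for it (bounded) and reuse it
        tries=0
        while [ -d "$AGENT_LOCK" ] && [ "$tries" -lt 10 ]; do
            sleep 1
            tries=$((tries + 1))
        done
    fi
    [ -r "$AGENT_ENV" ] && . "$AGENT_ENV" >/dev/null
}

# Load the key only when a connection actually needs it: at most one passphrase
# prompt per agent lifetime. ssh is the last command, so the function's exit
# status is ssh's own and "ssh host cmd && ..." keeps working.
ssh() {
    ensure_agent
    ssh-add -l >/dev/null 2>&1
    [ "$(agent_action $?)" = add-key ] && ssh-add   # loads IdentityFile/default keys
    command ssh "$@"
}
```

Source this file from each shell's rc file and call ensure_agent once from the login file. Note the limit Greg's wrapper shares: a shell function only catches ssh typed in that shell. Programs that exec ssh themselves (svn+ssh, a GUI client) bypass it, so for them the key must already be loaded, either by an ssh-add at login or by ssh itself adding it.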
Re: Can ssh add keys to ssh-agent?
Greg Wooledge wrote:
> Now you've got two agents, and two shells with different
> environment variables pointing to the different agents. Not to mention
> two ssh-add passphrase prompts, which is the thing you were trying to
> avoid all along.
>
<snip>
> There's still
> a race condition when you check whether the key is already loaded,
> but the worst you can do here is get an extra passphrase prompt,
> which is relatively harmless.
>
Either way, not the end of the world. Even if somehow you ended up with
2 ssh-agents running, it would be no big deal at all since it wouldn't
stop anything from working that I can think of. I have been using
similar techniques + more for a long time without ever having any
problem, never a single (second/re)-prompt or second agent, not to
mention the fact that I don't ever have to type ssh-add, it works
transparently between my xterm, ssh sessions, console etc...

-h

--
Hari Sekhon
Always open to interesting opportunities
http://www.linkedin.com/in/harisekhon