On 11/27/18 2:05 PM, Ionel Mugurel Ciobîcă wrote:
> On 27-11-2018, at 13h 33'55", Ionel Mugurel Ciobîcă wrote about "issues with
> stretch, part 1 of many"
>>
>>
>> Dear all,
>> [...]
>>
>> The first question I want to ask relates to ssh, ssh-ask and
>> ssh-agent. When I ssh to another computer I am asked "Allow use of key
>> id_rsa? Key fingerprint ..." If I uninstall all ssh-ask programs I
>> simply can't use the ssh-agent anymore and I am prompted for password.
>> I try ssh-ask, ssh-ask-fullscreen, ssh-ask-gnome and the similar from
>> kde. I check the /etc/ssh/ssh_config and /etc/ssh/sshd_config for
>> anything that may relate to this. The only things coming close are:
>> UsePAM yes
>> ChallengeResponseAuthentication no
>>
>> Is there something I overlook?
>>
>> To be clear, I do not want to be asked if I allow the use of a key, I
>> just want this to be assumed yes, as it was the case in the past.
>>
>> So, I run Linux 4.9.0-8-amd64, Debian 9u6. ssh is openssh_7.4p1,
>> openssl 1.0.2l. ssh-agent is started in $HOME/.xsessionrc as:
>> eval `ssh-agent -s`
>>
Good Day Ionel,

According to my experience, when ssh-agent is started, it is ready to
store the passphrase and decipher the private key. However, it doesn't
do this automatically when I type my passphrase at a connection attempt.
Before issuing any SSH connection, I run ssh-add and type my passphrase.
Afterwards, I can connect to any machine accepting my key. I'm not
exactly sure this is the right way to do it in terms of security, but it
does the job in terms of convenience. :^)

Concerning ssh-ask programs, they are merely useful in situations where
the SSH client has no access to the terminal.

> A hint of the followup questions already is given by the ssh-agent the
> first time when the passphrase is introduced, by announcing: "Enter
> passphrase for id_rsa (will confirm each use):".
>
> I do not want to confirm each usage. My .xsession(rc) contains many
> calls of "xterm -e ssh ..." using -geometry to position the xterms,
> and all of those "allow use of key..." questions agglomerate in the
> same place, one on top of each other. I do not understand conceptually
> why this would be desired (to be asked again and again). The point of
> ssh-agent was to make it simpler, not more complicated. If I want to
> be asked, I will not use the agent, so I can input password when
> connecting...

You should probably run your connections in a side script instead of
your session startup script. This way, you have a chance to run ssh-add
before issuing connections, but after starting the SSH agent.

Have a look at ssh-add(1) and ssh-agent(1) manual pages, there may be a
few things you might be interested in.

> Kind regards,

Kind regards to you too,
-- 
Étienne Mollier <etienne.moll...@mailoo.org>
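The "side script" Étienne suggests, written out as an added example that is not part of either mail: it starts an agent only if none is reachable, loads the key once where a terminal is available for the passphrase, and only then opens the xterms. The "(will confirm each use)" wording in Ionel's prompt is what ssh-add prints when invoked with its `-c` option, which makes the agent ask an ssh-askpass program for consent before every signature; loading the key without `-c` is what gives the silent behaviour he wants, at the cost of that per-use check. The key path, host names and geometries below are placeholders, and `CONFIRM_EACH_USE` is a variable invented for this script.

```shell
#!/bin/sh
# Added example for this thread, not Étienne's or Ionel's own script.
# Assumptions (not from the thread): the key lives at $HOME/.ssh/id_rsa,
# and the host names and xterm geometries below are placeholders.

# agent_state: classify what `ssh-add -l` reports without aborting under
# `set -e`. Exit codes: 0 = identities listed, 1 = agent reachable but
# empty, anything else (2, or 127 if ssh-add is absent) = no usable agent.
agent_state() {
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo none ;;
    esac
}

# key_listed LISTING FINGERPRINT: true if FINGERPRINT (as printed by
# `ssh-keygen -lf`, e.g. "SHA256:...") occurs in a `ssh-add -l` LISTING.
key_listed() {
    printf '%s\n' "$1" | grep -F -q -- "$2"
}

# add_flags CONFIRM: the flag that decides whether the agent consults an
# ssh-askpass program before every signature. "yes" gives `ssh-add -c`,
# which produces the "(will confirm each use)" prompt from the thread;
# "no" loads the key so every later ssh uses it silently.
add_flags() {
    case "$1" in
        yes) echo "-c" ;;
        *)   echo "" ;;
    esac
}

start_session() {
    key="$HOME/.ssh/id_rsa"           # assumption: the key to preload
    confirm="${CONFIRM_EACH_USE:-no}" # set to yes to keep per-use consent

    # 1. Start an agent only if none is reachable through SSH_AUTH_SOCK.
    if [ "$(agent_state)" = none ]; then
        eval "$(ssh-agent -s)" >/dev/null
    fi

    # 2. Load the key once, here, where a terminal is available for the
    #    passphrase prompt; the xterms opened later never need ssh-askpass.
    fp=$(ssh-keygen -lf "$key" | awk '{print $2}')
    if ! key_listed "$(ssh-add -l 2>/dev/null)" "$fp"; then
        # shellcheck disable=SC2046   # the flag is intentionally word-split
        ssh-add $(add_flags "$confirm") "$key"
    fi

    # 3. Only now open the terminals that rely on the loaded key.
    xterm -geometry 80x24+0+0   -e ssh host1.example &
    xterm -geometry 80x24+600+0 -e ssh host2.example &
}

# Run the session only when invoked as `sh this-script.sh run`, so the
# helper functions can be sourced or tested without side effects.
if [ "${1:-}" = run ]; then
    start_session
fi
```

Call it from `.xsessionrc` as `sh /path/to/this-script.sh run` after the `eval` line, or let it start the agent itself; either way the fingerprint check keeps a second invocation from prompting for the passphrase again when the key is already loaded.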