On 2020-04-06, Paul de Weerd <[email protected]> wrote:
> Hi all,
>
> After a discussion at work, I started looking at enabling confirmation
> before authentication through ssh-agent by default. When logging in
> through xdm, the default Xsession runs `ssh-add < /dev/null` (see line
> 36 in /etc/X11/xdm/Xsession). My keys are loaded and I can log in to
> remote hosts. On some machines, I skip loading the keys or unload
> them after logging in and then load or re-add them using ssh-add -c,
> so I am asked for confirmation every time the agent is used.

ITYM /etc/X11/xenodm/Xsession :-)

> However, I would like this to be the default on my machines. Is there
> an easy way to achieve this without carrying a local diff? I checked
> the ssh-keygen manpage to see if there are any key-options that force
> this, but couldn't find anything (the options are generally to limit
> what happens on the remote end). ssh-add allows for it (obviously),
> but then you need a change to the command line, and that's in a system
> file: I don't want to propose that as a diff, as I don't think this
> makes sense in all cases (I have other machines where I wouldn't want
> this to happen by default).
>
> How are others doing this?
>
> Thanks,
>
> Paul
>

I had a similar problem (I wanted some extra keys added by default).
Xsession is in the xetc set, so it can be modified without being
overwritten in a standard upgrade; you just need to sysmerge it
sometimes.

I have a different related problem as well: I would like to add *some*
keys with -c and others without (i.e. confirm for connecting to more
important hosts), but don't really want to have to run ssh-add twice
(i.e. ask for the passphrase twice).

