Re: [gentoo-user] ssh-agent & RSA

[Hilco Wijbenga]

2009/5/12 Philipp Riegger :
> On Sun, 2009-05-10 at 22:18 -0700, Hilco Wijbenga wrote:
> I would recommend you to try
>
> [I] net-misc/keychain
>     Available versions:  2.6.6 2.6.8
>     Installed versions:  2.6.8(19:38:13 04/17/09)
>     Homepage:            http://www.gentoo.org/proj/en/keychain/
>     Description:         ssh-agent manager

I will have a look at that tonight. If that also fails, I guess I'll
try reinstalling everything related to SSH.

Re: [gentoo-user] ssh-agent & RSA

[Hilco Wijbenga]

2009/5/12 Etaoin Shrdlu :
> On Tuesday 12 May 2009, 11:17, Etaoin Shrdlu wrote:
>
>> > Does ssh-agent really ask you for a passphrase when starting a
>> > shell?
>>
>> Not if you don't invoke it :)
>
> Sorry, that is a bit unclear. Ssh-agent will never ask for a password.
> It's ssh-add that does (if you run it after the agent), assuming the key
> you're adding is password-protected.

Ssh-agent most certainly asks for a passphrase (although it may be
ssh-add that does the actual asking). As soon as I get to my first
login screen (I don't start from a GUI login), and I have logged in,
ssh-agent (or ssh-add, whatever) asks me for a passphrase for the DSA
key it finds. But it consistently ignores the RSA key.

Really, everything is (or at least seems to be) working wonderfully
*for DSA*. As you also indicated, it *should* work for both DSA and
RSA ... except that on my box it doesn't. :-(

Re: [gentoo-user] ssh-agent & RSA

[Philipp Riegger]

On Sun, 2009-05-10 at 22:18 -0700, Hilco Wijbenga wrote:
> Hi all,
[...]

I would recommend you to try

[I] net-misc/keychain
 Available versions:  2.6.6 2.6.8
 Installed versions:  2.6.8(19:38:13 04/17/09)
 Homepage:http://www.gentoo.org/proj/en/keychain/
 Description: ssh-agent manager


Philipp

Re: [gentoo-user] ssh-agent & RSA

[Etaoin Shrdlu]

On Tuesday 12 May 2009, 11:17, Etaoin Shrdlu wrote:

> > Does ssh-agent really ask you for a passphrase when starting a
> > shell?
>
> Not if you don't invoke it :)

Sorry, that is a bit unclear. Ssh-agent will never ask for a password. 
It's ssh-add that does (if you run it after the agent), assuming the key 
you're adding is password-protected.

Re: [gentoo-user] ssh-agent & RSA

[Etaoin Shrdlu]

On Tuesday 12 May 2009, 06:35, Hilco Wijbenga wrote:

> This works for me too but afterwards the key is completely ignored.
> What happens if you do this and then restart the shell? Or better yet,
> what happens if you logout completely and then log back in? For me,
> the RSA key is completely ignored.

The way ssh-agent is designed is to NOT survive after the shell it was 
started from is closed. That's why you should invoke it during your very 
first login shell, so that the variables it sets are exported to all 
child programs and subshells. If you do graphical login, I believe 
there's an equivalent tool that lets you run the agent from the parent 
environment.

One way of doing that is to put its invocation in .bashrc, but then it 
will run a new copy each time a new login shell is started. So tools 
like keychain have been developed which run ssh-agent, ask for the 
password, and on subsequent invocations check if the agent is already 
running, and if so they don't ask for the password again.
There's a nice article on keychain here:

http://www.gentoo.org/proj/en/keychain/

> Does ssh-agent really ask you for a passphrase when starting a shell?

Not if you don't invoke it :)

> Or at least list the RSA key? For me it's only the DSA key that is
> listed by ssh-agent (when it starts) and it's only for the DSA key
> that ssh-agent asks for a passphrase. Note, that ssh-add -L still
> lists the RSA key too!

As far as I know, as soon as ssh-agent is started, it has no keys. It's 
your job (or keychain's) to add keys to ssh-agent's cache. But I'm not 
sure I understand what you're getting.

Re: [gentoo-user] ssh-agent & RSA

[Hilco Wijbenga]

2009/5/11 Etaoin Shrdlu :
> On Monday 11 May 2009, 07:18, Hilco Wijbenga wrote:
>
>> 2. ssh-add -D ; ssh-add ~/.ssh/id_rsa
>
> 3. mv ~/.ssh/id_rsa ~/.ssh/id_dsa

No, I had not tried that. :-) Exactly like that it doesn't work but if
I do a copy instead of a move then, yes, it works.

Ssh-agent finds the DSA key (still completely ignores the RSA key) in
both cases but SSH can't use it unless the RSA key is there so copying
"works". Somehow SSH is able to reuse the passphrase I typed for the
DSA key when the RSA key is used. Very strange.

> Seriously, did you try running ssh-add without arguments? Acrroding to
> the man, "When run without arguments, it adds the files ~/.ssh/id_rsa,
> ~/.ssh/id_dsa and ~/.ssh/identity".

:-) Yes, *that* I had tried ... many times. I had read the same which
lead me to believe this should work.

> It wors for me with an RSA key, anyway:
>
> $ ls .ssh/
> id_rsa       id_rsa.pub  known_hosts
> $ eval $(ssh-agent)
> Agent pid 22390
> $ ssh-add .ssh/id_rsa
> Identity added: .ssh/id_rsa (.ssh/id_rsa)

This works for me too but afterwards the key is completely ignored.
What happens if you do this and then restart the shell? Or better yet,
what happens if you logout completely and then log back in? For me,
the RSA key is completely ignored.

Does ssh-agent really ask you for a passphrase when starting a shell?
Or at least list the RSA key? For me it's only the DSA key that is
listed by ssh-agent (when it starts) and it's only for the DSA key
that ssh-agent asks for a passphrase. Note, that ssh-add -L still
lists the RSA key too!

> Did you try generating a new RSA key (just to see if it can be added)?

Yep, and no it doesn't make any difference. I even tried the default
bit length instead of -b 1536 that I normally use.

Re: [gentoo-user] ssh-agent & RSA

[Etaoin Shrdlu]

On Monday 11 May 2009, 07:18, Hilco Wijbenga wrote:

> 2. ssh-add -D ; ssh-add ~/.ssh/id_rsa

3. mv ~/.ssh/id_rsa ~/.ssh/id_dsa

:)

Seriously, did you try running ssh-add without arguments? Acrroding to 
the man, "When run without arguments, it adds the files ~/.ssh/id_rsa, 
~/.ssh/id_dsa and ~/.ssh/identity".

It wors for me with an RSA key, anyway:

$ ls .ssh/
id_rsa   id_rsa.pub  known_hosts
$ eval $(ssh-agent)
Agent pid 22390
$ ssh-add .ssh/id_rsa
Identity added: .ssh/id_rsa (.ssh/id_rsa)

Did you try generating a new RSA key (just to see if it can be added)?

[gentoo-user] ssh-agent & RSA

[Hilco Wijbenga]

Hi all,

I'm running ssh-agent so I only have to type my passphrase once. At
least that was the plan. I'm trying to use an RSA key instead of DSA.
This does not seem to please ssh-agent. It seems to just look for
id_dsa and ignore the id_rsa.

(a) If I create a DSA key then it finds that and ignores the RSA key;
(b) if I delete the DSA key so that there is only an RSA key then
ssh-agent warns about the missing id_dsa and gives up;
(c) if I give the DSA an empty passphrase then ssh-agent is happy but
still ignores the RSA key.

I can't find anything in man ssh-add or man ssh-agent about this
behaviour. The man files says it looks for both files but so far I beg
to differ. :-) There don't seem to be any config files for ssh-agent?

Other things I've tried:

1. State "explicitely" in ssh-config to only use RSA:

Host *
IdentitiesOnly yes
IdentityFile ~/.ssh/id_rsa
Protocol 2

Ssh-agent is not impressed. (Not too surprising as this file applies
to ssh, not ssh-agent, but it was worth a try.)

2. ssh-add -D ; ssh-add ~/.ssh/id_rsa

This is completely ignored. Ssh-agent simply behaves as in a, b, and c
(and, for a and c, puts the DSA key right back in the list).

I'm out of ideas. :-( Could anyone offer a suggestion? Does anyone
have ssh-agent working with an RSA key?

Please note that using a DSA key works. In that case ssh-agent finds
the key, asks for a passphrase and from then on I can use the key
without typing the passphrase. So I believe that I have set things up
correctly. Also note that I can use the RSA key, it's just that I have
to type the passphrase every time.

Cheers,
Hilco

Re: [gentoo-user] ssh-agent

[Mick]

On Monday 12 February 2007 23:26, Justin Patrin wrote:
> On 11/21/06, Jorge Almeida <[EMAIL PROTECTED]> wrote:
> > On Tue, 21 Nov 2006, Mick wrote:
> > >>> They are only stored in locked memory; they are never on disk
> > >>> unencrypted. Anyone that can read locked memory can access them, but
> > >>> this is very few users/processes on Linux -- and besides those same
> > >>> users will be able to read the key as you authenticate even if you
> > >>> don't use ssh-agent, as long as they time things right.
> > >>
> > >> OK, this sounds better! I posted to the gnupg-users, asking a similar
> > >> question about gpg-agent. I guess gpg-agent works the same way.
> > >
> > > Please post back your findings!
> >
> > Well, no responses yet in the gnupg-users list, so there are no findings
> > to post!  (Let's wait at least a few hours :))
> >
> > > What happens to the /tmp/ directory & socket file after the user logs
> > > out? Does it get deleted by the ssh-agent shutdown script?
> >
> > I didn't start using ssh-agent yet, but I tested it from the command
> > line and the directory was removed when I killed the ssh-agent process.
> >
> > > I am asking this because I seem to continuously accumulate a load of
> > > gpg-agent directories and socket files into my /tmp.  Unless of course
> > > gpg-agent works
> >
> > I suppose that has to do with the agent(s) working as daemons? I don't
> > like that kind of setup. This is what I intend to (try to) do:
> >
> > - One fixed socket, in some dedicated directory (no /tmp, no random name
> >for the socket)
> > - The socket name as a fixed env variable, set in the shell config files
> > - Hence, no need to eval, etc
> > - No daemon (i.e. no backgrounding). Just a service supervised by
> >daemontools. Logs go to a directory of my choosing and if the agent
> >dies, it is ressurrected, and the socket (with the same name) is
> >recreated (of course, keys must be added, then)
> > - A perl script to interact with the service, just in case.
> >
> > I think this is not difficult to do, unless I grossly misunderstood
> > something essential. (Comments, anyone?) I just don't see the need to
> > run the agent as subordinate of an X session or whatever (please someone
> > correct me if I'm wrong!) And if I don't want the service running when
> > I'm not logged in, I could bring it down with the perl script (in
> > ~/.bash_logout, maybe?)
> > For gpg-agent, I'm not so sure, but I hope it can be done too.
> >
> > > on a different principle all together.  My start up & shutdown scripts
> > > are in /etc/X11/Sessions/fluxbox.  Are they correct for this task?
> > > 
> > > eval "$(gpg-agent --daemon)"
> > > /usr/bin/startfluxbox
> > > kill `echo ${GPG_AGENT_INFO} | cut -d ':' -f 2`
> > > 
> > >
> > > Or should I have another line to 'rm -Rf /tmp/gpg-*'
>
> ssh-agent /bin/sh
>
> When you exit the shell, ssh-agent exits too (after cleaning up).
> Running the agent as a daemon means you have to tell it when to shut
> down as well (how would it know when to stop?).

Thanks Justin, the ssh-agent may clean up after its own lock-files, but the 
gpg-agent doesn't.  At least not when using my script above.  My /tmp is full 
of gpg- lock-files, which in the absence of a better solution I manually 
delete every now and then.
-- 
Regards,
Mick


pgpI61qjQWcCo.pgp
Description: PGP signature

Re: [gentoo-user] ssh-agent

[Justin Patrin]

On 11/21/06, Jorge Almeida <[EMAIL PROTECTED]> wrote:

On Tue, 21 Nov 2006, Mick wrote:
>>> They are only stored in locked memory; they are never on disk
>>> unencrypted. Anyone that can read locked memory can access them, but this
>>> is very few users/processes on Linux -- and besides those same users will
>>> be able to read the key as you authenticate even if you don't use
>>> ssh-agent, as long as they time things right.
>>
>> OK, this sounds better! I posted to the gnupg-users, asking a similar
>> question about gpg-agent. I guess gpg-agent works the same way.
>
> Please post back your findings!
>
Well, no responses yet in the gnupg-users list, so there are no findings
to post!  (Let's wait at least a few hours :))

> What happens to the /tmp/ directory & socket file after the user logs out?
> Does it get deleted by the ssh-agent shutdown script?
>
I didn't start using ssh-agent yet, but I tested it from the command
line and the directory was removed when I killed the ssh-agent process.
> I am asking this because I seem to continuously accumulate a load of gpg-agent
> directories and socket files into my /tmp.  Unless of course gpg-agent works
I suppose that has to do with the agent(s) working as daemons? I don't
like that kind of setup. This is what I intend to (try to) do:

- One fixed socket, in some dedicated directory (no /tmp, no random name
   for the socket)
- The socket name as a fixed env variable, set in the shell config files
- Hence, no need to eval, etc
- No daemon (i.e. no backgrounding). Just a service supervised by
   daemontools. Logs go to a directory of my choosing and if the agent
   dies, it is ressurrected, and the socket (with the same name) is
   recreated (of course, keys must be added, then)
- A perl script to interact with the service, just in case.

I think this is not difficult to do, unless I grossly misunderstood
something essential. (Comments, anyone?) I just don't see the need to
run the agent as subordinate of an X session or whatever (please someone
correct me if I'm wrong!) And if I don't want the service running when
I'm not logged in, I could bring it down with the perl script (in
~/.bash_logout, maybe?)
For gpg-agent, I'm not so sure, but I hope it can be done too.

> on a different principle all together.  My start up & shutdown scripts are
> in /etc/X11/Sessions/fluxbox.  Are they correct for this task?
> 
> eval "$(gpg-agent --daemon)"
> /usr/bin/startfluxbox
> kill `echo ${GPG_AGENT_INFO} | cut -d ':' -f 2`
> 
>
> Or should I have another line to 'rm -Rf /tmp/gpg-*'
>



ssh-agent /bin/sh

When you exit the shell, ssh-agent exits too (after cleaning up).
Running the agent as a daemon means you have to tell it when to shut
down as well (how would it know when to stop?).

--
Justin Patrin
--
gentoo-user@gentoo.org mailing list