On Tue, 8 Jul 2003, Jamie Wilkinson wrote:

> Hey slugs,
>
> 2 parts to this:
>
> Does anyone know of a way to have a single ssh-agent running on a machine
> per user, so that when they log in on the console, or via {k,g,x}dm, or ssh,
> only one ssh-agent is running?

if you run ssh-agent without giving it a child command to run, then it
outputs a bunch of stuff you can run in a shell command:

SSH_AUTH_SOCK=/tmp/ssh-8e1dxwe3/agent.24927; export SSH_AUTH_SOCK;
SSH_AGENT_PID=24928; export SSH_AGENT_PID;
echo Agent pid 24928;

You could pipe that to a file in the user's home directory which you will
run as part of your login procedure, whether that be through a .xsession,
a .profile, or whatever.

You will need to be able to identify whether the agent is actually
running or not, and start it if necessary.  I'm guessing that
$SSH_AUTH_SOCK disappears when the agent dies.

You also need to think about when the agent should die, and make that
happen.

As always, be aware that anyone who can connect to the agent socket can
authenticate using whatever keys the agent has.  You've got to trust the
root user.  I bring this up because if you're logging in via ssh, then
it's worth thinking whether you should be logging in to somewhere else
from there rather than connecting directly.  Personally I don't like to
put extra machines in the middle of the connection.

> Does anyone know how to have ssh keys loaded into ssh-agent without having
> ssh-add ask for a passphrase, until that key is used?  So I can have all the
> keys I use loaded at ssh-agent start, but I get prompted for a passphrase on
> the key only when ssh tries to use that key?  Or perhaps a way for the key
> to get added to ssh-agent when ssh needs it?

That would be seriously insecure.

Andrew

--

No added Sugar.  Not tested on animals.  May contain traces of Nuts.  If
irritation occurs, discontinue use.

-------------------------------------------------------------------
Andrew McNaughton           In Sydney
                            Working on a Product Recommender System
[EMAIL PROTECTED]
Mobile: +61 422 753 792     http://staff.scoop.co.nz/andrew/cv.doc
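The "start one agent per user and reuse it from every login" procedure above, written out as an added example (not Andrew's code). It assumes the env file is kept under $HOME/.ssh with mode 0600 rather than in /tmp, that `ssh-agent -s` is used to force Bourne-style output, and it treats the agent as dead when either its PID or its socket is gone, so a stale file never gets trusted:

```shell
#!/bin/sh
# One ssh-agent per user, shared by console, {k,g,x}dm and ssh logins.
# Assumption: the env file lives in $HOME/.ssh and is written with umask 077,
# since anyone who can read it and reach the socket can use every loaded key.
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# Pull SSH_AUTH_SOCK and SSH_AGENT_PID out of a saved ssh-agent env file.
# Prints "<socket> <pid>" so callers can check them without eval'ing the file.
agent_env_parse() {
    [ -r "$1" ] || return 1
    _sock=$(sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p' "$1")
    _pid=$(sed -n 's/^SSH_AGENT_PID=\([^;]*\);.*/\1/p' "$1")
    [ -n "$_sock" ] && [ -n "$_pid" ] || return 1
    printf '%s %s\n' "$_sock" "$_pid"
}

# Is the agent recorded in the env file still alive?  Both the process and
# its socket must exist; the socket directory vanishes when the agent exits.
agent_env_live() {
    _out=$(agent_env_parse "$1") || return 1
    set -- $_out
    [ -S "$1" ] && kill -0 "$2" 2>/dev/null
}

# Start a fresh agent only when the recorded one is dead, then import its
# variables into the calling shell.  Source this from .profile/.xsession.
agent_start_once() {
    if ! agent_env_live "$AGENT_ENV"; then
        umask 077
        mkdir -p "$(dirname "$AGENT_ENV")"
        # -s forces sh-style output; drop the "echo Agent pid" line.
        ssh-agent -s | grep -v '^echo' > "$AGENT_ENV"
    fi
    . "$AGENT_ENV"
}

# To make the agent die with the last session, run
#   kill "$SSH_AGENT_PID"; rm -f "$AGENT_ENV"
# from the logout hook of whichever login path you treat as final.
```

Call `agent_start_once` from each login script; the stale-file check means a reboot or a killed agent is detected and a new one started instead of exporting a dead socket.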



-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
