Re: asking passphrase only on first use

From: George Georgalis (george_at_galis.org)
Date: 03/08/04

  • Next message: Bob Rasmussen: "Re: HP-UX: ssh connections ignore CTRL+C interrupts"
    Date: Mon, 8 Mar 2004 14:14:44 -0500
    To: secureshell@securityfocus.com
    
    

    On Sun, Mar 07, 2004 at 05:27:50PM +0000, Mathieu Doidy wrote:
    >Hi,
    >
    >I am using ssh-agent and ssh-add as part of the authorization
    >process for remote login. I was wondering if it was
    >possible to have the prompt for the passphrase only when really
    >required and not when ssh-add is started.
    >
    >In the case where different keys are used (it seems to be a good
    >idea not to use the same key everywhere but I might be wrong),
    >for the moment, you have to enter the passphrase for all of them
    >even if you won't use them. In the case where ssh-add is started
    >in the .xinitrc/.xsession, it can be quite cumbersome to enter
    >5 passphrases in a row independently of the fact you will use
    >the associated keys or not during that session.

    I used to use .xinitrc/.xsession for ssh-agent/add but have since come up
    with these scripts which cover the case when I'm not logging in through
    X. I've not tried it with multiple keys, but suspect it will save you
    from entering each more than once for each shell environment, if that's
    the problem. (BTW I keep any "special keys" in a directory relevant to
    their function and specify them specifically on the ssh/ssh-add command
    line)

    These commands invoked from .bashrc will add an ssh-agent if appropriate
    (PS1 is set) and there is no instance already available. The particular
    agent is then killed from .bash_logout.

    There is a bug in that some ssh-agent instances aren't removed on logout
    (I see some in my ps tree when there shouldn't be), but that might be an
    artifact of old ssh-agent invocations in my .xinitrc/.xsession; I haven't
    worked it all out yet.

    # if this is a login shell (PS1 is set) and
    # if there is no $SSH_AGENT_PID and
    # there is an ssh id file then assign
    # SSH_AGENT_SHELL_PID[$$]=$SSH_AGENT_PID
    # so this and only this $SSH_AGENT_PID
    # can be killed from .bash_logout
    [ -n "$PS1" -a -z "$SSH_AGENT_PID" ] \
            && [ -f ~/.ssh/id_dsa -o -f ~/.ssh/id_rsa -o -f ~/.ssh/identity ] \
            && eval `ssh-agent` </dev/null \
            && ssh-add \
            && SSH_AGENT_SHELL_PID=([$$]=${SSH_AGENT_PID})
    # in .bash_logout use
    #kill ${SSH_AGENT_SHELL_PID[$$]} 2>/dev/null \
    # || echo ~/.bash_logout : Unknown ssh-agent, none killed.

    // George

    -- 
    George Georgalis, Architect and administrator, Linux services. IXOYE
    http://www.galis.org/george cell:646-331-2027 mailto:george@galis.org
    Key fingerprint = 5415 2738 61CF 6AE1 E9A7  9EF0 0186 503B 9831 1631
    
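Mathieu's question was about being prompted for a passphrase only when a key is actually used, and George's snippet starts one agent per login shell. The wrapper below is an added example, not George's code or anything from the list: it adds a key to the agent only if its fingerprint is not already listed, so each passphrase is entered at most once per agent lifetime and unused keys are never unlocked. It assumes an agent reachable via SSH_AUTH_SOCK and a `.pub` file beside each private key; the sample `ssh-add -l` listing is constructed.

```bash
#!/bin/bash
# Added example, not from the original post: load a key into the agent
# only the first time it is used, so each passphrase is asked for once
# per agent lifetime and never for keys the session does not use.

# Constructed sample of `ssh-add -l` output (fingerprints are made up).
SAMPLE_LISTING='3072 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA george@host (RSA)
256 SHA256:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB work-key (ED25519)'

# Exit 0 if fingerprint $1 appears in an `ssh-add -l` listing given as $2.
# Field 2 of each line is the fingerprint; an empty fingerprint never matches.
key_in_listing() {
    local fp="$1" listing="$2"
    [ -n "$fp" ] || return 1
    printf '%s\n' "$listing" | awk -v fp="$fp" '$2 == fp { found = 1 } END { exit !found }'
}

# Add key file $1 to the agent reachable via SSH_AUTH_SOCK unless it is
# already there. Further arguments are passed to ssh-add (e.g. -t 4h to
# give the key a lifetime). Assumes "$keyfile.pub" exists: ssh-keygen -lf
# on a private key path then reads the .pub, so no passphrase is needed
# for the check itself.
ssh_add_once() {
    local keyfile="$1" fp listing
    shift
    fp=$(ssh-keygen -lf "$keyfile" | awk '{ print $2 }')
    [ -n "$fp" ] || return 1                           # unreadable key file
    listing=$(ssh-add -l 2>/dev/null) || listing=""    # empty agent exits 1
    key_in_listing "$fp" "$listing" && return 0        # already unlocked
    ssh-add "$@" "$keyfile"                            # prompts only now
}

# Wrapper for interactive use: `sshl -i ~/.ssh/work/id_rsa host` loads
# that key on first use, then runs the real ssh with the same arguments.
# Only the separated form "-i file" is recognised here, not "-ifile".
sshl() {
    local arg prev=""
    for arg in "$@"; do
        [ "$prev" = "-i" ] && ssh_add_once "$arg" -t 4h
        prev="$arg"
    done
    command ssh "$@"
}
```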
