Re: Deferring passphrase entry with ssh-add



Hari Sekhon wrote:
I also use this a lot and would be interested in a solution to this.

To my knowledge it requires the password when invoked initially to decrypt the private key.

There seems to be every option except that one you've asked for. Alternatives could be to lock and unlock your agent to prevent unattended logins, but this is nearly as much hassle as not using the agent at all and manually entering the password to decrypt the private on every use...

Or to require a lifetime on the key loaded, but again, not 100% convenient.

If anyone knows an answer to this, I'd also like to change my agent behaviour to this... I suspect that the software does not support such a feature at this time...

As a workaround, you could function off all ssh calls to invoke the agent, check if it has your key and if not, then source it, asking you for the password one time, and then retaining it and using it for every future connection. Now I think about this, it's very easy to do in Bash....

-h

Hari Sekhon
I've created a Bash solution for now,

alias ssh="ssh-add -l >/dev/null; if [ \$? = 1 ]; then ssh-add; fi; ssh"

hardly elegant, but it does the job. I'm not aware of any technical reason why ssh-add couldn't defer requesting a password until it's required. If you use ssh without an agent, it only prompts for the passphrase once it's established that it can use the key to authenticate itself. Looking at the relevant RFC this is by design, so that the client only incurs the overheads of authenticating with a key if it knows it can use it. Perhaps the limitation is in the way that ssh communicates with the agent.

Chris
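The workaround both posters describe (check whether the agent already holds a key, prompt once if not, then run ssh) written out as a shell function rather than an alias. This is an added example, not code from either poster; it assumes an ssh-agent is already running in the session, and the SSH_KEY_LIFETIME variable and the function names are my own. It also bounds how long the decrypted key sits in the agent with `ssh-add -t`, which is the lifetime option mentioned earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): load the key into the running
# ssh-agent only when the agent reports it holds no identities, so the
# passphrase is requested once per agent lifetime instead of per connection.

# Map the exit status of `ssh-add -l` to a readable state.
# ssh-add -l exits 0 when identities are loaded, 1 when the agent holds
# none, and 2 when no agent can be contacted. Prints: loaded | empty | no-agent
classify_agent_status() {
    case "$1" in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo no-agent ;;
    esac
}

# Ask the real agent and classify its answer.
agent_state() {
    ssh-add -l >/dev/null 2>&1
    classify_agent_status "$?"
}

# Wrapper around ssh: load the key (prompting once) only when the agent is
# empty, refuse to continue when there is no agent at all, then run ssh.
# SSH_KEY_LIFETIME (seconds) is an assumed, optional variable; 3600 is a
# constructed default.
ssh_with_agent() {
    case "$(agent_state)" in
        loaded) ;;
        empty)
            # -t limits how long the decrypted key stays resident in the agent
            ssh-add -t "${SSH_KEY_LIFETIME:-3600}" || return $? ;;
        no-agent)
            echo "ssh_with_agent: no ssh-agent reachable (is SSH_AUTH_SOCK set?)" >&2
            return 2 ;;
    esac
    command ssh "$@"
}
```

Source this from your shell startup file and call `ssh_with_agent host` (or alias `ssh` to it). Unlike the alias above, it distinguishes "agent empty" from "no agent running", so a misconfigured session fails with a message instead of prompting for the passphrase on every call; scp and sftp would need the same wrapper since they talk to the agent independently.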