Re: Defering passphrase entry with ssh-add
- From: Hari Sekhon <hpsekhon@xxxxxxxxxxxxxx>
- Date: Wed, 21 Nov 2007 10:14:03 +0000
> Perhaps there's a limitation in the way that ssh communicates with the agent.

I suspect this is true: it checks for valid credentials in the agent but continues with the other preferred authentication mechanisms if none are found (i.e. the password prompt). I suspect it is not in the habit of calling the agent to add keys, only of checking whether it currently has keys. There are several drawbacks to ssh adding all the keys it found every time you tried an ssh session:
1. You could have unprotected keys being cached, a potential security threat: if someone else has root access to that machine, they now have access to all your other machines too (and your own machines outside your company, if you use the same key), or you'd be prompted he Perhaps ssh itself needs to be adjusted to do this,
2. You could be prompted for a key passphrase, enter it, and the key may not be valid for that remote machine, so you'd get 2 password prompts for 1 connection, which is wasteful and annoying.
3. You could dismiss the passphrase prompt, causing the key loading to fail, and therefore be bothered by this thing retrying every single time you open an ssh connection, which for some of us is countless times a day...
The only way to prevent these conditions would be to be able to decide whether ssh tries to load keys or not, and this would require a switch of some kind, but I don't remember seeing such a switch anywhere.
So for now, I think the bash solution is the best one, until the ssh guys write this feature in, if it is not already in the package somewhere...
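A shell wrapper in the spirit of the "bash solution" the reply refers to, added here as an example rather than the script from this thread. It assumes one key file is passed as the first argument, that `ssh-add -l`, `ssh-keygen -lf` (with a `.pub` sidecar) and `ssh-keygen -y -P ''` behave as in current OpenSSH, and a marker file path of its own choosing; it addresses the three drawbacks by refusing to cache a passphrase-less key, adding a key only when the agent does not already hold it, and remembering a declined prompt so it does not nag again.

```shell
#!/bin/sh
# Added example (not from the thread): load one key into ssh-agent on demand,
# then run ssh. Key path is the first argument; the rest go to ssh.

# Exit 0 if fingerprint $2 appears as the second field of an `ssh-add -l`
# listing passed in $1 (lines look like "256 SHA256:... comment (ED25519)").
agent_has_key() {
    printf '%s\n' "$1" | awk -v fp="$2" '$2 == fp { found = 1 } END { exit !found }'
}

# Exit 0 if private key $1 opens with an empty passphrase, i.e. it is
# unprotected and must not be cached in the agent (drawback 1).
key_is_unprotected() {
    ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1
}

# Load key $1 unless the agent already holds it or the user declined earlier.
ensure_key_loaded() {
    key=$1
    declined="${TMPDIR:-/tmp}/ssh-add-declined.$(id -u)"   # assumed marker path
    if key_is_unprotected "$key"; then
        echo "refusing to cache passphrase-less key $key" >&2
        return 1
    fi
    # ssh-keygen -lf falls back to the .pub sidecar for an encrypted private key.
    fp=$(ssh-keygen -lf "$key" 2>/dev/null | awk '{ print $2 }')
    [ -n "$fp" ] || { echo "cannot fingerprint $key" >&2; return 1; }
    listing=$(ssh-add -l 2>/dev/null)                    # exit 2 means no agent
    [ $? -eq 2 ] && { echo "no ssh-agent reachable" >&2; return 1; }
    agent_has_key "$listing" "$fp" && return 0           # already cached: no prompt
    grep -qxF "$fp" "$declined" 2>/dev/null && return 1  # declined before (drawback 3)
    if ! ssh-add "$key"; then                            # one prompt, only when needed (drawback 2)
        echo "$fp" >>"$declined"
        return 1
    fi
}

# Usage: sshw ~/.ssh/id_ed25519 user@host [ssh options...]
sshw() {
    key=$1; shift
    ensure_key_loaded "$key" || echo "continuing without agent key" >&2
    ssh "$@"
}
```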