Re: Deferring passphrase entry with ssh-add

Perhaps the limitation is in the way that ssh communicates with the agent.

Chris
I suspect this is true; it checks for valid credentials in the agent but continues with other Preferred Authentication mechanisms if none are found (i.e. password prompt). I suspect it is not in the habit of calling the agent to add keys, only of checking whether it currently has keys. There are several drawbacks to ssh adding all the keys it found every time you tried an ssh session:

1. You could have unprotected keys being cached, a potential security threat, especially if someone else has root access to that machine, they now have access to all your other machines too (and your own machines outside your company if you use the same key) or you'd be prompted he Perhaps ssh itself needs to be adjusted to do this,

2. You could be prompted for a key passphrase, enter it, the key may not be valid for that remote machine and you'd get 2 password prompts for 1 connection, which is wasteful and annoying.

3. You could dismiss the passphrase prompt, causing the key loading to fail and therefore be bothered by this thing retrying every single time you open an ssh connection, which for some of us is countless times a day...

The only way to prevent these conditions would be to decide whether ssh tries to load key behaviours, and this would require a switch of some kind, but I don't remember seeing such a switch anywhere.

So for now, I think the bash solution is the best one. Until the ssh guys write this feature in, if it is not already in the package somewhere...

-h

Hari Sekhon
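As an added example (not the "bash solution" referred to in the thread, nor anything from the OpenSSH project), here is one way a shell wrapper can defer the passphrase prompt to the first connection while avoiding the three drawbacks listed above: it adds a key to the agent only if the agent does not already hold it (so you are prompted once, not on every connection), and it refuses to cache a key that has no passphrase (so an unprotected key never sits in an agent that a root user on the same host could reach). The two parsing helpers take their input as arguments, so they can be exercised without a running agent; the listing format assumed for `ssh-add -l` is "bits fingerprint comment (type)", and the fingerprint values in the comments are constructed. `ssh-keygen -y -P '' -f` is used to test whether a new-format OpenSSH key needs a passphrase.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Assumes OpenSSH's ssh-add and ssh-keygen are on PATH when the wrapper is used.

# agent_has_key LISTING FINGERPRINT
# LISTING is the text `ssh-add -l` printed: one "bits fingerprint comment (type)"
# line per loaded identity. Returns 0 if FINGERPRINT is the second field of any line.
agent_has_key() {
    printf '%s\n' "$1" | awk -v fp="$2" '$2 == fp { found = 1 } END { exit found ? 0 : 1 }'
}

# key_file_is_encrypted KEYFILE
# Returns 0 when the private key is passphrase-protected.
# Legacy PEM keys carry a "Proc-Type: 4,ENCRYPTED" header when encrypted; for the
# newer "OPENSSH PRIVATE KEY" format we ask ssh-keygen to derive the public key
# with an empty passphrase, which fails exactly when a passphrase is required.
key_file_is_encrypted() {
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$1" 2>/dev/null; then
        return 0
    fi
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1" 2>/dev/null; then
        # -P '' supplies an empty passphrase instead of prompting
        ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1 && return 1
        return 0
    fi
    return 1   # PEM key without an encryption header: stored in the clear
}

# ensure_key_loaded KEYFILE
# Adds KEYFILE to the running agent unless it is already present, and never
# caches an unprotected key. This is where the single, deferred passphrase
# prompt happens.
ensure_key_loaded() {
    keyfile=$1
    [ -r "$keyfile" ] || { echo "no such key: $keyfile" >&2; return 2; }
    if ! key_file_is_encrypted "$keyfile"; then
        echo "refusing to cache unprotected key $keyfile" >&2
        return 3
    fi
    fp=$(ssh-keygen -l -f "$keyfile" | awk '{ print $2 }') || return 2
    # `ssh-add -l` exits non-zero when the agent is empty or absent; treat as empty listing
    listing=$(ssh-add -l 2>/dev/null) || listing=""
    if agent_has_key "$listing" "$fp"; then
        return 0
    fi
    ssh-add "$keyfile"
}

# sshk HOST [SSH ARGS...]
# Example wrapper: load the key on first use, then run ssh as normal.
# The key path is an assumption; adjust to taste.
sshk() {
    ensure_key_loaded "${HOME}/.ssh/id_ed25519" && ssh "$@"
}
```

Usage: source the file and call `sshk user@host`; the first call prompts for the passphrase via `ssh-add`, later calls in the same agent session do not. If the agent has been restarted, `ssh-add -l` no longer shows the fingerprint and you are prompted once more, which is the intended behaviour.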
