[RFC] Initialisation of ssh-agent


  1. #1

    [RFC] Initialisation of ssh-agent

    Hi,

    Currently I am writing a piece on the why and how of setting up SSH2 for
    public key authentication. For now it is in Dutch, but an English
    version will follow later on. In this document I want to show a couple
    of examples of starting ssh-agent from ~/.xsession, ~/.profile or
    ~/.login.

    This is what I have so far, but I feel this is rather poor. I'd like to
    ask the readers of this list for comments on how to make these examples
    better. All help would be seriously appreciated.

    Example for inclusion in ~/.profile:

    # If there is an active ssh-agent, kill it first (to remove stale ones)
    if [ "$SSH_AGENT_PID" != "" ]; then
        ssh-add -D
        eval `ssh-agent -k`
    fi
    eval `ssh-agent`
    ssh-add

    Example for inclusion in ~/.login:

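    # If there is an active ssh-agent, kill it first (to remove stale ones)
    # $?VAR tests whether the variable is set; expanding "$VAR" directly
    # aborts with "Undefined variable" in csh when it is not.
    if ( $?SSH_AGENT_PID ) then
        ssh-add -D
        eval `ssh-agent -k`
    endif
    eval `ssh-agent`
    ssh-add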

    Example for inclusion in ~/.xsession and ~/.xinitrc:

    #Put this on a line where it is executed just before starting a
    #Window Manager
    exec ssh-agent sh -c 'ssh-add </dev/null'

    I know about /etc/X11/Xsession.options and use-ssh-agent, but most of
    the people that will be reading this are using Solaris, HP-UX and all
    kinds of GNU/Linux distributions, so this must be as portable as
    possible. Of course the above is for OpenSSH, but the same examples are
    given further in the text adapted for use with SSH.com.

    Thanks in advance for all comments.

    Grx HdV




    --
    To UNSUBSCRIBE, email to debian-user-request@lists.debian.org
    with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
    HdV@DTO.TUDelft.NL Guest

  3. #2

    Re: [RFC] Initialisation of ssh-agent

    On Wed, Jul 16, 2003 at 07:10:50PM +0200, HdV@DTO.TUDelft.NL wrote:
    > Hi,
    >
    > Currently I am writing a piece on the why and how of setting up SSH2 for
    > public key authentication. For now it is in Dutch, but an English
    > version will follow later on. In this document I want to show a couple
    > of examples of starting ssh-agent from ~/.xsession, ~/.profile or
    > ~/.login.
    Take a look at keychain. It's the best way to start ssh-agent.

    - Ryan


    Ryan Nowakowski Guest

  4. #3

    Re: [RFC] Initialisation of ssh-agent

    On Wed, 16 Jul 2003, Ryan Nowakowski wrote:
    > Take a look at keychain. It's the best way to start ssh-agent.
    Thanks for the suggestion, but 'apt-cache show' tells me it is for
    OpenSSH. Do you know if it will work with SSH.com and on other *nix
    platforms besides GNU/Linux?

    Grx HdV




    HdV@DTO.TUDelft.NL Guest

  5. #4

    Re: [RFC] Initialisation of ssh-agent

    On Wed, Jul 16, 2003 at 14:06:08 -0500, Ryan Nowakowski wrote:
    > On Wed, Jul 16, 2003 at 07:10:50PM +0200, HdV@DTO.TUDelft.NL wrote:
    > > Currently I am writing a piece on the why and how of setting up SSH2 for
    > > public key authentication. For now it is in Dutch, but an English
    > > version will follow later on. In this document I want to show a couple
    > > of examples of starting ssh-agent from ~/.xsession, ~/.profile or
    > > ~/.login.
    >
    > Take a look at keychain. It's the best way to start ssh-agent.
    According to the description, it prompts the user for passphrases
    as soon as it runs, which may be annoying when one wants to connect
    to a machine, do a few things (without needing ssh) and disconnect.

    I wrote some zsh scripts to start ssh-agent if one is not running,
    and call ssh-add only when needed (ssh, slogin and scp are wrappers).
    The ssh-agent is killed when it isn't needed any longer (but this
    doesn't work very well with screen, perhaps unless one chooses to
    make all shells login shells).

    --
    Vincent Lefèvre <vincent@vinc17.org> - Web: <http://www.vinc17.org/> - 100%
    validated HTML - Acorn Risc PC, Yellow Pig 17, Championnat International des
    Jeux Mathématiques et Logiques, TETRHEX, etc.
    Work: CR INRIA - computer arithmetic / SPACES project at LORIA


    Vincent Lefevre Guest

  6. #5

    Re: [RFC] Initialisation of ssh-agent

    On Fri, 18 Jul 2003, Vincent Lefevre wrote:
    > I wrote some zsh scripts to start ssh-agent if one is not running,
    > and call ssh-add only when needed (ssh, slogin and scp are wrappers).
    > The ssh-agent is killed when it isn't needed any longer (but this
    > doesn't work very well with screen, perhaps unless one chooses to
    > make all shells login shells).
    I'm curious - mind showing us the scripts?

    Thanks,

    ~ Jesse Meyer

    --
    icq: 34583382 / msn: dasunt@hotmail.com / yim: tsunad

    "We are what we pretend to be, so we must be careful about what we
    pretend to be." - Kurt Vonnegut Jr : Mother Night


    Jesse Meyer Guest

  7. #6

    Re: [RFC] Initialisation of ssh-agent

    On Sat, Jul 19, 2003 at 07:07:19PM +0200, HdV@DTO.TUDelft.NL wrote:
    > Finally there is the output of "ps ux". I use it to verify the PID of
    > the ssh-agent process. For that I take the value found in the second
    > column, but I am not sure if "ps ux" will give me that on all/most
    > unices. Does anyone on the list know?
    ps is probably the most inconsistent command in the entirety of Unix.
    No, 'ps ux' won't work on Unix systems which take most of their heritage
    from System V rather than BSD, and there is probably no one set of ps
    arguments that will work everywhere.

    Cheers,

    --
    Colin Watson [cjwatson@flatline.org.uk]


    Colin Watson Guest

  8. #7

    Re: [RFC] Initialisation of ssh-agent

    On Wed, 23 Jul 2003, Colin Watson wrote:
    > ps is probably the most inconsistent command in the entirety of Unix.
    > No, 'ps ux' won't work on Unix systems which take most of their heritage
    > from System V rather than BSD, and there is probably no one set of ps
    > arguments that will work everywhere.
    Yeah, I was getting afraid of that after some testing. Would

    pgrep -U $USER ssh-agent

    be more portable? I know it works for GNU/Linux and Solaris, but I can't
    test it on any of the other *nixes.

    Thanks.

    Grx HdV



    HdV@DTO.TUDelft.NL Guest

  9. #8

    Re: [RFC] Initialisation of ssh-agent

    The way that is usually handled is when the process starts, you record
    the pid in a file in /var/run or /tmp. Then you grab the pid from that
    file when you need to check it.

    - Ryan

    On Wed, Jul 23, 2003 at 09:27:36AM +0100, Colin Watson wrote:
    > On Sat, Jul 19, 2003 at 07:07:19PM +0200, HdV@DTO.TUDelft.NL wrote:
    > > Finally there is the output of "ps ux". I use it to verify the PID of
    > > the ssh-agent process. For that I take the value found in the second
    > > column, but I am not sure if "ps ux" will give me that on all/most
    > > unices. Does anyone on the list know?
    >
    > ps is probably the most inconsistent command in the entirety of Unix.
    > No, 'ps ux' won't work on Unix systems which take most of their heritage
    > from System V rather than BSD, and there is probably no one set of ps
    > arguments that will work everywhere.
    >
    > Cheers,
    >
    > --
    > Colin Watson [cjwatson@flatline.org.uk]

    Ryan Nowakowski Guest
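
The recorded-PID approach from post #8, as an added example that is not part of the original thread: a POSIX sh fragment that reuses one agent per user and checks it with `kill -0` and a socket test instead of `ps` or `pgrep`. The function names and the `AGENT_ENV` path are assumptions made here; the record is kept under `$HOME` rather than `/tmp` or `/var/run` so that other local users cannot pre-create or replace it, and the parser assumes the `NAME=value; export NAME;` lines that OpenSSH's `ssh-agent -s` prints.

```shell
#!/bin/sh
# Added example (not from the thread). AGENT_ENV is a path chosen here.
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# True only if the recorded agent process and its socket both still exist.
# kill -0 sends no signal; it only asks whether we may signal that PID,
# which sidesteps the ps/pgrep portability problem discussed above.
agent_alive() {
    [ -n "${SSH_AGENT_PID:-}" ] && [ -n "${SSH_AUTH_SOCK:-}" ] || return 1
    kill -0 "$SSH_AGENT_PID" 2>/dev/null || return 1
    [ -S "$SSH_AUTH_SOCK" ]
}

# Read the two values out of the record instead of sourcing it, so that a
# tampered file cannot run commands in the login shell.
load_agent_env() {
    [ -f "$AGENT_ENV" ] || return 1
    _sock=$(sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p' "$AGENT_ENV")
    _pid=$(sed -n 's/^SSH_AGENT_PID=\([0-9][0-9]*\);.*/\1/p' "$AGENT_ENV")
    [ -n "$_sock" ] && [ -n "$_pid" ] || return 1
    SSH_AUTH_SOCK=$_sock
    SSH_AGENT_PID=$_pid
    export SSH_AUTH_SOCK SSH_AGENT_PID
}

# Reuse a live agent if there is one; otherwise start one and record it.
ensure_agent() {
    agent_alive && return 0                    # inherited environment is good
    load_agent_env && agent_alive && return 0  # recorded agent is still there
    (   # Subshell: the tight umask must not leak into the login session.
        umask 077
        mkdir -p "$(dirname "$AGENT_ENV")" &&
        ssh-agent -s > "$AGENT_ENV.$$" &&
        mv -f "$AGENT_ENV.$$" "$AGENT_ENV"
    ) || return 1
    load_agent_env && agent_alive
}
```

Calling `ensure_agent` from ~/.profile leaves `SSH_AUTH_SOCK` and `SSH_AGENT_PID` exported for the session; `ssh-add` can then be run only when a key is actually needed.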
