On Fri, May 27, 2016 at 06:20:44PM -0400, Nico Kadel-Garcia wrote:
> On Fri, May 27, 2016 at 9:13 AM, Zbigniew Jędrzejewski-Szmek
> <zbyszek(a)in.waw.pl> wrote:
>> On Fri, May 27, 2016 at 08:51:23AM -0400, Nico Kadel-Garcia wrote:
>>> This breaks the storage of ssh-agent credentials for the one-time
>>> enabling of SSH credentials for access on running hosts.
>>
>> You mean you start ssh-agent somewhere during the first login and then
>> access it from any process from further sessions? You can get a setup
>> to work like this by running the agent in a service, like any long
>> running service.
> It's a historically useful way to require an authorized user to
> actually log into the system and unlock the key. It's similar to the
> requirement of secure Kerberos servers and Java keystore systems to
> have a user attend the startup of the daemons, in order to unlock the
> protected credentials on request and prevent unauthorized use of the
> service from a stolen backup or disk image.
Sure, but there's more than one way to do this. Unless you provide
more details, there is no way to guess what is broken for you.
Based on your general description, there should be no reason for this
to not work.
Zbyszek
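The "agent in a long-running service" setup suggested above, written out as an added example; it is not part of the thread and not systemd's or OpenSSH's own shipped unit. It assumes a systemd user manager, ssh-agent installed at /usr/bin/ssh-agent, and a socket named ssh-agent.socket under the user's runtime directory (%t); the unit name and the socket name are my choices, not anything the thread specifies.

```ini
# ~/.config/systemd/user/ssh-agent.service  (added example; path and names are assumptions)
[Unit]
Description=OpenSSH key agent as a per-user service

[Service]
Type=simple
# %t expands to the user's runtime directory ($XDG_RUNTIME_DIR);
# the socket file name is an assumption, any name under %t works
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
# -D keeps the agent in the foreground so the user manager supervises it,
# -a binds the listening socket to the path set above
ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK

[Install]
WantedBy=default.target
```

Enable it with `systemctl --user enable --now ssh-agent.service` and point clients at it by exporting `SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent.socket"` from the shell profile. For the agent to outlive the last login session, the user manager itself must keep running, which is what `loginctl enable-linger` arranges; without lingering the manager, and the agent with it, is stopped when the user's last session ends. Keys are still only loaded by an operator running `ssh-add` after logging in, so the unlock-on-login property discussed above is preserved, and every process running as that user (or as root) can use the socket while keys are loaded, exactly as with an agent started from a login shell.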