On my FC7, it appears that KDE creates an ssh-agent when it starts. Is this a surprise? What is it for? My FC4 did not do that.
Thanks, Mike.
Mike -- EMAIL IGNORED wrote:
> On my FC7, it appears that KDE creates an ssh-agent when it starts.

It's not specific to KDE. It's done as part of the general X startup scripts.

> Is this a surprise?

It was a pleasant one, for whatever version it was finally added to (it's been a while, and I'd been adding it manually for a long while before that).

> What is it for?

It manages ssh keys. If you use ssh to login to various boxes it is very convenient to use key based authentication instead of using passwords. Using ssh-agent you can add your key to the agent and only enter the key's passphrase once for your entire X session. Then you can ssh into other boxes without any prompting -- securely.
On Wed, 29 Aug 2007 17:00:00 -0400, Todd Zullinger wrote:
> Mike -- EMAIL IGNORED wrote:
>> On my FC7, it appears that KDE creates an ssh-agent when it starts.
>
> It's not specific to KDE. It's done as part of the general X startup scripts.
>
>> Is this a surprise?
>
> It was a pleasant one, for whatever version it was finally added to (it's been a while, and I'd been adding it manually for a long while before that).
>
>> What is it for?
>
> It manages ssh keys. If you use ssh to login to various boxes it is very convenient to use key based authentication instead of using passwords. Using ssh-agent you can add your key to the agent and only enter the key's passphrase once for your entire X session. Then you can ssh into other boxes without any prompting -- securely.

I have been using ssh-agents for a while and I have good scripts and procedures to manage them. Is there a way I can disable the provision of this automatically provided agent? It gets in the way, and I frequently have to manually delete it.

Mike.
Mike -- EMAIL IGNORED wrote:
> I have been using ssh-agents for a while and I have good scripts and procedures to manage them.

You use more than one at a time then?

> Is there a way I can disable the provision of this automatically provided agent? It gets in the way, and I frequently have to manually delete it.

It's started via some code in /etc/X11/xinit/xinitrc-common:

# Prefix launch of session with ssh-agent if available and not already running.
SSH_AGENT=
if [ -x /usr/bin/ssh-agent -a -z "$SSH_AGENT_PID" ]; then
    if [ "x$TMPDIR" != "x" ]; then
        SSH_AGENT="/usr/bin/ssh-agent /bin/env TMPDIR=$TMPDIR"
    else
        SSH_AGENT="/usr/bin/ssh-agent"
    fi
fi

So if you've already started your ssh-agent, it shouldn't be started again. If you don't want it to start because you plan to start it up later, perhaps you could set the SSH_AGENT_PID variable?

You can always edit the xinitrc-common script directly, but then you have to remember to redo your changes after an update (that script isn't marked as a %config script in the rpm).
On Wed, 29 Aug 2007 18:13:08 -0400, Todd Zullinger wrote:
> Mike -- EMAIL IGNORED wrote:
>> I have been using ssh-agents for a while and I have good scripts and procedures to manage them.
>
> You use more than one at a time then?
>
>> Is there a way I can disable the provision of this automatically provided agent? It gets in the way, and I frequently have to manually delete it.
>
> It's started via some code in /etc/X11/xinit/xinitrc-common:
>
> # Prefix launch of session with ssh-agent if available and not already running.
> SSH_AGENT=
> if [ -x /usr/bin/ssh-agent -a -z "$SSH_AGENT_PID" ]; then
>     if [ "x$TMPDIR" != "x" ]; then
>         SSH_AGENT="/usr/bin/ssh-agent /bin/env TMPDIR=$TMPDIR"
>     else
>         SSH_AGENT="/usr/bin/ssh-agent"
>     fi
> fi
>
> So if you've already started your ssh-agent, it shouldn't be started again. If you don't want it to start because you plan to start it up later, perhaps you could set the SSH_AGENT_PID variable?
>
> You can always edit the xinitrc-common script directly, but then you have to remember to redo your changes after an update (that script isn't marked as a %config script in the rpm).
> [...]

For now, I commented out that part of the script. I'm sure I will be reminded if I forget about it after an update. Considering your suggestion that I set the SSH_AGENT_PID variable, when does the xinitrc-common script run? Before or after my .bashrc? After some other standard script you might suggest? Thanks again for your help.

Mike.
On Wed, 29 Aug 2007 23:52:45 +0000, Mike -- EMAIL IGNORED wrote:
> On Wed, 29 Aug 2007 18:13:08 -0400, Todd Zullinger wrote:
>> Mike -- EMAIL IGNORED wrote:
>>> I have been using ssh-agents for a while and I have good scripts and procedures to manage them.
>>
>> You use more than one at a time then?
>>
>>> Is there a way I can disable the provision of this automatically provided agent? It gets in the way, and I frequently have to manually delete it.
>>
>> It's started via some code in /etc/X11/xinit/xinitrc-common:
>>
>> # Prefix launch of session with ssh-agent if available and not already running.
>> SSH_AGENT=
>> if [ -x /usr/bin/ssh-agent -a -z "$SSH_AGENT_PID" ]; then
>>     if [ "x$TMPDIR" != "x" ]; then
>>         SSH_AGENT="/usr/bin/ssh-agent /bin/env TMPDIR=$TMPDIR"
>>     else
>>         SSH_AGENT="/usr/bin/ssh-agent"
>>     fi
>> fi
>>
>> So if you've already started your ssh-agent, it shouldn't be started again. If you don't want it to start because you plan to start it up later, perhaps you could set the SSH_AGENT_PID variable?
>>
>> You can always edit the xinitrc-common script directly, but then you have to remember to redo your changes after an update (that script isn't marked as a %config script in the rpm).
>> [...]
>
> For now, I commented out that part of the script. I'm sure I will be reminded if I forget about it after an update. Considering your suggestion that I set the SSH_AGENT_PID variable, when does the xinitrc-common script run? Before or after my .bashrc? After some other standard script you might suggest? Thanks again for your help.
>
> Mike.

Noting your question I overlooked, I use one agent, but with several keys.

Mike.
Mike -- EMAIL IGNORED wrote:
> For now, I commented out that part of the script. I'm sure I will be reminded if I forget about it after an update.

Yep, after you scratch your head for half an hour wondering why things have broken. :)

> Considering your suggestion that I set the SSH_AGENT_PID variable, when does the xinitrc-common script run? Before or after my .bashrc? After some other standard script you might suggest? Thanks again for your help.

I think it runs after your bash profile is loaded, but I'd have to test that to confirm it. Try adding some variable to ~/.bash_profile and then echo/test it from the xinitrc-common script.

> Noting your question I overlooked, I use one agent, but with several keys.

What is it that breaks by having ssh-agent started automatically?
On Thu, 30 Aug 2007 16:46:28 -0400, Todd Zullinger wrote:
> [...]
> Yep, after you scratch your head for half an hour wondering why things have broken. :)

Well, then, what might be broken? Is the agent provided for something other than my "convenience"?

> [...]
> What is it that breaks by having ssh-agent started automatically?

My script checks for a preexisting agent, and if it finds one, it assumes it is one I created and tries to add a key to it. However, if the system created an agent, other things I put in place when I create the agent are not there, and I get a failure report.

I am reminded of the air conditioning in our family cars. I have a 1999 Camry. It has an excellent AC system. When I want more wind, I turn the fan-speed knob. Now my wife has a 2003 Camry. When it decides I should have more wind, it turns up the fan... I dread the day I will have to shop for a new car. If I wanted a system to transparently decide things like "I should have an ssh-agent", I would use Microsoft (may we be protected from the evil eye). ;)

Mike.
Mike -- EMAIL IGNORED wrote:
> On Thu, 30 Aug 2007 16:46:28 -0400, Todd Zullinger wrote:
>> [...]
>> Yep, after you scratch your head for half an hour wondering why things have broken. :)
>
> Well, then, what might be broken? Is the agent provided for something other than my "convenience"?

I just meant that if you tweak the script and then it gets updated via yum or whatever, you may end up scratching your head for a bit before you realize that the tweak you made several months ago got overwritten. At least, that's what happens to me. :)

>> What is it that breaks by having ssh-agent started automatically?
>
> My script checks for a preexisting agent, and if it finds one, it assumes it is one I created and tries to add a key to it. However, if the system created an agent, other things I put in place when I create the agent are not there, and I get a failure report.

Okay. So obviously the best thing to work with your scripts currently will be if SSH_AGENT_PID is set so that when the xinitrc-common script checks for it, it's already set. I haven't made time to log out and test that yet. Have you tried it to see if that will work?

Also, might it not be more robust (and better in the long term) if your script checked for the things you put in place when you start an ssh-agent? That way it wouldn't matter whether the agent was started by xinitrc-common or you.

At what point do you start your agent? If it's after the xinit scripts would be starting it, then doesn't that leave you unable to use the agent conveniently from some processes started in your X session?

> I am reminded of the air conditioning in our family cars. I have a 1999 Camry. It has an excellent AC system. When I want more wind, I turn the fan-speed knob. Now my wife has a 2003 Camry. When it decides I should have more wind, it turns up the fan... I dread the day I will have to shop for a new car. If I wanted a system to transparently decide things like "I should have an ssh-agent", I would use Microsoft (may we be protected from the evil eye). ;)

I understand that concern. There's also the view that it's nice to have some common things handled so that every user doesn't need to reinvent the wheel. I used to always patch the X startup scripts precisely to add ssh-agent, so I was happy when that change got added.

Unless it turns out that you can't set your own SSH_AGENT_PID variable before the xinitrc-common script runs, you should be able to easily work with the current startup scripts to not start an agent for you, if you prefer not to. And if not, then you can almost as easily modify the xinitrc-common script to not start an agent.

If the latter case is true, then it might be worth submitting a patch to make the xinitrc-common script check for something user controlled (file, variable, etc.) which would allow you to tell it not to start an agent for you.
> Mike -- EMAIL IGNORED wrote:
>> On Thu, 30 Aug 2007 16:46:28 -0400, Todd Zullinger wrote:
>> [...]
>>> Yep, after you scratch your head for half an hour wondering why things have broken. :)
>>
>> Well, then, what might be broken? Is the agent provided for something other than my "convenience"?
>
> I just meant that if you tweak the script and then it gets updated via yum or whatever, you may end up scratching your head for a bit before you realize that the tweak you made several months ago got overwritten. At least, that's what happens to me. :)

Yes, I see your point -- another nuisance.

>>> What is it that breaks by having ssh-agent started automatically?
>>
>> My script checks for a preexisting agent, and if it finds one, it assumes it is one I created and tries to add a key to it. However, if the system created an agent, other things I put in place when I create the agent are not there, and I get a failure report.
>
> Okay. So obviously the best thing to work with your scripts currently will be if SSH_AGENT_PID is set so that when the xinitrc-common script checks for it, it's already set. I haven't made time to log out and test that yet. Have you tried it to see if that will work?

Yes, I could preset SSH_AGENT_PID -- as long as someone does not change the script.

> Also, might it not be more robust (and better in the long term) if your script checked for the things you put in place when you start an ssh-agent? That way it wouldn't matter whether the agent was started by xinitrc-common or you.

Did they use my preferred options in creating the agent?

> At what point do you start your agent? If it's after the xinit scripts would be starting it, then doesn't that leave you unable to use the agent conveniently from some processes started in your X session?

I start the agent by hand execution of the script only when I intend to use it. The script reads encrypted keys from removable media, which is usually not present.

>> I am reminded of the air conditioning in our family cars. I have a 1999 Camry. It has an excellent AC system. When I want more wind, I turn the fan-speed knob. Now my wife has a 2003 Camry. When it decides I should have more wind, it turns up the fan... I dread the day I will have to shop for a new car. If I wanted a system to transparently decide things like "I should have an ssh-agent", I would use Microsoft (may we be protected from the evil eye). ;)
>
> I understand that concern. There's also the view that it's nice to have some common things handled so that every user doesn't need to reinvent the wheel. I used to always patch the X startup scripts precisely to add ssh-agent, so I was happy when that change got added.

It is only nice if it is easily visible and controllable. As can be seen above, my use of agents is different than yours.

> Unless it turns out that you can't set your own SSH_AGENT_PID variable before the xinitrc-common script runs, you should be able to easily work with the current startup scripts to not start an agent for you, if you prefer not to. And if not, then you can almost as easily modify the xinitrc-common script to not start an agent.

This last suggestion remains my favorite.

> If the latter case is true, then it might be worth submitting a patch to make the xinitrc-common script check for something user controlled (file, variable, etc.) which would allow you to tell it not to start an agent for you.
> [...]

Yes. My suggestion is that by default, it be disabled. It might also be added to the install dialog (hopefully in terms that most reasonably well educated users could understand without web-search, which presently is the case for only a minority of the options).

To whom do I present my suggestion, or have I just done it? :)

Thanks again, Mike.
Mike -- EMAIL IGNORED wrote:
>> Okay. So obviously the best thing to work with your scripts currently will be if SSH_AGENT_PID is set so that when the xinitrc-common script checks for it, it's already set. I haven't made time to log out and test that yet. Have you tried it to see if that will work?
>
> Yes, I could preset SSH_AGENT_PID -- as long as someone does not change the script.

I don't think you need to worry too much about that test going away. It's definitely important for the xinit scripts to test for the existence of an already running ssh-agent before starting one up.

>> Also, might it not be more robust (and better in the long term) if your script checked for the things you put in place when you start an ssh-agent? That way it wouldn't matter whether the agent was started by xinitrc-common or you.
>
> Did they use my preferred options in creating the agent?

What options are you passing to ssh-agent? The options it takes are pretty sparse.

> I start the agent by hand execution of the script only when I intend to use it. The script reads encrypted keys from removable media, which is usually not present.

You can have the agent running without adding keys to it right away. So the keys need not be present when you start it. You can also add and remove keys at will. So if you wanted, your script could add the keys to the agent whenever you wanted to use them, and remove them when you were done (or after some timeout, using the -t option to ssh-add).

> It is only nice if it is easily visible and controllable. As can be seen above, my use of agents is different than yours.

I'm still not sure that there's a problem with how the agent is started, even for your use. Perhaps I'm just not understanding how you're using it. With the agent started, you still have full control of what and when keys are loaded.

> Yes. My suggestion is that by default, it be disabled. It might also be added to the install dialog (hopefully in terms that most reasonably well educated users could understand without web-search, which presently is the case for only a minority of the options).

I don't see the default being disabled. It's much more common and generally useful to have it started automatically. If it's made optional, I'd prefer the default to be on. But that's just my opinion.

> To whom do I present my suggestion, or have I just done it? :)

Nah, I haven't wormed my way into the project that far. :)

To make a request for enhancement, you'd use bugzilla. There's a page on the wiki which (hopefully) includes all the steps needed.

http://fedoraproject.org/wiki/BugsAndFeatureRequests

Before filing such a request, be sure that what you want really can't be done with the existing setup. Also, if you really want to increase the likelihood of something being picked up, propose a patch to do what you want or a nice outline of how it can actually be done.

I'm not sure it's needed, but one way I could see something like this being generally useful would be to add a check to the xinitrc-common script to source the files in a dir (first in $HOME and then in /etc) to read settings from. That way you could override things like SSH_AGENT to prevent it from being started.

Oh, and I just realized that even if you can't set SSH_AGENT_PID from your bash startup before the xinitrc-common script runs (let me know if you get a chance to try that, BTW), you could put a file in /etc/X11/xinit/xinitrc.d/ which would set it. Files in that dir are sourced just before the ssh-agent code.
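The xinitrc-common guard quoted earlier in the thread, together with Todd's two suggestions (pre-setting SSH_AGENT_PID, or a drop-in under /etc/X11/xinit/xinitrc.d/ that sets it), worked through as an added shell example that is not from the list thread or from Fedora's own scripts. The function names, the drop-in contents and the placeholder PID value are this example's own assumptions, and any executable on the system stands in for /usr/bin/ssh-agent so it runs without logging out of X.

```shell
#!/bin/sh
# Added example (not Fedora's code): the ssh-agent guard from
# /etc/X11/xinit/xinitrc-common as a function, so the effect of a pre-set
# SSH_AGENT_PID can be checked from any shell. Names here are assumptions.

# Print the command prefix xinitrc-common would build for the given agent
# binary path, SSH_AGENT_PID value and TMPDIR. Empty output means "no agent".
ssh_agent_prefix() {
    agent_bin=$1; agent_pid=$2; tmpdir=$3
    prefix=
    if [ -x "$agent_bin" ] && [ -z "$agent_pid" ]; then
        if [ "x$tmpdir" != "x" ]; then
            prefix="$agent_bin /bin/env TMPDIR=$tmpdir"
        else
            prefix="$agent_bin"
        fi
    fi
    printf '%s' "$prefix"
}

# xinitrc-common only asks whether SSH_AGENT_PID is non-empty, never whether
# that PID is alive. A script that trusts the variable before adding keys
# should also make this check, or it will talk to a dead or foreign agent.
agent_pid_is_live() {
    [ -n "$1" ] && kill -0 "$1" 2>/dev/null
}

# Drop-in a user could place in /etc/X11/xinit/xinitrc.d/ (sourced just before
# the ssh-agent code, per the thread). Written to the path given so the
# example runs anywhere; the contents are constructed for this example.
write_suppress_dropin() {
    cat > "$1" <<'EOF'
# Pre-set SSH_AGENT_PID so xinitrc-common skips its ssh-agent launch.
# Only non-emptiness matters; a non-numeric placeholder cannot collide
# with a real process id.
SSH_AGENT_PID=${SSH_AGENT_PID:-no-system-agent}
export SSH_AGENT_PID
EOF
}

# Walk the cases: default launch, TMPDIR set, PID pre-set by hand, and PID
# pre-set by sourcing the drop-in.
demo() {
    bin=$(command -v sh)   # any executable path stands in for ssh-agent
    echo "default:       '$(ssh_agent_prefix "$bin" "" "")'"
    echo "with TMPDIR:   '$(ssh_agent_prefix "$bin" "" /tmp)'"
    echo "PID pre-set:   '$(ssh_agent_prefix "$bin" 12345 "")'"
    dropin=$(mktemp) && write_suppress_dropin "$dropin"
    . "$dropin"
    echo "after drop-in: '$(ssh_agent_prefix "$bin" "$SSH_AGENT_PID" "")'"
    rm -f "$dropin"
}
demo
```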