How to re-lock ssh private key?
Mail Lists
lists at sapience.com
Wed Mar 4 02:09:22 UTC 2009
On 03/03/2009 02:06 AM, Robert Nichols wrote:
> After I've used ssh on a connection with RSA authorization and given
> my keyring's passphrase to gnome-ssh-askpass, that keyring is now
Here's what I do. The gnome passphrase GUI I find very unfriendly as it
steals and locks focus so you cannot do anything else. So I prefer the
standard tools.
Goal: make sure we are using the real ssh-agent but do not rely on
gnome/X etc to set this up for us. By all means tell gnome (as someone
suggested) to not act as ssh-agent.
I use a file to communicate the ssh-agent socket info for later use,
and thus it can be run any time - we do not need a parent X or gnome
process to start things off.
(1) Create a shell script (I put my version below) which starts
ssh-agent and keeps the socket info in a convenient place for any shell
to get later.
(2) I put it in
~/etc/profile.d/ssh-agent-start.sh
(3) Make sure it is executable
% chmod +x ~/etc/profile.d/ssh-agent-start.sh
(4) Append this snippet to .bash_profile:
# End of .bash_profile
# Run (source) any executable in our ~/etc/profile.d
# which ends in .sh
for i in "${HOME}"/etc/profile.d/*.sh ; do
    if [ -r "$i" ] && [ -x "$i" ]; then
        if [ "$PS1" ]; then
            # interactive shell: let the script talk to us
            . "$i"
        else
            # non-interactive shell: keep it quiet
            . "$i" > /dev/null 2>&1
        fi
    fi
done
(5) Append this to the end of .bashrc:
# End of .bashrc
# Same loop as in .bash_profile, so non-login shells get the agent too
for i in "${HOME}"/etc/profile.d/*.sh ; do
    if [ -r "$i" ] && [ -x "$i" ]; then
        if [ "$PS1" ]; then
            . "$i"
        else
            . "$i" > /dev/null 2>&1
        fi
    fi
done
(6) You can then just use, in a terminal:
    ssh-add
or
    ssh-add -t bla bla
You do not need to log out, but please start a new shell
- a fresh terminal will do just fine.
(7) For convenience I put a launcher button on the taskbar so I can
click and get a GUI prompt for the passphrase. Some prefer to auto-run
this on login - I prefer not to.
This launcher simply runs the following two commands (which you can
wrap into a two-line script):
. ${HOME}/etc/profile.d/ssh-agent-start.sh
/usr/bin/ssh-add
This works for me.
gene/
This should be an attachment, but attachments are frowned on in mailing
lists. Sorry.
========== ~/etc/profile.d/ssh-agent-start.sh ===============
#!/bin/bash
# Please put me in ~/etc/profile.d
# I store ssh-agent env info in ~/.ssh-agent-info so later shells
# do not need to be child processes of the agent.
# gene - 2009
agent="/usr/bin/ssh-agent"
info="${HOME}/.ssh-agent-info"
#askpass="/usr/bin/ksshaskpass"
askpass="/usr/libexec/openssh/ssh-askpass"

start_agent () {
    # Write the info file with 0600 permissions (umask in a subshell so
    # the caller's umask is untouched); drop the "echo Agent pid" line.
    ( umask 077; "$agent" | grep -v 'echo Agent pid' > "$info" )
    . "$info"
    # export, so ssh/ssh-add started from this shell actually see it
    export SSH_ASKPASS="$askpass"
    echo "SSH_ASKPASS=$askpass ; export SSH_ASKPASS;" >> "$info"
}

if [ -f "$info" ] ; then
    . "$info" > /dev/null 2>&1
fi

if [ -x "$agent" ] ; then
    if [ -z "${SSH_AUTH_SOCK}" ] ; then
        ## NOTE: a plain "killall ssh-agent" from a root login would kill
        ## *all* users' ssh-agents, so restrict it to our own processes.
        #echo "no SSH_AUTH_SOCK - starting"
        killall -u "$(id -un)" ssh-agent 2>/dev/null
        start_agent
    else
        # Gnome sets SSH_AUTH_SOCK but unlike ssh-agent - it does
        # not set SSH_AGENT_PID - so we use this to tell them apart.
        if [ -z "$SSH_AGENT_PID" ] ; then
            #echo "no SSH_AGENT_PID - starting"
            start_agent
        else
            pid=${SSH_AGENT_PID}
            # ps -o pid= pads with spaces; strip them all
            runningpid=$(ps -p "$pid" -o pid= | tr -d ' ')
            # also check that the process is ours, not another user's
            owner=$(ps -p "$pid" -o user= | tr -d ' ')
            if [ -z "$runningpid" ] || [ "$pid" != "$runningpid" ] \
               || [ "$owner" != "$(id -un)" ]
            then
                # not running, or not our process
                #echo "no running agent on pid $pid"
                start_agent
            else
                if [ -f "$info" ] ; then
                    . "$info"
                else
                    #echo "Missing $info .. starting agent"
                    start_agent
                fi
            fi
        fi
    fi
fi
# =================== End of ssh-agent-start.sh =================
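The liveness and ownership test that the script above does inline, written as a stand-alone function. This is an added example, not part of gene's post or his script: it parses the saved info file instead of sourcing it (so a stale or tampered file cannot run commands in the shell), uses kill -0 as the "is this process alive and mine" check, and returns distinct codes for each failure. It assumes the file format printed by "ssh-agent -s" (SSH_AUTH_SOCK and SSH_AGENT_PID lines ending in ";"), and ensure_agent assumes OpenSSH's ssh-agent is on PATH; the file name ~/.ssh-agent-info is taken from the script above.

```shell
#!/bin/bash
# Added example, not from gene's post. Checks a saved ssh-agent info
# file (the format "ssh-agent -s" prints) before trusting it.
#
# Return codes of agent_info_usable:
#   0  file names a live agent process we own and an existing socket
#   1  file missing, unreadable or malformed
#   2  SSH_AGENT_PID is not a process we may signal (dead, or another user's)
#   3  process is alive but the SSH_AUTH_SOCK path does not exist

# info_var FILE NAME: print the value of "NAME=value;" from FILE
info_var() {
    sed -n "s/^$2=\([^;]*\);.*/\1/p" "$1"
}

agent_info_usable() {
    info="$1"
    [ -r "$info" ] || return 1

    # Parse the two variables rather than sourcing the file: a stale or
    # tampered file then cannot execute anything in our shell.
    sock=$(info_var "$info" SSH_AUTH_SOCK)
    pid=$(info_var "$info" SSH_AGENT_PID)
    [ -n "$sock" ] && [ -n "$pid" ] || return 1
    case "$pid" in
        *[!0-9]*) return 1 ;;
    esac

    # kill -0 sends no signal; it succeeds only if the process exists AND
    # we are allowed to signal it, so it also answers "is this my agent?"
    # (for a non-root user that means a process with our uid).
    kill -0 "$pid" 2>/dev/null || return 2

    # The listening socket must still be there (it lives under /tmp, which
    # may have been cleaned since the file was written).
    [ -S "$sock" ] || return 3
    return 0
}

# Start a fresh agent only when the saved one is unusable, writing the
# info file with 0600 permissions, then export the parsed values.
# Assumes OpenSSH's ssh-agent is on PATH.
ensure_agent() {
    info="${1:-$HOME/.ssh-agent-info}"
    if ! agent_info_usable "$info"; then
        ( umask 077; ssh-agent -s | grep -v '^echo' > "$info" )
    fi
    SSH_AUTH_SOCK=$(info_var "$info" SSH_AUTH_SOCK)
    SSH_AGENT_PID=$(info_var "$info" SSH_AGENT_PID)
    export SSH_AUTH_SOCK SSH_AGENT_PID
}

# Usage from an interactive shell (not run here): ensure_agent && ssh-add
```

Sourcing this file in place of the profile.d script gives the same "one agent shared by every terminal" behaviour, but a stray SSH_AGENT_PID left over from a previous login is classified as dead (code 2) rather than trusted, and a pid that now belongs to another user's process fails the kill -0 test for the same reason.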