ssh-agent natively runs at startup on OpenBSD when using xenodm; otherwise it needs to be manually initialised. This is quick and easy but somewhat abstruse.

Do not do the seemingly obvious and simply run ssh-agent like so:
$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-MUxDCsIBiG5G/agent.38206; export SSH_AUTH_SOCK;
SSH_AGENT_PID=65950; export SSH_AGENT_PID;
echo Agent pid 65950;
Despite what the output implies, ssh-agent has only printed the shell script needed to initialise the daemon; it has not actually set the variables. Instead, the output should be evaluated, which will set both the SSH_AUTH_SOCK and SSH_AGENT_PID variables that allow ssh-add to communicate with the authentication agent:
$ eval `ssh-agent`
Agent pid 56496
With the variables set, keys can be added to the agent:
$ ssh-add
Enter passphrase for /home/alan/.ssh/id_ed25519:
Identity added: /home/alan/.ssh/id_ed25519 (turing@machine.ai)
To ensure agent processes are not kept running indefinitely, add the following to $HOME/.profile:

trap 'test -n "$SSH_AUTH_SOCK" && ssh-add -D && ssh-agent -k; exit 0' 0
This will remove any keys and terminate the agent at logout:

$ exit
All identities removed.
unset SSH_AUTH_SOCK;
unset SSH_AGENT_PID;
echo Agent pid 56496 killed;
Connection to turing.machine.ai closed.
Alternatively, to automatically initialise ssh-agent at startup, add the following to $HOME/.profile (h/t John Karabaic):

# Fixed socket path, so every login shell finds the same agent.
export SSH_AUTH_SOCK="${HOME}/.ssh/ssh_auth_sock"

# Remove all keys, stop the agent and delete its socket. Only acts when this
# shell started the agent (SSH_AGENT_PID is set); the :-0 default keeps the
# numeric test from erroring in a shell that merely reused an existing agent.
sshkill() {
    if [ "${SSH_AGENT_PID:-0}" -gt 0 ] && [ -S "${SSH_AUTH_SOCK}" ]; then
        ssh-add -D
        ssh-agent -k
        rm -f "${SSH_AUTH_SOCK}"
    fi
}

# Start an agent only if no socket exists yet. A socket left behind by an
# agent that died without cleaning up will pass this test and block a new
# agent from starting; delete the stale file by hand in that case.
if [ ! -S "${SSH_AUTH_SOCK}" ]; then
    eval "$(ssh-agent -a "${SSH_AUTH_SOCK}")"
fi

# Load keys only when the agent holds none (ssh-add -l exits non-zero).
ssh-add -l > /dev/null || ssh-add

trap sshkill EXIT
At login, ssh-add will prompt for any passphrase(s) securing keys stored in $HOME/.ssh:

Last login: Sat Jul 27 13:45:55 2019 from 223.33.44.44
OpenBSD 6.5 (GENERIC) #0: Wed Apr 24 22:45:52 CEST 2019

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

Agent pid 53402
Enter passphrase for /home/alan/.ssh/id_ed25519:
Identity added: /home/alan/.ssh/id_ed25519 (turing@machine.ai)
$
Exporting SSH_AUTH_SOCK as $HOME/.ssh/ssh_auth_sock and testing for its presence before starting another ssh-agent process avoids having multiple instances running. This is a common problem in various implementations of this script. Like the first trap, the sshkill() function will kill the agent and remove stored keys, but will also delete the socket file at logout.
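Testing only for the socket file has one gap: a socket left behind by an agent that died without cleaning up (a kill -9, a crash, or a reboot with $HOME on persistent storage) passes the -S test, so no new agent is ever started and every ssh-add call fails. The following is an added example, not part of the original post or the script above: it classifies the socket using the documented exit status of ssh-add -l (0 when the agent holds identities, 1 when it holds none, 2 when no agent answers) and starts an agent only when none is reachable. The function names agent_state and ensure_agent are my own.

```sh
#!/bin/sh
# agent_state SOCKET_PATH
# Prints one of: absent | stale | empty | loaded
#   absent - no socket at that path
#   stale  - a socket file exists but no agent answers on it
#   empty  - an agent answers but holds no identities
#   loaded - an agent answers and holds at least one identity
agent_state() {
    sock=$1
    [ -S "$sock" ] || { echo absent; return 0; }
    # Capture the exit status without tripping a caller's set -e.
    rc=0
    SSH_AUTH_SOCK=$sock ssh-add -l > /dev/null 2>&1 || rc=$?
    case $rc in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo stale ;;
    esac
}

# ensure_agent SOCKET_PATH
# Starts an agent bound to SOCKET_PATH unless one already answers there,
# clearing a stale socket first so that ssh-agent -a can bind the path.
# Sets SSH_AUTH_SOCK and SSH_AGENT_PID in the calling shell when it starts
# one. Returns 0 if an agent is reachable afterwards, 1 otherwise.
ensure_agent() {
    sock=$1
    case $(agent_state "$sock") in
        loaded|empty) ;;
        stale)  rm -f "$sock"; eval "$(ssh-agent -a "$sock")" > /dev/null ;;
        absent) eval "$(ssh-agent -a "$sock")" > /dev/null ;;
    esac
    case $(agent_state "$sock") in
        loaded|empty) return 0 ;;
        *) return 1 ;;
    esac
}
```

Replacing the `[ ! -S "${SSH_AUTH_SOCK}" ]` test in the .profile script with `ensure_agent "${SSH_AUTH_SOCK}"` keeps the single-instance behaviour while recovering from a stale socket.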