bsdbox

starting ssh-agent on openbsd

<2019-07-27>

When you log in through xenodm, OpenBSD's Xsession script starts ssh-agent for the X session; on a console or remote (ssh) login it has to be started by hand. This is quick and easy but somewhat abstruse.

Do not do the seemingly obvious and simply run ssh-agent like so:

$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-MUxDCsIBiG5G/agent.38206; export SSH_AUTH_SOCK;
SSH_AGENT_PID=65950; export SSH_AGENT_PID;
echo Agent pid 65950;

Despite what the output implies, nothing has been set in your shell: ssh-agent has forked into the background and printed the shell commands that would export SSH_AUTH_SOCK and SSH_AGENT_PID, but a child process cannot change its parent's environment, so the variables stay unset (and the agent keeps running, unreachable, until it is killed). Instead, evaluate the output in the current shell, which sets both variables and lets ssh-add and ssh find the agent's socket:

$ eval `ssh-agent`
Agent pid 56496

With the variables set, keys can be added to the agent:

$ ssh-add
Enter passphrase for /home/alan/.ssh/id_ed25519:
Identity added: /home/alan/.ssh/id_ed25519 (turing@machine.ai)

To ensure agent processes are not kept running indefinitely, add the following to $HOME/.profile:

trap 'test -n "$SSH_AUTH_SOCK" && ssh-add -D && ssh-agent -k; exit 0' 0

This will remove any keys and terminate the agent at logout:

$ exit
All identities removed.
unset SSH_AUTH_SOCK;
unset SSH_AGENT_PID;
echo Agent pid 56496 killed;
Connection to turing.machine.ai closed.

Alternatively, to automatically initialise ssh-agent at startup, add the following to $HOME/.profile (h/t John Karabaic):

# A fixed socket path so every login session finds the same agent.
export SSH_AUTH_SOCK="${HOME}/.ssh/ssh_auth_sock"

# Only the session that started the agent has SSH_AGENT_PID; -gt on an
# empty value is an error in ksh, so default it to 0.
sshkill()
{
	if [ "${SSH_AGENT_PID:-0}" -gt 0 ] && [ -S "${SSH_AUTH_SOCK}" ]; then
		ssh-add -D
		ssh-agent -k
		rm -f "${SSH_AUTH_SOCK}"
	fi
}

# Start an agent bound to the fixed path unless a socket is already there.
if [ ! -S "${SSH_AUTH_SOCK}" ]; then
	eval "$(ssh-agent -a "${SSH_AUTH_SOCK}")"
fi

# Load the default identities when the agent holds none (ssh-add -l exits
# non-zero when the agent has no keys or cannot be reached).
ssh-add -l > /dev/null || ssh-add
trap sshkill EXIT

At login, ssh-add will prompt for the passphrase of each default identity file it finds in $HOME/.ssh (id_rsa, id_ecdsa, id_ed25519 and the other names listed in ssh-add(1); keys under other filenames are not loaded):

Last login: Sat Jul 27 13:45:55 2019 from 223.33.44.44
OpenBSD 6.5 (GENERIC) #0: Wed Apr 24 22:45:52 CEST 2019

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

Agent pid 53402
Enter passphrase for /home/alan/.ssh/id_ed25519:
Identity added: /home/alan/.ssh/id_ed25519 (turing@machine.ai)
$

Exporting SSH_AUTH_SOCK as $HOME/.ssh/ssh_auth_sock and testing for the socket before starting another ssh-agent avoids the multiple-instances problem common to scripts of this kind: a second login finds the socket and reuses the running agent. Two consequences of the fixed path are worth knowing. The file lives under $HOME rather than /tmp, so it survives a reboot while the agent does not; the -S test then passes against a stale socket, no agent is started, and ssh-add fails with a connection error until the file is removed. And only the session that started the agent has SSH_AGENT_PID set, so its logout kills the agent (and deletes the socket) even if another session is still using it. Like the first trap, the sshkill() function removes the stored keys and kills the agent at logout, but also deletes the socket file.
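The following is an added example, not code from the original post or from John Karabaic's script. It keeps the fixed socket path and the logout trap from the two .profile snippets above, but decides whether to reuse, top up or (re)start the agent by asking the agent itself rather than trusting that a socket file exists: ssh-add -l exits 0 when keys are loaded, 1 when the agent answers but holds none, and 2 when no agent can be contacted, which is exactly what a stale socket under $HOME/.ssh produces after a reboot. The AGENT_PROBE hook is an assumption made here so that the decision logic can be exercised without a live agent; everything else is plain ssh-agent(1) and ssh-add(1) usage.

```shell
# Added example (not from the original post). Reuse, add to, or re-create
# the per-user ssh-agent based on what the agent reports, not on whether
# a socket file happens to exist on disk.

SSH_AUTH_SOCK="${SSH_AUTH_SOCK:-${HOME}/.ssh/ssh_auth_sock}"
export SSH_AUTH_SOCK

# Default probe: ask whatever listens on $SSH_AUTH_SOCK to list its keys.
# Exit status: 0 keys loaded, 1 agent up but empty, 2 no agent reachable.
agent_probe() {
	ssh-add -l >/dev/null 2>&1
}

# Print the action for the socket path given as $1: reuse, add or start.
# AGENT_PROBE (an assumed hook for this example) names the probe function,
# so a test can substitute one that returns a fixed status.
# A dead agent's socket is unlinked so that ssh-agent -a can bind to the
# same path again instead of failing with "Address already in use".
agent_action() {
	sock=$1
	"${AGENT_PROBE:-agent_probe}" && rc=0 || rc=$?
	case $rc in
	0) echo reuse ;;
	1) echo add ;;
	*)
		rm -f "$sock"
		echo start
		;;
	esac
}

# Bring the agent up. ssh-agent -a only runs when nothing answers, so a
# second login shares the first session's agent rather than starting one.
agent_setup() {
	case $(agent_action "$SSH_AUTH_SOCK") in
	start)
		eval "$(ssh-agent -a "$SSH_AUTH_SOCK")"
		ssh-add
		;;
	add)
		ssh-add
		;;
	esac
}

# Tear down only from the session that started the agent: SSH_AGENT_PID is
# set there alone, so a concurrent login that merely reused the socket
# leaves the agent running. ${SSH_AGENT_PID:-0} keeps the test valid when
# the variable is unset.
agent_teardown() {
	if [ "${SSH_AGENT_PID:-0}" -gt 0 ]; then
		ssh-add -D
		ssh-agent -k
		rm -f "$SSH_AUTH_SOCK"
	fi
}

# In $HOME/.profile, after sourcing this file:
#	agent_setup
#	trap agent_teardown EXIT
```

Because the decision is driven by ssh-add's exit status, a socket left behind by a previous boot is cleaned up and a fresh agent started, whereas the -S test alone would silently keep pointing every ssh invocation at a dead socket.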

Tags: openbsd
send comments to mark AT jamsek DOT net

Generated by emacs org mode

Copyright © 2023 Mark Jamsek