[vox-tech] ssh-agent help

Ken Bloom vox-tech@lists.lugod.org
Thu, 23 Oct 2003 08:41:24 -0700


On Thu, Oct 23, 2003 at 07:05:44AM -0700, p@dirac.org wrote:
> trying to understand ssh-agent...
>
> my understanding is that for ssh-agent to be useful, the process needs
> to be an ancestor of all your login (vc) and non-login (xterm) shells.

It doesn't need to be the ancestor of your shells - it needs to have
certain environment variables in the shells so that whenever you
randomly call ssh, ssh can use those environment variables to find out
how to talk to ssh-agent.

> where should it be run from?

As a result, a good place to start it from is .login (.profile for you
bash guys) and from .xsession, if that's not running .login or .profile
first (this assumes you use .xsession).

> login shells source /etc/profile, so when i log into a virtual console
> and type "startx", it should be an ancestor of all my xterms.
>
> but in my /etc/bash.bashrc, i source /etc/profile.  will that cause
> problems with ssh-agent running separately for each xterm i create?
>

Even as I described, there is still a problem with this, and that is
that every virtual console you log into (and I frequently log into three
or four at a time) will have its own copy of ssh-agent running. The
keychain package (apt-get install keychain) includes a utility that can
ensure that a user only has one ssh-agent running. Instead of running
ssh-agent in your .login, .profile, and .xsession, run the following two
lines (for tcsh) in those files.

keychain -q ${HOME}/.ssh/id_rsa ${HOME}/.ssh/id_dsa >& /dev/null
source $HOME/.keychain/*-csh

-- 
I usually have a GPG digital signature included as an attachment.
See http://www.gnupg.org/ for info about these digital signatures.
My key was last signed 10/14/2003. If you use GPG, *please* see me about
signing the key. ***** My computer can't give you viruses by email. ***
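Added example, not part of the message above and not keychain's own code: a Bourne-shell sketch for .profile users of the two points the reply makes, that ssh finds the agent through environment variables and that saving them lets every login share one agent. The agent-env file name and the function names are assumptions made for this example.

```shell
# Added sketch, not from the original post. AGENT_ENV is a file name chosen
# here; SSH_AUTH_SOCK and SSH_AGENT_PID are the variables ssh-agent prints.
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent-env}"

# True when this shell's SSH_AUTH_SOCK reaches a running agent.
# ssh-add -l exits 0 (keys listed), 1 (agent up, no keys) or 2 (no agent).
agent_alive() {
    [ -n "${SSH_AUTH_SOCK:-}" ] || return 1
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -le 1 ]
}

# Start an agent and save its variables, readable only by the owner.
start_agent() {
    (
        umask 077
        mkdir -p "$(dirname "$AGENT_ENV")" &&
        ssh-agent -s | grep -v '^echo' > "$AGENT_ENV"
    ) || return 1
    . "$AGENT_ENV"
}

# Use the agent this shell inherited, else the saved one, else a new one.
# AGENT_STATUS records which case applied.
ensure_agent() {
    if agent_alive; then
        AGENT_STATUS=inherited
        return 0
    fi
    if [ -r "$AGENT_ENV" ]; then
        . "$AGENT_ENV"
        if agent_alive; then
            AGENT_STATUS=reused
            return 0
        fi
    fi
    start_agent && agent_alive && AGENT_STATUS=started
}

# In ~/.profile and ~/.xsession:  ensure_agent
```

A saved file left behind by a dead agent fails the ssh-add check, so the next login starts a fresh agent instead of exporting a socket path nothing listens on.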
