SSH and agent article (was: scp in batch mode)
Bob Proulx
bob at proulx.com
Sat Feb 12 05:12:11 EST 2005
Daniel Kahn Gillmor wrote:
> SSH identity/public key. Brian Hatch's articles [1] [2] about doing
> this are a good place to start reading.
> [2] http://www.securityfocus.com/infocus/1812
Brian's articles are generally good. However, whenever I see the
following I always cringe. This is from his article.

    # Run it inside backticks, which will capture the output and
    # pass it to 'eval' which will run it in your current shell.
    $ eval `ssh-agent`
    Agent pid 7943

People read those howtos and then do this in their .bashrc et al
scripts and then forget about them. I find these when a machine is
now out of process slots because of thousands of forgotten ssh-agents!
Of course he mentions in passing that you can kill off your agents.
But how many readers will see that and do it?
In hindsight I wish that ssh-agent disallowed that style and forced
users to use the subshell instead.

Man page:

    If a commandline is given, this is executed as a subprocess of the agent.
    When the command dies, so does the agent.

Example:

    exec ssh-agent $SHELL

Or:

    exec ssh-agent x-session-manager

Any of those invocations are so much better by being a lot tidier
about the processes. I would hazard a guess that most readers on this
list use one of the command-line forms and only rarely use the eval form.
Bob
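
Added example, not part of the original post: a small audit helper for the leak described above, which reads `ps` output and reports users who own several ssh-agent processes reparented to PID 1, the state that agents started with the eval form are left in. The function names, the threshold and the sample `ps` listing are constructed for illustration; it assumes detached agents show PPID 1, which may not hold on systems that use a per-user subreaper.

```shell
#!/bin/sh
# Constructed sample of `ps -eo pid,ppid,user,comm` output (not from a real host).
sample_ps() {
cat <<'EOF'
  PID  PPID USER     COMM
    1     0 root     init
 7943     1 alice    ssh-agent
 8120     1 alice    ssh-agent
 8133     1 alice    ssh-agent
 8200  8199 bob      bash
 8201  8200 bob      ssh-agent
 9001     1 carol    ssh-agent
 9100     1 root     sshd
EOF
}

# orphaned_agents [MIN]
# Reads ps output (pid ppid user comm) on stdin and prints one line per user,
# "user count pid,pid,...", for users owning at least MIN (default 2)
# ssh-agent processes whose parent is PID 1. An agent that still has a live
# parent other than PID 1 is treated as tied to a session and is not reported.
orphaned_agents() {
    awk -v min="${1:-2}" '
        NR > 1 && $4 == "ssh-agent" && $2 == 1 {
            n[$3]++
            pids[$3] = pids[$3] (pids[$3] == "" ? "" : ",") $1
        }
        END {
            for (u in n)
                if (n[u] >= min)
                    print u, n[u], pids[u]
        }' | sort
}

# Run against the constructed sample. On a live host, use instead:
#   ps -eo pid,ppid,user,comm | orphaned_agents
sample_ps | orphaned_agents
```
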