reference counting in ssh-agent?
Jim Knoble
jmknoble at pobox.com
Fri Jul 29 02:51:50 EST 2005
Circa 2005-07-27 dixit Rob:
: In a machine that I regularly use on console and remotely I have the line:
:
: eval `ssh-agent`
:
: In my .login, as per the ssh-agent(1) man page.
:
: Problem: when I log out, the ssh-agent process persists which is the
: correct behavior in some cases, but not in others. This means that
: periodically I have to kill off hundreds of ssh-agent processes as they
: are taking up a substantial amount of my (fairly old) machine's resources.
:
: Question: is there a trivial way of fixing this problem? I could do some
: shell scripting to kill ssh-agent in the right cases and not in others,
: but that seems kludgy, and I can't imagine that I'm the only one to have
: this problem.
If you want the agent to be ephemeral (i.e., to last only for your login
session), then you should kill the agent in your logout script
(~/.logout for csh, ~/.bash_logout for bash, a kludge involving 'trap
... 0' for pdksh). I do this in a fashion similar to the following:
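
~/.bash_profile:

    # Optional override: ~/.ssh-agent holds the path to the agent binary.
    if [ -f "${HOME}/.ssh-agent" ]; then
        SSH_AGENT=`cat "${HOME}/.ssh-agent"`
    fi
    SSH_AGENT="${SSH_AGENT:-/usr/bin/ssh-agent}"
    # Start an agent only if none is reachable yet, the user has opted
    # in via ~/.use-ssh-agent, and the binary is executable.
    if [ -z "${SSH_AUTH_SOCK}" ] && \
       [ -f "${HOME}/.use-ssh-agent" ] && \
       [ -x "${SSH_AGENT}" ]
    then
        eval `${SSH_AGENT}`
    fi

~/.bash_logout:

    if [ -f "${HOME}/.ssh-agent" ]; then
        SSH_AGENT=`cat "${HOME}/.ssh-agent"`
    fi
    SSH_AGENT="${SSH_AGENT:-/usr/bin/ssh-agent}"
    # 'ssh-agent -k' kills the agent named by SSH_AGENT_PID and prints
    # the commands that unset the agent variables.
    if [ -n "${SSH_AGENT_PID}" ] && \
       [ -x "${SSH_AGENT}" ]
    then
        eval `${SSH_AGENT} -k`
    fi
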
It's a little complex, but basically:

  - ~/.ssh-agent optionally contains the path to the ssh-agent program.
  - ~/.use-ssh-agent, if present, says we want ssh-agent to run
    automatically in each login session.
  - ssh-agent is only run if it's not already running in a parent of
    the current session (we check the SSH_AUTH_SOCK environment
    variable for that).
  - if ssh-agent is disabled by removing execute permission, then we
    don't try to use it.

For csh, it would look a little different; I don't know csh very well,
so someone else would need to figure that out.
For ksh, the above should work virtually unchanged; the only difference
may be in how quotes are interpreted inside backquotes (`), and that's
not generally a problem unless you have, for example, a space character
in the path to your home directory. To make pdksh run a script (such as
~/.ksh_logout) on logout, put the following in your ~/.profile:

    ksh_logout() {
        if [ -s "${HOME}/.ksh_logout" ]; then
            . "${HOME}/.ksh_logout"
        fi
    }
    case "$-" in
        *i*)
            # Interactive shell
            if [ -n "${KSH_VERSION}" ]; then
                trap ksh_logout 0
            fi
            ;;
    esac

Good luck.
--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 809F:09B9:9686:D035:4AB0::9455:124B:0A62:DD6A:76D6)
.....................................................................
:"The methods now being used to merchandise the political candidate :
: as though he were a deodorant positively guarantee the electorate :
: against ever hearing the truth about anything." --Aldous Huxley :
:...................................................................:
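
Added example, not part of the original post and not OpenSSH's own code: the login/logout pair written as two POSIX shell functions with an ownership marker, so that only the shell that started the agent stops it. A nested login shell inherits SSH_AGENT_PID through the environment, so a logout check on that variable alone also fires in the child; the marker AGENT_OWNER_PID and the function names are assumptions made here, while the file names follow the post.

```sh
# Added example. AGENT_OWNER_PID, agent_path, agent_login and
# agent_logout are hypothetical names; ~/.ssh-agent and
# ~/.use-ssh-agent are used as described in the post.

# Resolve the agent binary: ~/.ssh-agent may hold an alternate path.
agent_path() {
    if [ -f "${HOME}/.ssh-agent" ]; then
        cat "${HOME}/.ssh-agent"
    else
        echo /usr/bin/ssh-agent
    fi
}

# Call from ~/.bash_profile (or ~/.profile).
agent_login() {
    SSH_AGENT=$(agent_path)
    if [ -z "${SSH_AUTH_SOCK}" ] && \
       [ -f "${HOME}/.use-ssh-agent" ] && \
       [ -x "${SSH_AGENT}" ]
    then
        eval "$("${SSH_AGENT}")" >/dev/null
        # Deliberately NOT exported: child shells inherit SSH_AGENT_PID
        # but never this marker, so they cannot pass the check below.
        AGENT_OWNER_PID=$$
    fi
}

# Call from ~/.bash_logout (or the pdksh 'trap ... 0' handler).
agent_logout() {
    SSH_AGENT=$(agent_path)
    if [ "${AGENT_OWNER_PID}" = "$$" ] && \
       [ -n "${SSH_AGENT_PID}" ] && \
       [ -x "${SSH_AGENT}" ]
    then
        # Kills the agent and unsets SSH_AUTH_SOCK / SSH_AGENT_PID.
        eval "$("${SSH_AGENT}" -k)" >/dev/null
        unset AGENT_OWNER_PID
    fi
}
```

A session that finds SSH_AUTH_SOCK already set (a nested login shell, or a remote login with a forwarded agent) neither starts nor stops an agent.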
More information about the openssh-unix-dev
mailing list