reference counting in ssh-agent?

Jim Knoble jmknoble at
Fri Jul 29 02:51:50 EST 2005

Circa 2005-07-27 dixit Rob:

: In a machine that I regularly use on console and remotely I have the line:
: eval `ssh-agent`
: In my .login, as per the ssh-agent(1) man page.
: Problem: when I log out, the ssh-agent process persists which is the
: correct behavior in some cases, but not in others.  This means that
: periodically I have to kill off hundreds of ssh-agent processes as they
: are taking up a substantial amount of my (fairly old) machine's resources.
: Question: is there a trivial way of fixing this problem?  I could do some
: shell scripting to kill ssh-agent in the right cases and not in others,
: but that seems kludgy, and I can't imagine that I'm the only one to have
: this problem.

If you want the agent to be ephemeral (i.e., to last only for your login
session), then you should kill the agent in your logout script
(~/.logout for csh, ~/.bash_logout for bash, a kludge involving 'trap
... 0' for pdksh).  I do this in a fashion similar to the following:


        # Login script: start an agent unless one is already available.
        if [ -f "${HOME}/.ssh-agent" ]; then
            SSH_AGENT=`cat "${HOME}/.ssh-agent"`
        fi
        if [ -z "${SSH_AUTH_SOCK}" ] && \
           [ -f "${HOME}/.use-ssh-agent" ] && \
           [ -x "${SSH_AGENT}" ]
        then
            eval `${SSH_AGENT}`
        fi


        # Logout script: kill the agent named by SSH_AGENT_PID.
        if [ -f "${HOME}/.ssh-agent" ]; then
            SSH_AGENT=`cat "${HOME}/.ssh-agent"`
        fi
        if [ -n "${SSH_AGENT_PID}" ] && \
           [ -x "${SSH_AGENT}" ]
        then
            eval `${SSH_AGENT} -k`
        fi

It's a little complex, but basically:

    - ~/.ssh-agent optionally contains the path to the ssh-agent program.

    - ~/.use-ssh-agent, if present, says we want ssh-agent to run
      automatically in each login session.

    - ssh-agent is only run if it's not already running in a parent of
      the current session (we check the SSH_AUTH_SOCK environment
      variable for that).

    - if ssh-agent is disabled by removing execute permission, then we
      don't try to use it.

For csh, it would look a little different; I don't know csh very well,
so someone else would need to figure that out.

For ksh, the above should work virtually unchanged; the only difference
may be in how quotes are interpreted inside backquotes (`), and that's
not generally a problem unless you have, for example, a space character
in the path to your home directory.  To make pdksh run a script (such as
~/.ksh_logout) on logout, put the following in your ~/.profile:

    # Run ~/.ksh_logout (if non-empty) when the shell exits.
    ksh_logout() {
        if [ -s "${HOME}/.ksh_logout" ]; then
            . "${HOME}/.ksh_logout"
        fi
    }
    case "$-" in
        *i*)
            # Interactive shell
            if [ -n "${KSH_VERSION}" ]; then
                trap ksh_logout 0
            fi
            ;;
    esac

Good luck.

jim knoble  |  jmknoble at  |
(GnuPG fingerprint: 809F:09B9:9686:D035:4AB0::9455:124B:0A62:DD6A:76D6)
 :"The methods now being used to merchandise the political candidate :
 : as though he were a deodorant positively guarantee the electorate :
 : against ever hearing the truth about anything."   --Aldous Huxley :

More information about the openssh-unix-dev mailing list
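
The login/logout pair from the message above, rewritten as functions in an added example that is not part of the original post. It also records which shell started the agent, so that a nested login shell that merely inherited SSH_AGENT_PID does not kill its parent's agent at logout. The names agent_path, agent_login, agent_logout and AGENT_OWNED_BY are hypothetical, and no default agent path is assumed when ~/.ssh-agent is absent.

```shell
# Added example; function and variable names here are hypothetical.

# ~/.ssh-agent holds the path to the agent program, as in the message.
agent_path() {
    if [ -f "${HOME}/.ssh-agent" ]; then
        cat "${HOME}/.ssh-agent"
    fi
}

# Call from the login script. Starts an agent only when none was inherited
# and ~/.use-ssh-agent exists, then records this shell's PID as the owner.
agent_login() {
    SSH_AGENT=$(agent_path)
    if [ -z "${SSH_AUTH_SOCK}" ] && \
       [ -f "${HOME}/.use-ssh-agent" ] && \
       [ -n "${SSH_AGENT}" ] && [ -x "${SSH_AGENT}" ]
    then
        # -s asks ssh-agent for Bourne-shell commands on stdout.
        eval "$("${SSH_AGENT}" -s)" >/dev/null
        AGENT_OWNED_BY=$$
        export AGENT_OWNED_BY
    fi
}

# Call from the logout script (~/.bash_logout, or the pdksh exit trap).
# Kills the agent only if this very shell started it; an inherited
# AGENT_OWNED_BY carries the parent's PID and therefore does not match.
agent_logout() {
    SSH_AGENT=$(agent_path)
    if [ -n "${SSH_AGENT_PID}" ] && \
       [ "${AGENT_OWNED_BY}" = "$$" ] && \
       [ -n "${SSH_AGENT}" ] && [ -x "${SSH_AGENT}" ]
    then
        # -k kills the agent named by SSH_AGENT_PID and unsets the variables.
        eval "$("${SSH_AGENT}" -s -k)" >/dev/null
        unset AGENT_OWNED_BY
    fi
}
```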