openssh-agent polling
Jefferson Ogata
Jefferson.Ogata at noaa.gov
Mon Sep 17 08:52:13 EST 2007
On 09/16/07 22:08, Bob Proulx wrote:
> Damien Miller wrote:
>> You can avoid the polling now by not executing a subcommand when starting
>> ssh-agent. I.e. run:
>> eval `ssh-agent`
>> ...
>> This will leave an ssh-agent around unless you have a symmetric
>> "ssh-agent -k" in your logout scripts.
>
> I have often seen users who mess this up and will leave literally
> hundreds of ssh-agents running on machines. One large advantage of
> 'ssh-agent command' is that the ssh-agent will exit when the command
> exits. But users who do "eval `ssh-agent`" rarely clean up after
> themselves.
All that is needed is for the users' shells to discover their running
agents when they log in, so they never need to run more than one agent.
You can add a few lines to the common profile (YMMV):
if [ -n "$SSH_AUTH_SOCK" ]
then
    # An agent socket was inherited: keep it only if it is our own, live agent.
    if [ -S "$SSH_AUTH_SOCK" -a -O "$SSH_AUTH_SOCK" ]
    then
        # ssh-add -l exits 2 when it cannot contact an agent
        SSH_AUTH_SOCK="$SSH_AUTH_SOCK" ssh-add -l >/dev/null 2>&1
        if [ $? -ne 2 ]; then
            export SSH_AUTH_SOCK
        else
            unset SSH_AUTH_SOCK
        fi
    else
        unset SSH_AUTH_SOCK
    fi
fi
if [ -z "$SSH_AUTH_SOCK" ]
then
    # No usable agent inherited: look for one we started earlier.
    for x in /tmp/ssh*/agent*
    do
        if [ -S "$x" -a -O "$x" ]
        then
            SSH_AUTH_SOCK="$x" ssh-add -l >/dev/null 2>&1
            if [ $? -ne 2 ]; then
                SSH_AUTH_SOCK="$x"
                export SSH_AUTH_SOCK
                break
            fi
        fi
    done
fi
After that, they only need to run ssh-agent once and new shells will
find the running instance regardless of ancestry. (If they do run
ssh-agent with a command, however, the discovered ssh-agent may disappear.)
You can also append:
if [ -z "$SSH_AUTH_SOCK" ]
then
    eval `ssh-agent`
fi
So they never even have to run ssh-agent the first time.
(This is of course assuming you don't see the use of ssh-agent as
fundamentally dangerous, as some of us do.)
--
Jefferson Ogata <Jefferson.Ogata at noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at noaa.gov>
"Never try to retrieve anything from a bear."--National Park Service
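An added example, not part of the post above, that builds on its login snippet: it maps the ssh-add exit status to a named state (so a missing ssh-add is not mistaken for a live agent), picks the first usable socket from a candidate list, and gives an admin a per-user count of leftover ssh-agent processes from ps output. The `SSH_ADD` override, the function names and the ps lines are my own constructed assumptions.

```sh
#!/bin/sh
# Added example (not from the original post). Assumes OpenSSH's documented
# ssh-add exit codes: 0 = identities listed, 1 = agent has none, 2 = no agent.
# SSH_ADD is a hook so the probe can be swapped for a stub in tests.
SSH_ADD=${SSH_ADD:-ssh-add}

# agent_state SOCKET -> prints one of: keys, empty, dead, error
# "error" covers anything else, e.g. 127 when ssh-add itself is missing,
# which the bare "$? -ne 2" test in the post would treat as a live agent.
agent_state() {
    rc=0
    SSH_AUTH_SOCK="$1" "$SSH_ADD" -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo keys ;;
        1) echo empty ;;
        2) echo dead ;;
        *) echo error ;;
    esac
}

# find_live_agent SOCKET... -> prints the first usable socket we own, if any.
# The caller supplies the candidates, e.g. find_live_agent /tmp/ssh*/agent*
find_live_agent() {
    for sock in "$@"; do
        [ -S "$sock" ] && [ -O "$sock" ] || continue
        case $(agent_state "$sock") in
            keys|empty) echo "$sock"; return 0 ;;
        esac
    done
    return 1
}

# agent_sprawl_report THRESHOLD < ps-output
# Reads "user comm" lines (as from: ps -eo user=,comm=) on stdin and prints
# "user count" for every user with more than THRESHOLD ssh-agent processes,
# i.e. the "hundreds of ssh-agents" case the thread complains about.
agent_sprawl_report() {
    awk -v limit="$1" '$2 == "ssh-agent" { n[$1]++ }
        END { for (u in n) if (n[u] > limit) print u, n[u] }' | sort
}

# Demo against constructed ps output (not real system data): run with "demo".
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' 'alice ssh-agent' 'alice ssh-agent' 'bob bash' \
        'bob ssh-agent' 'alice ssh-agent' | agent_sprawl_report 1
fi
```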