[openssh-unix-dev] Re: openssh-agent polling
Wout Mertens
wmertens at cisco.com
Tue Sep 18 23:59:47 EST 2007
On Sep 17, 2007, at 3:13 AM, Jefferson Ogata wrote:
> There are ways of mitigating this--check ownership of /tmp/ssh-ZZZZZZZZ
> directory as well (should be root), but overall I agree with you that
> the explicit location in the user's home is superior. I actually have
> always wondered why the agent sockets have been put under /tmp and
> not ~ or ~/.ssh.
If you have NFS-mounted homedirs, a socket can only have a process
connected to it on one single host. At least on Solaris... There's
also a bug on Mac OS 10.4 that won't let you connect to an unused
socket that was in use when your system crashed. I ran into both
issues trying just what you describe ;-)
Hmm, the socket name could be randomized and amended with the
hostname to mitigate these problems. This would also give you an
insight in the hosts where you have agents running. Interesting...
so that gives us:
=============================================
# Only create a new agent if not logging in remotely or sudoing
if [ -z "$SSH_AUTH_SOCK$SUDO_USER$SSH_CLIENT" -a -w ~/.ssh -a -O ~/.ssh ]; then
    export SSH_AUTH_SOCK
    # Look for a live agent that was started on this host
    for i in ~/.ssh/socket-`hostname`_*; do
        if [ -S "$i" -a -O "$i" ]; then
            # ssh-add -l exits 0 (keys loaded) or 1 (no keys) when an agent
            # answers, 2 when nothing is listening on the socket
            SSH_AUTH_SOCK="$i" ssh-add -l >/dev/null 2>&1
            if [ $? -le 1 ]; then
                SSH_AUTH_SOCK="$i"
                break
            fi
            # Clean up socket?
        fi
    done
    if [ -z "$SSH_AUTH_SOCK" ]; then
        SSH_AUTH_SOCK=~/.ssh/socket-`hostname`_$RANDOM$$
        eval `ssh-agent -a "$SSH_AUTH_SOCK" -s`
    fi
fi
=============================================
Note that I add $RANDOM to the name - plain old sh doesn't have that,
so I add $$ as well. The concatenation of environment variables is an
AND function that doesn't take as much space ;-)
Unfortunately this approach doesn't work on OS X - the hostname
changes depending on what the DNS returns for the current IP address
when using DHCP.
Cheers,
Wout.
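The snippet above leaves the "Clean up socket?" question open and folds the agent health check into the loop. The following is an added example (not code from Wout's post or from OpenSSH) that splits those concerns into small functions: one probe that applies the ownership and socket-type checks and maps the ssh-add -l exit code to a verdict, one loop that reuses the first live socket and unlinks stale ones the user owns, and one name builder that bakes the host name into the path so NFS-shared home directories on several hosts do not collide. The function names, the AGENT_PROBE indirection and the use of uname -n in place of hostname are assumptions made for this example; the exit-code meanings are those of OpenSSH's ssh-add -l as the post relies on them.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: per-host agent sockets
# under ~/.ssh with explicit ownership checks and stale-socket cleanup.

# Classify one candidate socket path.  Returns:
#   0  a socket we own, and an agent answers on it (ssh-add -l exit 0 or 1)
#   1  not a socket, or not owned by us: never touch it
#   2  a socket we own, but nothing answers: a stale leftover, safe to remove
probe_agent_socket() {
    [ -S "$1" ] && [ -O "$1" ] || return 1
    rc=0
    # ssh-add -l: 0 = keys listed, 1 = agent reachable but empty, 2 = no agent
    SSH_AUTH_SOCK="$1" ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -le 1 ] && return 0
    return 2
}

# The probe is looked up by name (hypothetical variable) so a test can
# substitute a stand-in without needing a running agent.
AGENT_PROBE=${AGENT_PROBE:-probe_agent_socket}

# Walk the candidate paths; print the first live socket and return 0.
# Stale sockets of ours are unlinked so they stop piling up in ~/.ssh.
find_live_agent() {
    for s in "$@"; do
        rc=0
        "$AGENT_PROBE" "$s" || rc=$?
        case $rc in
            0) printf '%s\n' "$s"; return 0 ;;
            2) rm -f "$s" ;;
        esac
    done
    return 1
}

# Build a fresh socket name in the post's ~/.ssh/socket-<host>_<random> style.
# $RANDOM is bash-only, so the pid is always appended as well.
new_agent_socket_name() {   # $1 = host name, $2 = pid
    printf '%s/.ssh/socket-%s_%s%s\n' "$HOME" "$1" "${RANDOM:-}" "$2"
}

# Reuse an agent started on this host, or start one bound to a new socket.
ensure_agent() {
    host=$(uname -n)
    sock=$(find_live_agent "$HOME"/.ssh/socket-"$host"_*) || {
        sock=$(new_agent_socket_name "$host" "$$")
        eval "$(ssh-agent -a "$sock" -s)" >/dev/null
    }
    SSH_AUTH_SOCK=$sock; export SSH_AUTH_SOCK
}
```

Call ensure_agent from a login shell's profile under the same guard the post uses (no SSH_AUTH_SOCK, SUDO_USER or SSH_CLIENT set). Because the probe refuses anything that is not a socket owned by the current user, a planted file or foreign socket in ~/.ssh is skipped rather than connected to, and only sockets that passed that ownership check are ever removed.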