[openssh-unix-dev] Re: openssh-agent polling

Wout Mertens wmertens at cisco.com
Tue Sep 18 23:59:47 EST 2007


On Sep 17, 2007, at 3:13 AM, Jefferson Ogata wrote:

> There are ways of mitigating this--check ownership of /tmp/ssh-ZZZZZZZZ
> directory as well (should be root), but overall I agree with you that
> the explicit location in the user's home is superior. I actually have
> always wondered why the agent sockets have been put under /tmp and not ~
> or ~/.ssh.

If you have NFS-mounted homedirs, a socket can only have a process  
connected to it on one single host. At least on Solaris... There's  
also a bug on Mac OS 10.4 that won't let you connect to an unused  
socket that was in use when your system crashed. I ran into both  
issues trying just what you describe ;-)

Hmm, the socket name could be randomized and amended with the
hostname to mitigate these problems. This would also give you an
insight into the hosts where you have agents running. Interesting...

So that gives us:
=============================================
# Only create a new agent if not logging in remotely or sudoing.
# Note: -O (file owned by the current user) is a bash/ksh test, not POSIX sh.
if [ -z "$SSH_AUTH_SOCK$SUDO_USER$SSH_CLIENT" -a -w ~/.ssh -a -O ~/.ssh ]; then
        export SSH_AUTH_SOCK
        # Reuse an agent already running on this host, if one answers.
        for i in ~/.ssh/socket-`hostname`_*; do
                if [ -S "$i" -a -O "$i" ]; then
                        # ssh-add -l exits 0 (keys loaded) or 1 (no keys)
                        # when the agent answers, 2 when it cannot connect.
                        SSH_AUTH_SOCK="$i" ssh-add -l >/dev/null 2>&1
                        if [ $? -le 1 ]; then
                                SSH_AUTH_SOCK="$i"
                                break
                        fi
                        # Clean up socket?
                fi
        done
        # No live agent found: start one on a fresh, host-qualified socket.
        if [ -z "$SSH_AUTH_SOCK" ]; then
                SSH_AUTH_SOCK=~/.ssh/socket-`hostname`_$RANDOM$$
                eval `ssh-agent -a "$SSH_AUTH_SOCK" -s`
        fi
fi
=============================================
Note that I add $RANDOM to the name - plain old sh doesn't have that,  
so I add $$ as well. The concatenation of environment variables is an  
AND function that doesn't take as much space ;-)

Unfortunately, this approach doesn't work on OS X - the hostname
changes depending on what the DNS returns for the current IP address
when using DHCP.

Cheers,

Wout.