Repost: [patch] Automatically add keys to agent

Joachim Schipper joachim at joachimschipper.nl
Mon Jan 18 23:54:42 EST 2010


On Sat, Jan 16, 2010 at 05:15:47PM -0500, Jameson Rollins wrote:
> On Sat, Jan 16, 2010 at 08:34:30PM +0100, Joachim Schipper wrote:
> > On Tue, Jan 12, 2010 at 01:24:34AM +0100, Joachim Schipper wrote:
> > > My keys are secured with a passphrase. That's good for security, but
> > > having to type the passphrase either at every login or at every
> > > invocation of ssh(1) is annoying.
> > 
> > > Hence, this patch. I'll just quote ssh_config(5):
> > > 
> >      AddKeyToAgent
> >        If this option is set to ``yes'' and ssh-agent(1) is running, any
> >        keys used will be added to the agent (with the default lifetime).
> >        Setting this to ``ask'' will cause ssh to require confirmation
> >        using the SSH_ASKPASS program before the key is added (see
> >        ssh-add(1) for details).  The argument must be ``yes'', ``ask'',
> >        or ``no''.  The default is ``no''.
> > 
> > I am a bit disappointed by the total lack of response - does nobody else
> > have this problem? I'm willing to do more work on it, if so desired, and
> > I wouldn't mind having to wait until OpenBSD 4.7 is tagged if everyone's
> > too busy right now.
> 
> I think probably everyone already has hooks or wrapper scripts they've
> put together to accomplish this.  For instance I have a proxycommand
> that does it for me.  That said, I think it's a pretty good idea.  I
> would rather use something like this than the hackish wrapper scripts
> I'm currently using.
> 
> That said, I wasn't a big fan of your dismissal of the ssh-add -c
> option.  I think that is a very important option that everyone should
> be using.  You should always want to be informed if anything is trying
> to use your key.  Otherwise a malicious program could gain access to
> your key without your knowing it.

You're right, it would be good to support it. I had some problems
figuring out a decent UI for it, though.

The best solution I could think of leads to configuration lines like
"AddKeyToAgent ask confirm". Most directives are a lot simpler than
that.

Otherwise, how would you feel about "AutoAdd ask",
"AutoAddRequireConfirmation yes"? (Better names would be welcome,
obviously.)

Finally, one could add a "default confirm" option to ssh-agent. I'm not
sure that is a good idea, though: it has very little to do with my
proposed change.

		Joachim


More information about the openssh-unix-dev mailing list