Repost: [patch] Automatically add keys to agent

Joachim Schipper joachim at joachimschipper.nl
Tue Jan 19 00:22:04 EST 2010


On Mon, Jan 18, 2010 at 01:54:42PM +0100, Joachim Schipper wrote:
> On Sat, Jan 16, 2010 at 05:15:47PM -0500, Jameson Rollins wrote:
> > On Sat, Jan 16, 2010 at 08:34:30PM +0100, Joachim Schipper wrote:
> > > On Tue, Jan 12, 2010 at 01:24:34AM +0100, Joachim Schipper wrote:
> > > > My keys are secured with a passphrase. That's good for security, but
> > > > having to type the passphrase either at every login or at every
> > > > invocation of ssh(1) is annoying.
> > > 
> > > > Hence, this patch. I'll just quote ssh_config(5):
> > > > 
> > >      AddKeyToAgent
> > >        If this option is set to ``yes'' and ssh-agent(1) is running, any
> > >        keys used will be added to the agent (with the default lifetime).
> > >        Setting this to ``ask'' will cause ssh to require confirmation
> > >        using the SSH_ASKPASS program before the key is added (see
> > >        ssh-add(1) for details).  The argument must be ``yes'', ``ask'',
> > >        or ``no''.  The default is ``no''.

> > (...) I wasn't a big fan of your dismissal of the ssh-add -c
> > option.  I think that is a very important option that everyone should
> > be using.  You should always want to be informed if anything is trying
> > to use your key.  Otherwise a malicious program could gain access to
> > your key without your knowing it.
> 
> You're right, it would be good to support it. I had some problems
> figuring out a decent UI for it, though.
> 
> The best solution I could think of leads to configuration lines like
> "AddKeyToAgent ask confirm". Most directives are a lot simpler than
> that.

It just hit me that "AddKeyToAgent yes/confirm/ask/no" should work.
"Confirm" would add the key without asking, but require confirmation
before each use.

After all, asking whether the key should be added *and* confirming each
use seems excessive.

I'll roll a new patch with this change.

		Joachim

