Can one set an agent timeout for a specific host?

openssh at tr.id.au openssh at tr.id.au
Thu Jun 6 07:59:12 AEST 2024


Hi Chris,

(Caveat: I haven't tried IdentityAgent before and I may also misunderstand what you're after.)

I don't see any mechanism in the provided config which would end up in a timeout. According to man (5) ssh_config, IdentityAgent configures a socket number, not a timeout. I'm not sure if that's obvious; like I said, I might have misunderstood something about what you're asking, or overlooked something about uses of IdentityAgent.

I suspect you may want the ConnectTimeout config if you haven't seen it yet. I also believe (meaning it makes sense to me but I haven't tested it) that when you configure this timeout, it will affect all connections to the host, not just that one key.

If you want to restrict the configuration to just one key, I might consider using `Match tagged` to distinguish between different modes.

Example configuration:

```
Match host backup tagged backup
    IdentityFile ~/.ssh/backup_id_rsa
    IdentitiesOnly yes
    ConnectTimeout 600

# General config for all connections to backup node
Host backup
    # put here whatever is true regardless of which key or authentication method you use
    # ...
```

Then to force the use of that one key and that timeout, make sure the client uses the `-P backup` option to trigger the `tagged backup` Match.

Alternatively, you can use something like `-F /path/to/backup/ssh_config` to keep the backup config separate to everything else in your default ~/.ssh/config.

~ Tim


On Wednesday, 5 June 2024 at 22:18, Chris Green <cl at isbd.net> wrote:

>
>
> If I set a timeout for a specific host's key does it set the timeout
> for just that key/host?
>
> I.e. if I do something like in ~/.ssh/config:-
>
> #
> #
> # backup, use public-key authentication
> #
> Host backup
> IdentityFile ~/.ssh/backup_id_rsa
> IdentityAgent 600
>
> Will it just time out the key saved for backup and leave any other
> keys with the default no timeout?
>
> --
> Chris Green
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


