Stuart Henderson wrote:
> On 2016-08-03, Hugo Osvaldo Barrera <h...@barrera.io> wrote:
> > Doesn't the fact that ssh-agent is running somehow make the keys
> > accessible anyway?
>
> If it's running and you haven't told it to forget the keys one
> way or another: yes.
>
> Some screen lockers allow you to run another program;
> one thing you can do is run "ssh-add -D" to kill the keys when
> you lock. Alternatively when you start ssh-agent you can use
> the -t flag to set the lifetime of the key; if you do this
> ssh-agent will expire added keys automatically after this
> timeout. (For the latter, if you use xdm you'll need to edit
> Xsession.)
>
> By itself this can be annoying as you normally have to run
> ssh-add to add the keys back in before you can use them. But
> if you use "AddKeysToAgent yes", ssh will prompt you for the
> key passphrase when it needs it (i.e. after the lock/timeout)
> and add them to the agent automatically. So it works rather
> like sudo's password timeout - very convenient, and it avoids
> the keys hanging around in your agent for longer than needed.
That is damn good advice!

Predrag
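A small wrapper that puts Stuart's three suggestions together, as an added example rather than code from the thread: it runs "ssh-add -D" before the screen locker and refuses to lock silently if the agent cannot be reached, starts an agent with a -t lifetime, and checks that ssh_config carries AddKeysToAgent so ssh re-adds keys on demand. xlock as the locker and ~/.ssh/config as the config path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Combines "ssh-add -D" on lock,
# "ssh-agent -t" for a key lifetime, and a check for "AddKeysToAgent" so ssh
# re-adds keys (with a passphrase prompt) after the lock or timeout.
# Assumptions: locker is xlock (override via LOCKER), config is
# ~/.ssh/config (override via the function argument).

# Flush every identity from the running agent, then lock the screen.
# Returns non-zero if there is no agent or ssh-add cannot reach it, so you
# never lock believing the keys were dropped when they were not.
# SSH_ADD and LOCKER are read at call time so stubs can be substituted.
lock_and_forget() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo "lock_and_forget: no SSH_AUTH_SOCK; nothing to flush" >&2
        return 1
    fi
    "${SSH_ADD:-ssh-add}" -D || return 1
    "${LOCKER:-xlock}"
}

# Start an agent whose identities expire after $1 (default 1h) and export
# SSH_AUTH_SOCK/SSH_AGENT_PID into this shell. This is the line that goes
# into ~/.xsession, or into Xsession when xdm starts the session.
start_agent_with_lifetime() {
    eval "$(ssh-agent -s -t "${1:-1h}")" >/dev/null
}

# Return 0 if the ssh_config in $1 has an uncommented AddKeysToAgent line
# whose value is not "no" (keywords are case-insensitive; the "key=value"
# spelling is not handled here). Without it, keys expired by -t or flushed
# by -D have to be re-added by hand with ssh-add.
agent_readds_keys() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "addkeystoagent" && tolower($2) != "no" { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "${1:-$HOME/.ssh/config}"
}
```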