Re: [gentoo-user] ssh-agent & RSA
2009/5/12 Philipp Riegger :
> On Sun, 2009-05-10 at 22:18 -0700, Hilco Wijbenga wrote:
> I would recommend you to try
>
> [I] net-misc/keychain
>      Available versions:  2.6.6 2.6.8
>      Installed versions:  2.6.8(19:38:13 04/17/09)
>      Homepage:            http://www.gentoo.org/proj/en/keychain/
>      Description:         ssh-agent manager

I will have a look at that tonight. If that also fails, I guess I'll try
reinstalling everything related to SSH.
Re: [gentoo-user] ssh-agent & RSA
2009/5/12 Etaoin Shrdlu :
> On Tuesday 12 May 2009, 11:17, Etaoin Shrdlu wrote:
>
>> > Does ssh-agent really ask you for a passphrase when starting a
>> > shell?
>>
>> Not if you don't invoke it :)
>
> Sorry, that is a bit unclear. Ssh-agent will never ask for a password.
> It's ssh-add that does (if you run it after the agent), assuming the key
> you're adding is password-protected.

Ssh-agent most certainly asks for a passphrase (although it may be
ssh-add that does the actual asking). As soon as I get to my first login
screen (I don't start from a GUI login), and I have logged in, ssh-agent
(or ssh-add, whatever) asks me for a passphrase for the DSA key it
finds. But it consistently ignores the RSA key.

Really, everything is (or at least seems to be) working wonderfully *for
DSA*. As you also indicated, it *should* work for both DSA and RSA ...
except that on my box it doesn't. :-(
Re: [gentoo-user] ssh-agent & RSA
On Sun, 2009-05-10 at 22:18 -0700, Hilco Wijbenga wrote:
> Hi all,
[...]

I would recommend you to try

[I] net-misc/keychain
     Available versions:  2.6.6 2.6.8
     Installed versions:  2.6.8(19:38:13 04/17/09)
     Homepage:            http://www.gentoo.org/proj/en/keychain/
     Description:         ssh-agent manager

Philipp
Re: [gentoo-user] ssh-agent & RSA
On Tuesday 12 May 2009, 11:17, Etaoin Shrdlu wrote:

> > Does ssh-agent really ask you for a passphrase when starting a
> > shell?
>
> Not if you don't invoke it :)

Sorry, that is a bit unclear. Ssh-agent will never ask for a password.
It's ssh-add that does (if you run it after the agent), assuming the key
you're adding is password-protected.
Re: [gentoo-user] ssh-agent & RSA
On Tuesday 12 May 2009, 06:35, Hilco Wijbenga wrote:

> This works for me too but afterwards the key is completely ignored.
> What happens if you do this and then restart the shell? Or better yet,
> what happens if you logout completely and then log back in? For me,
> the RSA key is completely ignored.

The way ssh-agent is designed is to NOT survive after the shell it was
started from is closed. That's why you should invoke it during your very
first login shell, so that the variables it sets are exported to all
child programs and subshells. If you do graphical login, I believe
there's an equivalent tool that lets you run the agent from the parent
environment.

One way of doing that is to put its invocation in .bashrc, but then it
will run a new copy each time a new login shell is started. So tools
like keychain have been developed which run ssh-agent, ask for the
password, and on subsequent invocations check if the agent is already
running, and if so they don't ask for the password again.

There's a nice article on keychain here:
http://www.gentoo.org/proj/en/keychain/

> Does ssh-agent really ask you for a passphrase when starting a shell?

Not if you don't invoke it :)

> Or at least list the RSA key? For me it's only the DSA key that is
> listed by ssh-agent (when it starts) and it's only for the DSA key
> that ssh-agent asks for a passphrase. Note, that ssh-add -L still
> lists the RSA key too!

As far as I know, as soon as ssh-agent is started, it has no keys. It's
your job (or keychain's) to add keys to ssh-agent's cache. But I'm not
sure I understand what you're getting.
Re: [gentoo-user] ssh-agent & RSA
2009/5/11 Etaoin Shrdlu :
> On Monday 11 May 2009, 07:18, Hilco Wijbenga wrote:
>
>> 2. ssh-add -D ; ssh-add ~/.ssh/id_rsa
>
> 3. mv ~/.ssh/id_rsa ~/.ssh/id_dsa

No, I had not tried that. :-) Exactly like that it doesn't work but if I
do a copy instead of a move then, yes, it works. Ssh-agent finds the DSA
key (still completely ignores the RSA key) in both cases but SSH can't
use it unless the RSA key is there so copying "works". Somehow SSH is
able to reuse the passphrase I typed for the DSA key when the RSA key is
used. Very strange.

> Seriously, did you try running ssh-add without arguments? According to
> the man, "When run without arguments, it adds the files ~/.ssh/id_rsa,
> ~/.ssh/id_dsa and ~/.ssh/identity".

:-) Yes, *that* I had tried ... many times. I had read the same which
led me to believe this should work.

> It works for me with an RSA key, anyway:
>
> $ ls .ssh/
> id_rsa  id_rsa.pub  known_hosts
> $ eval $(ssh-agent)
> Agent pid 22390
> $ ssh-add .ssh/id_rsa
> Identity added: .ssh/id_rsa (.ssh/id_rsa)

This works for me too but afterwards the key is completely ignored. What
happens if you do this and then restart the shell? Or better yet, what
happens if you logout completely and then log back in? For me, the RSA
key is completely ignored.

Does ssh-agent really ask you for a passphrase when starting a shell? Or
at least list the RSA key? For me it's only the DSA key that is listed
by ssh-agent (when it starts) and it's only for the DSA key that
ssh-agent asks for a passphrase. Note, that ssh-add -L still lists the
RSA key too!

> Did you try generating a new RSA key (just to see if it can be added)?

Yep, and no it doesn't make any difference. I even tried the default bit
length instead of -b 1536 that I normally use.
Re: [gentoo-user] ssh-agent & RSA
On Monday 11 May 2009, 07:18, Hilco Wijbenga wrote:

> 2. ssh-add -D ; ssh-add ~/.ssh/id_rsa

3. mv ~/.ssh/id_rsa ~/.ssh/id_dsa

:)

Seriously, did you try running ssh-add without arguments? According to
the man, "When run without arguments, it adds the files ~/.ssh/id_rsa,
~/.ssh/id_dsa and ~/.ssh/identity".

It works for me with an RSA key, anyway:

$ ls .ssh/
id_rsa  id_rsa.pub  known_hosts
$ eval $(ssh-agent)
Agent pid 22390
$ ssh-add .ssh/id_rsa
Identity added: .ssh/id_rsa (.ssh/id_rsa)

Did you try generating a new RSA key (just to see if it can be added)?
[gentoo-user] ssh-agent & RSA
Hi all,

I'm running ssh-agent so I only have to type my passphrase once. At
least that was the plan. I'm trying to use an RSA key instead of DSA.
This does not seem to please ssh-agent. It seems to just look for id_dsa
and ignore the id_rsa.

(a) If I create a DSA key then it finds that and ignores the RSA key;
(b) if I delete the DSA key so that there is only an RSA key then
    ssh-agent warns about the missing id_dsa and gives up;
(c) if I give the DSA an empty passphrase then ssh-agent is happy but
    still ignores the RSA key.

I can't find anything in man ssh-add or man ssh-agent about this
behaviour. The man file says it looks for both files but so far I beg
to differ. :-) There don't seem to be any config files for ssh-agent?

Other things I've tried:

1. State "explicitly" in ssh-config to only use RSA:

   Host *
       IdentitiesOnly yes
       IdentityFile ~/.ssh/id_rsa
       Protocol 2

   Ssh-agent is not impressed. (Not too surprising as this file applies
   to ssh, not ssh-agent, but it was worth a try.)

2. ssh-add -D ; ssh-add ~/.ssh/id_rsa

   This is completely ignored. Ssh-agent simply behaves as in a, b, and
   c (and, for a and c, puts the DSA key right back in the list).

I'm out of ideas. :-( Could anyone offer a suggestion? Does anyone have
ssh-agent working with an RSA key?

Please note that using a DSA key works. In that case ssh-agent finds
the key, asks for a passphrase and from then on I can use the key
without typing the passphrase. So I believe that I have set things up
correctly. Also note that I can use the RSA key, it's just that I have
to type the passphrase every time.

Cheers,
Hilco
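The quickest way to pin down the symptom in this post (a key that ssh-add says it added, yet ssh still prompts for its passphrase) is to compare fingerprints: what `ssh-add -l` reports in the very shell where ssh is run, against `ssh-keygen -lf` on each public key file. As other replies in the thread note, the agent starts empty and ssh-add fills it, so the question is whether the agent that this shell's SSH_AUTH_SOCK points at holds the RSA key at all. The script below is an added example written for this page; it is not part of the thread and not Gentoo's or keychain's code. It assumes OpenSSH's ssh-add and ssh-keygen, both of which print the fingerprint in the second column of their one-line-per-key output, and the function `missing_keys` compares those columns as plain text so it can be tried on constructed lists without a running agent.

```shell
#!/bin/sh
# Added example (not from the thread): report which of the given public
# keys the agent reachable via SSH_AUTH_SOCK actually holds.
# Assumes OpenSSH ssh-add / ssh-keygen; both print the fingerprint in
# column 2 of their one-line-per-key output, which is what is compared.

# key_fingerprints PUBFILE... : one fingerprint per readable .pub file
key_fingerprints() {
    for f in "$@"; do
        [ -r "$f" ] && ssh-keygen -lf "$f" | awk '{print $2}'
    done
    return 0
}

# agent_fingerprints : fingerprints currently loaded in the agent; empty
# when it holds none. Reachability is checked separately by the caller.
agent_fingerprints() {
    ssh-add -l 2>/dev/null | awk '{print $2}'
    return 0
}

# missing_keys AGENT_LIST WANTED_LIST : print every fingerprint in
# WANTED_LIST (newline separated) that does not occur in AGENT_LIST.
# Pure text processing, so it can be tested without an agent.
missing_keys() {
    agent=$1
    printf '%s\n' "$2" | while IFS= read -r fp; do
        [ -n "$fp" ] || continue
        printf '%s\n' "$agent" | grep -qxF -- "$fp" || printf '%s\n' "$fp"
    done
    return 0
}

# check_agent_keys PUBFILE... : exit 2 if no agent is reachable, 1 if some
# key is not loaded in it, 0 if every key is.
check_agent_keys() {
    # ssh-add -l exits 0 with keys, 1 with none, 2 if it cannot reach an agent
    ssh-add -l >/dev/null 2>&1
    rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "no agent reachable (SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-unset})" >&2
        return 2
    fi
    missing=$(missing_keys "$(agent_fingerprints)" "$(key_fingerprints "$@")")
    if [ -n "$missing" ]; then
        echo "not loaded in the agent at ${SSH_AUTH_SOCK:-unset}:" >&2
        printf '%s\n' "$missing" | sed 's/^/  /' >&2
        return 1
    fi
    echo "all $# key(s) loaded in the agent at $SSH_AUTH_SOCK"
    return 0
}

# Runs only when given key files, e.g.
#   sh check_agent_keys.sh ~/.ssh/id_rsa.pub ~/.ssh/id_dsa.pub
if [ "$#" -gt 0 ]; then
    check_agent_keys "$@"
fi
```

Run it in the shell that is prompting for the passphrase, after logging in the way you normally do. Exit status 2 means that shell has no usable SSH_AUTH_SOCK at all; exit status 1 with the RSA fingerprint listed means the agent this shell talks to is not the one the key was added to (for instance a second agent started by a login script). `ssh -v host` confirms the client side: it prints an "Offering public key:" line for each identity it tries, and one that comes from the agent needs no passphrase.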
Re: [gentoo-user] ssh-agent
On Monday 12 February 2007 23:26, Justin Patrin wrote:
> On 11/21/06, Jorge Almeida <[EMAIL PROTECTED]> wrote:
> > On Tue, 21 Nov 2006, Mick wrote:
> > >>> They are only stored in locked memory; they are never on disk
> > >>> unencrypted. Anyone that can read locked memory can access them, but
> > >>> this is very few users/processes on Linux -- and besides those same
> > >>> users will be able to read the key as you authenticate even if you
> > >>> don't use ssh-agent, as long as they time things right.
> > >>
> > >> OK, this sounds better! I posted to the gnupg-users, asking a similar
> > >> question about gpg-agent. I guess gpg-agent works the same way.
> > >
> > > Please post back your findings!
> >
> > Well, no responses yet in the gnupg-users list, so there are no findings
> > to post! (Let's wait at least a few hours :))
> >
> > > What happens to the /tmp/ directory & socket file after the user logs
> > > out? Does it get deleted by the ssh-agent shutdown script?
> >
> > I didn't start using ssh-agent yet, but I tested it from the command
> > line and the directory was removed when I killed the ssh-agent process.
> >
> > > I am asking this because I seem to continuously accumulate a load of
> > > gpg-agent directories and socket files into my /tmp. Unless of course
> > > gpg-agent works
> >
> > I suppose that has to do with the agent(s) working as daemons? I don't
> > like that kind of setup. This is what I intend to (try to) do:
> >
> > - One fixed socket, in some dedicated directory (no /tmp, no random name
> >   for the socket)
> > - The socket name as a fixed env variable, set in the shell config files
> > - Hence, no need to eval, etc
> > - No daemon (i.e. no backgrounding). Just a service supervised by
> >   daemontools. Logs go to a directory of my choosing and if the agent
> >   dies, it is resurrected, and the socket (with the same name) is
> >   recreated (of course, keys must be added, then)
> > - A perl script to interact with the service, just in case.
> >
> > I think this is not difficult to do, unless I grossly misunderstood
> > something essential. (Comments, anyone?) I just don't see the need to
> > run the agent as subordinate of an X session or whatever (please someone
> > correct me if I'm wrong!) And if I don't want the service running when
> > I'm not logged in, I could bring it down with the perl script (in
> > ~/.bash_logout, maybe?)
> > For gpg-agent, I'm not so sure, but I hope it can be done too.
> >
> > > on a different principle altogether. My start up & shutdown scripts
> > > are in /etc/X11/Sessions/fluxbox. Are they correct for this task?
> > >
> > > eval "$(gpg-agent --daemon)"
> > > /usr/bin/startfluxbox
> > > kill `echo ${GPG_AGENT_INFO} | cut -d ':' -f 2`
> > >
> > >
> > > Or should I have another line to 'rm -Rf /tmp/gpg-*'
>
> ssh-agent /bin/sh
>
> When you exit the shell, ssh-agent exits too (after cleaning up).
> Running the agent as a daemon means you have to tell it when to shut
> down as well (how would it know when to stop?).

Thanks Justin, the ssh-agent may clean up after its own lock-files, but
the gpg-agent doesn't. At least not when using my script above. My /tmp
is full of gpg- lock-files, which in the absence of a better solution I
manually delete every now and then.

-- 
Regards,
Mick
Re: [gentoo-user] ssh-agent
On 11/21/06, Jorge Almeida <[EMAIL PROTECTED]> wrote:
> On Tue, 21 Nov 2006, Mick wrote:
> >>> They are only stored in locked memory; they are never on disk
> >>> unencrypted. Anyone that can read locked memory can access them, but this
> >>> is very few users/processes on Linux -- and besides those same users will
> >>> be able to read the key as you authenticate even if you don't use
> >>> ssh-agent, as long as they time things right.
> >>
> >> OK, this sounds better! I posted to the gnupg-users, asking a similar
> >> question about gpg-agent. I guess gpg-agent works the same way.
> >
> > Please post back your findings!
>
> Well, no responses yet in the gnupg-users list, so there are no findings
> to post! (Let's wait at least a few hours :))
>
> > What happens to the /tmp/ directory & socket file after the user logs out?
> > Does it get deleted by the ssh-agent shutdown script?
>
> I didn't start using ssh-agent yet, but I tested it from the command line
> and the directory was removed when I killed the ssh-agent process.
>
> > I am asking this because I seem to continuously accumulate a load of
> > gpg-agent directories and socket files into my /tmp. Unless of course
> > gpg-agent works
>
> I suppose that has to do with the agent(s) working as daemons? I don't
> like that kind of setup. This is what I intend to (try to) do:
>
> - One fixed socket, in some dedicated directory (no /tmp, no random name
>   for the socket)
> - The socket name as a fixed env variable, set in the shell config files
> - Hence, no need to eval, etc
> - No daemon (i.e. no backgrounding). Just a service supervised by
>   daemontools. Logs go to a directory of my choosing and if the agent
>   dies, it is resurrected, and the socket (with the same name) is
>   recreated (of course, keys must be added, then)
> - A perl script to interact with the service, just in case.
>
> I think this is not difficult to do, unless I grossly misunderstood
> something essential. (Comments, anyone?)
> I just don't see the need to run the agent as subordinate of an X session
> or whatever (please someone correct me if I'm wrong!) And if I don't want
> the service running when I'm not logged in, I could bring it down with
> the perl script (in ~/.bash_logout, maybe?)
> For gpg-agent, I'm not so sure, but I hope it can be done too.
>
> > on a different principle altogether. My start up & shutdown scripts are
> > in /etc/X11/Sessions/fluxbox. Are they correct for this task?
> >
> > eval "$(gpg-agent --daemon)"
> > /usr/bin/startfluxbox
> > kill `echo ${GPG_AGENT_INFO} | cut -d ':' -f 2`
> >
> >
> > Or should I have another line to 'rm -Rf /tmp/gpg-*'

ssh-agent /bin/sh

When you exit the shell, ssh-agent exits too (after cleaning up).
Running the agent as a daemon means you have to tell it when to shut
down as well (how would it know when to stop?).

-- 
Justin Patrin

-- 
gentoo-user@gentoo.org mailing list
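Two passages on this page ask for the same thing: Etaoin Shrdlu's explanation in the RSA thread that ssh-agent dies with the shell it was started from, so keychain re-uses a running agent instead of starting one per login, and Jorge Almeida's plan above for a fixed socket in a dedicated directory, a fixed SSH_AUTH_SOCK set in the shell config files, and an explicit shutdown from ~/.bash_logout. The script below is an added example that implements that plan with OpenSSH's own options; it is not code from either thread and not keychain's or daemontools' code. It assumes ssh-agent's `-a` (bind to a given socket path), `-s` (Bourne-style output) and `-t` (default key lifetime) options, and ssh-add's exit status convention (0 with keys, 1 with none, 2 when no agent answers). The directory under XDG_RUNTIME_DIR, falling back to ~/.ssh, is this example's own choice.

```shell
#!/bin/sh
# Added example, not from either thread: one ssh-agent per user, reachable
# at a fixed socket path, reused across logins and shut down explicitly.
# Assumes OpenSSH ssh-agent/ssh-add. The directory below is this example's
# own choice; any directory owned by the user with mode 0700 will do.

AGENT_DIR="${SSH_AGENT_DIR:-${XDG_RUNTIME_DIR:-$HOME/.ssh}/agent}"
AGENT_SOCK="$AGENT_DIR/sock"
AGENT_PIDFILE="$AGENT_DIR/pid"
AGENT_LIFETIME="${SSH_AGENT_LIFETIME:-8h}"   # passed to ssh-agent -t

# agent_reachable SOCK : true iff an agent answers on SOCK.
# ssh-add -l exits 0 (keys loaded) or 1 (none) when it can talk to an
# agent and 2 when it cannot, which is what a stale socket file yields.
agent_reachable() {
    SSH_AUTH_SOCK="$1" ssh-add -l >/dev/null 2>&1
    rc=$?
    [ "$rc" -eq 0 ] || [ "$rc" -eq 1 ]
}

# agent_env_from_output TEXT : reduce the shell snippet `ssh-agent -s`
# prints to two assignments, agent_sock=... and agent_pid=..., so that
# nothing else in that output is ever eval-ed.
agent_env_from_output() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^SSH_AUTH_SOCK=\([^;]*\);.*$/agent_sock=\1/p' \
        -e 's/^SSH_AGENT_PID=\([^;]*\);.*$/agent_pid=\1/p'
}

# agent_start : start a fresh agent bound to AGENT_SOCK and record its pid.
agent_start() {
    umask 077
    mkdir -p "$AGENT_DIR" && chmod 700 "$AGENT_DIR" || return 1
    rm -f "$AGENT_SOCK"                    # a stale socket makes bind fail
    out=$(ssh-agent -s -a "$AGENT_SOCK" -t "$AGENT_LIFETIME") || return 1
    eval "$(agent_env_from_output "$out")"
    [ "$agent_sock" = "$AGENT_SOCK" ] || return 1
    printf '%s\n' "$agent_pid" > "$AGENT_PIDFILE"
}

# agent_ensure KEYFILE... : reuse the running agent or start one, then
# load the keys if the agent is empty. ssh-add does the passphrase
# prompting here; ssh-agent itself never asks for anything.
agent_ensure() {
    agent_reachable "$AGENT_SOCK" || agent_start || return 1
    SSH_AUTH_SOCK="$AGENT_SOCK"; export SSH_AUTH_SOCK
    if ssh-add -l >/dev/null 2>&1; then
        return 0                           # keys already loaded: no re-prompt
    fi
    if [ "$#" -gt 0 ]; then
        ssh-add "$@"
    fi
}

# agent_stop : for ~/.bash_logout; drops the key material from memory.
agent_stop() {
    if [ -r "$AGENT_PIDFILE" ]; then
        kill "$(cat "$AGENT_PIDFILE")" 2>/dev/null
    fi
    rm -f "$AGENT_SOCK" "$AGENT_PIDFILE"
}

# Usage:  ssh-agent-fixed start ~/.ssh/id_rsa     (from ~/.profile)
#         ssh-agent-fixed stop                    (from ~/.bash_logout)
case "${1:-}" in
    start) shift; agent_ensure "$@" ;;
    stop)  agent_stop ;;
esac
```

Because the socket path never changes, the shell rc files only need `export SSH_AUTH_SOCK="$HOME/.ssh/agent/sock"` (or the XDG_RUNTIME_DIR equivalent); no `eval $(ssh-agent)` and no per-login env file, which is the point Jorge makes above. For a supervisor such as daemontools, the service's run script would start `ssh-agent -D -a "$AGENT_SOCK"` instead of `agent_start`, since `-D` keeps the agent in the foreground; keys then have to be re-added after a restart, exactly as Jorge notes. Whoever can connect to the socket can use the keys, so the directory must stay mode 0700; that is the same trust boundary the /tmp socket has (same uid and root), matching the "locked memory" remark quoted in the thread. `-t` bounds how long a loaded key stays usable, `ssh-add -c` makes the agent ask for confirmation on every use, and agent forwarding should stay off to hosts you do not fully trust, since a forwarded agent lets that host sign with your keys.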